Ruby is shipping a vulnerable jQuery
Severity: Low
Program: Ruby
Reported by: chrisseaton
Vulnerability Details
Technical details and impact analysis
No, this isn't a report about the website!
Ruby ships Darkfish as part of RDoc
https://github.com/ruby/ruby/tree/HEAD/lib/rdoc/generator/template/darkfish
https://github.com/ruby/rdoc/tree/master/lib/rdoc/generator/template/darkfish
https://github.com/ged/darkfish
Darkfish includes jQuery v1.6.4, which is vulnerable to multiple CVEs, for example
https://nvd.nist.gov/vuln/detail/CVE-2012-6708
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Now I'm not sure how applicable these CVEs are to the generated HTML, or how likely it is someone would use the jQuery from this file in the rest of their site accidentally by including generated HTML, but I do think it's a problem to be shipping a version of jQuery that is getting towards a decade old.
Maybe Darkfish should update? But who's going to do that work?
Maybe we shouldn't ship Darkfish if nobody can update it?
What do people think should be done? I ship my own implementation of Ruby and I'm not happy with shipping this old version so may have to remove Darkfish myself.
## Impact
Low. Possibly a risk that someone includes RDoc generated HTML on their site and accidentally uses this jQuery for the rest of their site and makes themselves vulnerable to the CVEs.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2015-9251
UNKNOWN
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CVE-2012-6708
UNKNOWN
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to …
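The risk the report describes is a copy of RDoc's generated HTML, with its bundled jQuery, ending up served as part of a site. The following Ruby script is an added example, not part of the report or of RDoc: it walks a directory tree, reads the version from each jQuery banner comment, and lists which of the two CVEs above apply, using the fix thresholds stated in the NVD text (1.9.0 for CVE-2012-6708, 3.0.0 for CVE-2015-9251). Assumptions: the banner has the form `jQuery v1.7.1` or `jQuery JavaScript Library v1.6.4` (the 1.6.x form), the default scan location is the stdlib Darkfish path named in the report, and `SAMPLE_BANNER` is a constructed input so the functions can be exercised offline.

```ruby
# Added example (not part of the report or of RDoc): audit bundled jQuery
# copies against the two CVEs quoted in the report.
require "rbconfig"

# Fix thresholds taken from the NVD descriptions quoted above.
JQUERY_ADVISORIES = {
  "CVE-2012-6708" => Gem::Version.new("1.9.0"), # fixed in 1.9.0
  "CVE-2015-9251" => Gem::Version.new("3.0.0"), # fixed in 3.0.0
}.freeze

# Constructed sample input in the form used by the jQuery 1.6.x banner.
SAMPLE_BANNER = "/*!\n * jQuery JavaScript Library v1.6.4\n * http://jquery.com/\n */\n"

# Extracts the jQuery version from the banner comment at the top of a jQuery
# source file. Assumption: the banner reads "jQuery v1.7.1" or
# "jQuery JavaScript Library v1.6.4"; returns nil when no banner is found.
def jquery_version(source)
  m = source.match(/jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)/)
  m && Gem::Version.new(m[1])
end

# Returns the CVE ids from the report whose fix version is newer than +version+.
def applicable_cves(version)
  JQUERY_ADVISORIES.select { |_, fixed| version < fixed }.keys
end

# Walks +dir+ and returns [path, version_string, [cves]] for every jQuery copy.
# Only the first 4 KiB of each file is read, since the banner sits at the top.
def audit_jquery(dir)
  Dir.glob(File.join(dir, "**", "*.js")).sort.filter_map do |path|
    version = jquery_version(File.read(path, 4096, encoding: "UTF-8").scrub)
    next unless version
    [path, version.to_s, applicable_cves(version)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # The stdlib location of Darkfish named in the report; pass another directory
  # as the first argument to audit a site that embeds RDoc output instead.
  dir = ARGV[0] || File.join(RbConfig::CONFIG["rubylibdir"],
                             "rdoc", "generator", "template", "darkfish")
  audit_jquery(dir).each do |path, version, cves|
    status = cves.empty? ? "ok" : "affected by #{cves.join(', ')}"
    puts "#{path}: jQuery #{version} #{status}"
  end
end
```

Run it with no arguments to check the Ruby installation's own Darkfish copy, or point it at a web root to find RDoc-generated pages whose jQuery has been reused elsewhere on the site. A version with no banner match is skipped rather than reported, so a minified copy with the banner stripped needs a separate check.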
Report Details
State: Closed
Substate: Resolved