Consider updating jQuery dependency to 3.4.0 or newer

[joelverhagen]

My team runs Azure DevOps Component Governance (per internal security requirements) and we received a notice that the following project template is impacted by CVE-2019-11358 affecting jQuery before 3.4.0.

cli/sdk/2.2.100-preview3-009430/Templates/microsoft.dotnet.web.projecttemplates.2.2.2.2.0-preview3-35497.nupkg

I looked inside this template and found jQuery 3.3.1.

I also looked at the latest version of the template and the source code in this repository and see that 3.3.1 is still used: e.g.

aspnetcore/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/wwwroot/lib/jquery/dist/jquery.js

Line 2 in 7def102

* jQuery JavaScript Library v3.3.1

We don't specifically use this template but Component Governance picked up on it since we happened to install the CLI at build time inside the directory that it scans.

It's probably worth considering updating the template to jQuery 3.4.0 so consumers of the template don't have to be worried about this CVE.

I see there is another issue of removing jQuery (#8573) but I imagine updating the minor version of jQuery is a cheaper fix for this particular issue.

[rynowak]

Note that this bug was filed against 2.2 - but we're still using jQuery 3.3.1 so this is still a relevant issue. @mkArtakMSFT

[wenz]

Other templates also use the old jQuery version. I'm creating a PR which updates them all to 3.4.1.

[wenz]

Update: I found jQuery 2.2.0 - it's in the ClaimsTransformation and Cookies samples under src/Security/samples.

[HaoK]

Fixed for 5.0 in #20356 will port to 3.1/2.2 next

[wenz]

jQuery 3.5.1 was released. Should I open up a new issue, update the existing PR, or create a new one?

[HaoK]

Probably a new PR would be best, since the other PR was already merged, but might be worth considering updating to 3.5.1 before porting the first PR to servicing

[wenz]

Will work on it today.

[mkArtakMSFT]

@captainsafia is this done already?