I am extremely interested in exploring R Shiny for my work.
As part of my company's due diligence, there are protocols for security reviews of open-source software.
In addition to the underlying piece of software that Posit has written for Shiny, there are numerous other Open-Source components that have been incorporated, as indicated at https://cran.r-project.org/web/packages/shiny/LICENSE.
Some of these additional components have raised concerns. Most notably:
showdown.js
• showdown.js has an open security vulnerability that was discovered in 2024 in the current version and has yet to be remediated by the developer. No code updates in the past 3 years. While the CVE is only a medium risk, this doesn't speak well for the support available should a more significant vulnerability be discovered.
CVE-2024-1899 — Denial of Service Vulnerability
bootstrap-accessibility-plugin
• There is an open security issue with this plugin for its use of an outdated jQuery version ("Security vulnerability: reliance on EOL jQuery version", Issue #122, paypal/bootstrap-accessibility-plugin on GitHub), and the code base has not been updated since 2018, so a fix is highly unlikely.
selectize.js
• The latest version of selectize.js, v0.15.2, was released on November 18, 2022, and the project appears to no longer have continued support from the developer, based on the lack of response to open issues. There are no past or current CVEs, so the vulnerability risk appears low, but the lack of support could be an issue.
selectize-plugin-a11y
• Code has not been updated since 2020 and has been abandoned by the developer. Per the GitHub repository "This repository was archived by the owner on Jan 7, 2025. It is now read-only."
There was one XSS vulnerability, corrected in 2019. There are no current open issues.
If a new security vulnerability is discovered and the developer will not provide an updated release, then […] must assume responsibility for correcting the open-source code or must uninstall the product.
In addition, even for other components where Security indicated “no concerns”, there is a requirement that: “Must be maintained at latest version.”
I know that Shiny is well used in the industry and that there is significant adoption and user base. I have to believe that these security concerns have been mitigated and addressed.
If anyone can provide feedback as to these potential security concerns and any information about any steps taken to ensure that their incorporation into Shiny does not create any security vulnerabilities, that would be much appreciated.
Does anyone know if the Open-Source components are updated to their most recent version?
Thank you
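Added example for the question of whether the bundled components are at their latest versions (this is not code from the original post or from the Shiny project). It walks a directory of vendored JavaScript files, reads each file's banner comment for a version string, and compares it with the version your review policy treats as current. Assumptions: that each library's banner carries its version, as most vendored libraries do; that shiny's bundled assets live at the path R returns for `system.file("www/shared", package = "shiny")` (an assumption, check it on your install); and the sample files and the expected versions in the demo are constructed placeholders, not statements about the real releases.

```python
"""Audit version banners of vendored JS libraries against expected versions.
Added example; not code from the original post or the Shiny project."""
import os
import re
import shutil
import tempfile
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# First semantic-version token such as "v0.15.2" or "2.1.0". Dates like
# "2022-11-18" have no three dotted numbers and therefore do not match.
VERSION_RE = re.compile(r"(?<![\w.])v?(\d+)\.(\d+)\.(\d+)(?![\w.])")

# A minified file is one huge line, so read a fixed prefix, not "N lines".
HEADER_BYTES = 8192


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for the first version token in text, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def banner_text(head: str) -> Optional[str]:
    """Return the leading comment of a JS file (/* ... */ or a run of // lines).
    Only the banner is searched, so a "1.0.0" literal inside the code
    is not mistaken for the library version."""
    s = head.lstrip()
    if s.startswith("/*"):
        end = s.find("*/")
        return s[:end] if end != -1 else s
    if s.startswith("//"):
        lines = []
        for line in s.splitlines():
            if not line.lstrip().startswith("//"):
                break
            lines.append(line)
        return "\n".join(lines)
    return None  # file starts with code: no banner at all


def banner_version(path: str) -> Optional[Version]:
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        banner = banner_text(f.read(HEADER_BYTES))
    return parse_version(banner) if banner is not None else None


def iter_js(root: str) -> Iterator[str]:
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                yield os.path.join(dirpath, name)


def audit(root: str, expected: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Match each library by substring of the file name and grade its banner version."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    js_files = sorted(iter_js(root))
    for lib, latest in expected.items():
        want = parse_version(latest)
        if want is None:
            raise ValueError(f"expected version for {lib} is not x.y.z: {latest!r}")
        hits = [p for p in js_files if lib.lower() in os.path.basename(p).lower()]
        entry: Dict[str, Optional[str]] = {"file": None, "found": None, "expected": latest}
        if not hits:
            entry["status"] = "not found"
        else:
            entry["file"] = os.path.relpath(hits[0], root)
            got = banner_version(hits[0])
            if got is None:
                entry["status"] = "no version banner"  # needs a manual check
            else:
                entry["found"] = ".".join(map(str, got))
                entry["status"] = "outdated" if got < want else ("newer than expected" if got > want else "ok")
        report[lib] = entry
    return report


# Constructed sample tree: banners and versions are made up for the demo.
SAMPLE_FILES = {
    "selectize/selectize.min.js": "/*! selectize.js - v0.15.1 | https://example.invalid */\n!function(){}();\n",
    "showdown/showdown.min.js": "/*! showdown v2.1.0 */\n(function(){})();\n",
    "bootstrap-accessibility-plugin/bootstrap-accessibility.min.js": "(function($){$.fn.bsa=function(){};})(jQuery);\n",
}
# Versions your policy treats as current (placeholders here, not real release data).
EXPECTED = {"selectize": "0.15.2", "showdown": "2.1.0", "bootstrap-accessibility": "1.0.0", "jquery": "3.7.1"}


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    root = tempfile.mkdtemp(prefix="vendored-js-")
    try:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
        return audit(root, EXPECTED)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for lib, e in demo().items():
        print(f"{lib:24s} {e['status']:20s} found={e['found']} expected={e['expected']} file={e['file']}")
```

A "no version banner" result is deliberately not treated as "ok": a file with no banner (the demo's accessibility plugin) has to be identified by hand, for instance by diffing it against the upstream release, before the review can sign it off. Run `audit()` against the real asset directory with the expected versions from your policy to answer the question in the post for your own installation.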