
Conversation


@wyhaines wyhaines commented Nov 5, 2025

At Bright Security, we've encountered a situation where retirejs incorrectly identifies a version of jquery as vulnerable when it is not.

The standard jquery version 1.12.4 is vulnerable to several CVEs. However, Adobe maintains a patched version (1.12.4-aem) that is not vulnerable.

This change adds the ability to exclude certain results from positive matches, so that patched versions of vulnerable libraries don't cause false positives. This capability is used to exclude jquery 1.12.4-aem, which is a version patched by Adobe to fix the vulnerabilities that exist in 1.12.4.

I have also added some tests for the functionality.

I didn't see any contributing guidelines, so please let me know if you have any questions, or if there is anything that you would like to see changed.

eoftedal (Contributor) commented Nov 6, 2025

Hi @wyhaines. This is an excellent addition!
One minor change request: The purpose of the versioned repository JSONs is to not affect the format of the older ones as retire.js and some other software depends on them and are rigid on format validation. So we would have to introduce a v5 and avoid this new field in jsrepository.json + v2-v4, and change cli.ts to load the v5 version.

wyhaines (Author) commented Nov 6, 2025

That makes sense. Thanks for the context. I will take a look at making that change.

eoftedal (Contributor) commented Nov 6, 2025

Thank you! We should also consider dropping some of the .strict() calls in the zod repo parser. Let me know if you have any views on which ones to drop.

eoftedal (Contributor):

Btw, @wyhaines, I can fix the versioning if you don't have time.

Do you by any chance have a copy of the aem version so I can test with it?

wyhaines (Author) commented Nov 11, 2025 via email

eoftedal (Contributor) commented Nov 14, 2025

I found different versions on github:

wyhaines (Author):

Oh, that's fun. I am waiting for a response back from the affected client on this. However, you tracked down 4 versions, all with the same version string, with three different patch sets?

(sigh)

eoftedal (Contributor) commented Nov 15, 2025

Yes, and they all have the same header including the same timestamp:

/*!
 * jQuery JavaScript Library v1.12.4-aem
 * http://jquery.com/
 *
 * Includes Sizzle.js
 * http://sizzlejs.com/
 *
 * Copyright jQuery Foundation and other contributors
 * Released under the MIT license
 * http://jquery.org/license
 *
 * Date: 2016-05-20T17:17Z
 */

Edit: The timestamp (2016-05-20T17:17Z) is the original jQuery 1.12.4 timestamp.

eoftedal (Contributor) commented Nov 16, 2025

From what I understand, Adobe is supposed to have patched this file, but it makes me wonder if they released several versions of this patched file.
In the list of minified versions above, the difference between the first two is the Prototype pollution patch (CVE-2019-11358):

Here is the comparison. They all patch CVE-2015-9251 (so my initial analysis was wrong on this CVE)


Given this analysis it would be hard to say anything about a detected 1.12.4-aem version except for CVE-2015-9251.

wyhaines (Author):

Yeah. This is not what I was expecting, given the problem description I initially had to work with. I am still awaiting a copy of 1.12.4-aem from our side, but I am wondering what you would like me to do here? Revert all of the repository changes completely while leaving the capability to add an exclusion in the future?

eoftedal (Contributor):

I would like to keep the exclusion. It is still valid for CVE-2015-9251 for all -aem versions.
So I guess the required changes are:

  1. Add a v5 repo and set retire.js to load that as the default repository in cli.ts (I'll deal with the chrome extension)
  2. Modify convertToVersioned / convertFormat.js to only copy exclusions over to v5
  3. Modify the master repo to only have the exclusion for CVE-2015-9251

BTW: I have added the ability to test a custom jQuery version on the jQuery test website: https://research.insecurelabs.org/jquery/test/
Just plug in the URL and click "Run custom".
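To make the exclusion mechanism discussed in this thread concrete, here is an added example (not retire.js's own code) of a version matcher that reports a CVE only when the detected version falls inside the vulnerable range and is not named in that vulnerability's exclusion list. The field name `exclusions`, the helper names, and the version ranges are assumptions made for this example, not the project's actual v5 schema.

```javascript
// Constructed sample entry modelled on the atOrAbove/below shape of the
// retire.js repository. The "exclusions" field name and the ranges are
// assumptions for this example, not the real repository data.
const jqueryVulns = [
  {
    identifiers: { CVE: ["CVE-2015-9251"] },
    below: "3.0.0",
    // Per the thread, every 1.12.4-aem variant carries this fix, so the
    // exclusion is kept only for this CVE.
    exclusions: ["1.12.4-aem"],
  },
  {
    identifiers: { CVE: ["CVE-2019-11358"] },
    below: "3.4.0",
    // Not every -aem build carries this patch, so no exclusion here.
    exclusions: [],
  },
];

// Split "1.12.4-aem" into numeric parts [1, 12, 4] and the suffix "aem".
function parseVersion(v) {
  const [core, ...rest] = v.split("-");
  return { parts: core.split(".").map(Number), suffix: rest.join("-") };
}

// Compare numeric parts only. A vendor suffix such as "-aem" is ignored for
// range checks, which is exactly why a patched build still lands inside the
// vulnerable range and needs an explicit exclusion.
function compareVersions(a, b) {
  const pa = parseVersion(a).parts, pb = parseVersion(b).parts;
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// Returns the CVE ids that apply to `version`, dropping any vulnerability
// whose exclusion list names this exact version string.
function findVulnerabilities(version, vulns) {
  return vulns
    .filter((v) => inRange(version, v))
    .filter((v) => !(v.exclusions || []).includes(version))
    .flatMap((v) => v.identifiers.CVE);
}
```

With this data, `findVulnerabilities("1.12.4-aem", jqueryVulns)` reports only CVE-2019-11358, while plain `1.12.4` reports both, matching the outcome the thread arrives at.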

eoftedal (Contributor):

I was able to find more examples through websites listed on https://trends.builtwith.com/websitelist/Adobe-Experience-Manager
