Replies: 1 comment
@mboelling thanks for reporting! I've submitted PR #4737 with a fix.
As part of a professional penetration test conducted by the Landesamt für Sicherheit in der Informationstechnologie (LSI), the official governmental authority for information security in Bavaria (Germany), a finding was raised regarding dependencies used in the Alpine.js Focus Plugin.
The test identified that the plugin currently includes the following libraries via Alpine.js:
tabbable.js v5.3.3
focus-trap.js v6.9.4
These outdated versions are part of all Livewire versions 2.x - 4.x, too.
According to the assessment of the LSI, these versions are considered end-of-life or security-critical, because of the security policies for those two packages (https://github.com/focus-trap/tabbable/security and https://github.com/focus-trap/focus-trap/security) in which only the newest versions are supported.
The authority explicitly states that this finding can be regarded as remediated if Alpine.js (or Livewire as a consuming framework) ensures ongoing security maintenance of these dependencies. This includes timely updates to supported versions or the implementation of appropriate mitigation measures, in line with the German public-sector security guideline BayITS-01.
Against this background, I would like to ask whether an update of tabbable.js and focus-trap.js to their current maintained versions (tabbable.js 6.4.0, focus-trap.js 7.8.0) in the Focus Plugin’s package.json is planned or could be addressed in the near future. Such an update would allow affected users to formally close this finding in their security documentation.
I am convinced that this affects a number of projects with increased security requirements in public administration within Germany.
It could also be mitigated by an adapted security policy.
To a certain extent, financial resources are also available to fix this bug more quickly.
Kind regards,
Markus Bölling
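A quick way for an affected project to verify the finding (and its remediation) is to scan the npm lockfile for every installed copy of the two packages, including nested copies shadowed under a plugin, and compare them with the maintained versions quoted above. This is an added example, not code from the discussion or from the Alpine.js or Livewire projects; the lockfile below is a constructed sample and the `@alpinejs/focus` path is used only to illustrate a nested install.

```javascript
// Added example: flag installed tabbable / focus-trap copies older than the
// maintained versions named in the report. Not part of the Alpine.js project.

// Minimum versions taken from the report above.
const MINIMUM_VERSIONS = { tabbable: "6.4.0", "focus-trap": "7.8.0" };

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes (e.g. "-beta.1") are stripped; sufficient for release builds.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a lockfileVersion 2/3 package-lock.json. Keys in "packages" look like
// "node_modules/focus-trap" or "node_modules/@alpinejs/focus/node_modules/tabbable",
// so nested (shadowed) copies are reported too, not only the top-level one.
function findOutdated(lock, minimums = MINIMUM_VERSIONS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in minimums) || !meta.version) continue;
    if (compareVersions(meta.version, minimums[name]) < 0) {
      findings.push({ name, path, installed: meta.version, minimum: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project tree): current top-level copies
// plus outdated nested copies pulled in under the focus plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/focus-trap": { version: "7.8.0" },
    "node_modules/tabbable": { version: "6.4.0" },
    "node_modules/@alpinejs/focus/node_modules/focus-trap": { version: "6.9.4" },
    "node_modules/@alpinejs/focus/node_modules/tabbable": { version: "5.3.3" },
  },
};

for (const f of findOutdated(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.installed} is below minimum ${f.minimum}`);
}
```

Running it against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) gives the list a project would attach to its security documentation when closing the finding.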