Release Notes

1.7.5 (NES) - December 2025

Dojo Notes

  • This version includes the following security fixes:
    • A high-severity Prototype Pollution vulnerability (CVE-2021-23450) in the dojo.setObject and dojo.getObject functions. When user-controlled property paths containing __proto__ or constructor are processed, attackers can pollute Object.prototype, leading to property injection that can affect JavaScript objects.
  • Full package name and version:
    • @neverendingsupport/dojo@1.7.2-dojo-1.7.5
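
The property-path issue described above (CVE-2021-23450), shown as an added example that is neither Dojo's source nor the HeroDevs patch. The function names setPathUnsafe and setPathSafe, the blocked-key list, and the sample paths are assumptions made for illustration.

```javascript
// Added example (hypothetical names): a dotted-path setter in the style of
// dojo.setObject, first unguarded, then with the path segments checked.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unguarded: every path segment is used as a property key as-is, so a
// segment such as "__proto__" walks from the target onto Object.prototype.
function setPathUnsafe(root, path, value) {
  const parts = path.split(".");
  const last = parts.pop();
  let obj = root;
  for (const p of parts) {
    if (obj[p] === undefined) obj[p] = {};
    obj = obj[p];
  }
  obj[last] = value;
  return value;
}

// Guarded: reject blocked segments and descend only through own properties.
function setPathSafe(root, path, value) {
  const parts = String(path).split(".");
  if (parts.some((p) => BLOCKED_KEYS.has(p))) return undefined;
  const last = parts.pop();
  let obj = root;
  for (const p of parts) {
    if (!Object.prototype.hasOwnProperty.call(obj, p)) obj[p] = {};
    obj = obj[p];
    if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) return undefined;
  }
  obj[last] = value;
  return value;
}

// Constructed inputs; the polluted property is removed again straight away.
function demo() {
  const out = {};
  setPathUnsafe({}, "__proto__.polluted", true);
  out.unsafePolluted = ({}).polluted === true;   // unrelated object is affected
  delete Object.prototype.polluted;
  out.safeReturn = setPathSafe({}, "__proto__.polluted", true);
  out.ctorReturn = setPathSafe({}, "constructor.prototype.polluted", true);
  out.safePolluted = ({}).polluted === true;
  const cfg = {};
  setPathSafe(cfg, "ui.theme.name", "dark");     // ordinary paths still work
  out.normal = cfg.ui.theme.name;
  return out;
}
```
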

Dijit Notes

  • This version includes the following security fixes:
    • A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2018-6561) in dijit.Editor when using the ViewSource plugin. When users enter malicious HTML containing event handler attributes (such as onload, onclick, onerror) in source edit mode, attackers can inject arbitrary JavaScript that executes when the editor content is rendered or interacted with, leading to XSS attacks.
    • A low-severity Cross-Site Scripting (XSS) vulnerability (CVE-2020-4051) in the dijit.Editor LinkDialog plugin. When user-controlled data containing unescaped HTML is entered in the link description field, attackers can inject arbitrary HTML tags and JavaScript event handlers, leading to XSS attacks.
  • Full package name and version:
    • @neverendingsupport/dijit@1.7.2-dijit-1.7.5

Dojox Notes

  • This version includes the following security fixes:
    • A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2019-10785) that affects Dojox due to insufficient escape handling in dojox.xmpp.util.xmlEncode and related functions. Attackers could inject malicious scripts through unescaped user-supplied content in XML contexts, widget labels, and template attributes.
    • A low-severity Prototype Pollution vulnerability (CVE-2020-5259) affecting the Dojox jQuery wrapper. The jqMix method allowed attackers to inject properties into JavaScript language construct prototypes by manipulating the special __proto__ and constructor properties during object mixing operations, leading to property injection that can affect JavaScript objects.
  • Full package name and version:
    • @neverendingsupport/dojox@1.7.2-dojox-1.7.5

1.7.4 (NES) - November 2025

Dojo Notes

  • This release of dojo is to maintain version synchronization across Dojo, Dijit, and Dojox packages. There are no functional changes in this release.
  • Full package name and version:
    • @neverendingsupport/dojo@1.7.2-dojo-1.7.4

Dijit Notes

  • This release of dijit is to maintain version synchronization across Dojo, Dijit, and Dojox packages. There are no functional changes in this release.
  • Full package name and version:
    • @neverendingsupport/dijit@1.7.2-dijit-1.7.4

Dojox Notes

  • This version includes the following security fixes:
    • A critical-severity Cross-Site Scripting (XSS) vulnerability (CVE-2018-15494) in dojox.grid.DataGrid editable cells. When user-controlled data containing unescaped double quotes is rendered in editable grid cells, attackers can inject arbitrary HTML attributes and JavaScript event handlers, leading to XSS attacks.
  • Full package name and version:
    • @neverendingsupport/dojox@1.7.2-dojox-1.7.4

1.7.3 (NES) - October 2025

Dojo Notes

  • This release originates from the open-source dojo repository forked by HeroDevs. It includes the modifications HeroDevs made so that the package builds successfully. This release contains no functional changes from dojo 1.7.2.
  • Full package name and version:
    • @neverendingsupport/dojo@1.7.2-dojo-1.7.3

Dijit Notes

  • This release originates from the open-source dijit repository forked by HeroDevs. It includes the modifications HeroDevs made so that the package builds successfully. This release contains no functional changes from dijit 1.7.2.
  • Full package name and version:
    • @neverendingsupport/dijit@1.7.2-dijit-1.7.3

Dojox Notes

  • This release originates from the open-source dojox repository forked by HeroDevs. It includes the modifications HeroDevs made so that the package builds successfully. This release contains no functional changes from dojox 1.7.2.
  • Full package name and version:
    • @neverendingsupport/dojox@1.7.2-dojox-1.7.3