The following XSS and prototype pollution vulnerabilities are present in the legacy version of jQuery included in pander (v1.7.2): - CVE-2019-11358 - CVE-2020-7656 - CVE-2020-7656 It appears that `jquery.min.js` is required for `slimbox2.js` which is called in `custom.js`. All three are included in `inst/includes/html/header.html`. Is it possible to update jQuery to 3.6.x? I'm happy to submit a PR for this, let me know.