- Improvement
- Resolution: Fixed
- Minor
- 4.0.1
- None
- MOODLE_400_STABLE
- MOODLE_401_STABLE

Hi there,
I can see updating YUI has been discussed previously (some time ago) in https://tracker.moodle.org/browse/MDL-49535
A recent penetration test has highlighted a few vulnerabilities with yui 3.17.2 modules such as "qs": https://snyk.io/test/npm/yui/3.17.2
The suggested remediation is to update to yui 3.18.0, but if the modules are not used by Moodle perhaps this is not necessary? I am unsure whether Moodle HQ would have a policy regarding that, so I think it's best to be safe and at least raise this tracker.
My understanding is that YUI is in the process of being deprecated but is still used within several Moodle modules and plug-ins, so that may also be a factor in whether this is worth doing.
Let me know if you need to know anything else; please close if not needed.