Open
Labels
bug (Something isn't working)
Description
Expected
Frontend dependencies are included from recent CDN versions or with a package manager, and use the latest major version. Best case would be that some tooling like Renovate keeps them up to date.
Actual
The hardcoded frontend dependencies in src/static.html are multiple major versions outdated, and especially the Bootstrap dependency contains CVEs which get flagged in our SAST tooling.
Steps to reproduce
Analyze the static export of any diagram by any SAST tool.
Version/build information
structurizr-cli: 2025.05.28
structurizr-java: 4.1.0
Java: 24.0.1/Homebrew (/opt/homebrew/Cellar/openjdk/24.0.1/libexec/openjdk.jdk/Contents/Home)
OS: Mac OS X 15.4.1 (aarch64)
Severity
Critical
Priority
Low (I'm willing to make a pull request - please confirm approach first)
More information
No response