Envato, I hate to say it, but you are actively, and willingly, distributing vulnerable code, turning your customers’ websites into hacking magnets!
Don’t get me wrong, I like your site, and the concept of selling re-usable code. But, when that code is based on a platform, keeping track of which version of the platform the code was based on becomes crucial information that must be included and disclosed PRIOR to the sale.
Any template, theme, platform-based code, etc, MUST provide any initial, updated and current versions of any platform the code was based on (js, bootstrap, CMS, etc.). Right now, customers are flying blind until AFTER we’ve purchased a product (and searching through the actual code), thinking we’ve saved a crap ton of time, only to find out we have to re-write the damn thing ourselves. FFS, it defeats the whole purpose of your site, not to mention the whole legal ramifications turning every customer’s site into a hacking magnet!
As it stands, you have vulnerable products that have been sold for years. Some sellers have kept their products up-to-date, others have not. Any seller that has not, should be a little suspect. (I’m not saying they’re all bad actors, but it only takes one, right?) If you make at minimum versioning details, and hopefully in the near future verification a requirement, then you can automate this whole process, disabling products when vulnerabilities are discovered, until they are updated. Until then, how are we supposed to address vulnerable products that are ACTIVELY for sale in YOUR marketplace? Because, I just inherited one developed with jquery 2.1.3 and bootstrap 3.3.4, re-bought it, thinking the update from a year ago would’ve included jquery and bootstrap updates, but it didn’t. (The update log did not specify any versioning, either.)
BTW, when the vulnerabilities were brought up in the comments of this particular template, the seller said there are no plans to update it, but I’m free to update it on my own! Brilliant!! Side note, that site template has been sold more than 4,400 times! That’s quite a honeypot!
One Frustrated Bird,
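
The "searching through the actual code" step described in the post can be scripted. The following is an added example, not part of the original post or any Envato tooling: it reads the banner comments that jQuery and Bootstrap ship at the top of their files and lists bundled copies older than a minimum the reviewer supplies. The sample tree, the function names and the `floors` values are constructed for illustration; real minimums should come from the libraries' own advisories.

```python
import re
import tempfile
from pathlib import Path

# Banner text found at the top of distributed jQuery and Bootstrap files.
BANNERS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)"),
}

def inventory(root):
    """Return sorted (relative_path, library, version_tuple) for bundled libraries."""
    root = Path(root)
    found = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in {".js", ".css"}:
            continue
        # Banners sit in the first lines, so only the head of the file is matched.
        head = path.read_text(encoding="utf-8", errors="replace")[:2048]
        for lib, pattern in BANNERS.items():
            m = pattern.search(head)
            if m:
                version = tuple(int(part) for part in m.groups())
                found.append((path.relative_to(root).as_posix(), lib, version))
    return sorted(found)

def below_floor(found, floors):
    """Entries whose version is lower than the reviewer-supplied minimum."""
    return [e for e in found if e[1] in floors and e[2] < floors[e[1]]]

def build_sample(root):
    """Constructed template tree using the versions named in the post."""
    root = Path(root)
    (root / "js").mkdir()
    (root / "css").mkdir()
    (root / "js" / "jquery.min.js").write_text("/*! jQuery v2.1.3 | (c) jQuery Foundation */\n")
    (root / "css" / "bootstrap.css").write_text("/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n */\n")
    (root / "js" / "app.js").write_text("// theme code, no library banner\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        floors = {"jquery": (3, 0, 0), "bootstrap": (3, 4, 0)}  # constructed placeholders
        for rel, lib, ver in below_floor(inventory(tmp), floors):
            print(f"{rel}: {lib} {'.'.join(map(str, ver))} is below the required minimum")
```

A copy whose banner was stripped during minification or bundling will not be reported, so an empty result is not proof that a template ships no outdated library.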