We are hoping to address CVE-2019-11358 in the jQuery library provided with AEM.
In versions prior to 6.4, we would overlay /libs/clientlibs/granite/jquery and apply security patches based on recommendations from the jQuery team.
However, starting with 6.4, the /libs/clientlibs/granite nt:folder node has the granite:InternalArea mixin applied.
With that, we are no longer able to overlay jQuery and patch it ourselves, per the documentation here: Adobe Experience Manager Help | Sustainable Upgrades
"Internal (granite:InternalArea) - Defines a node as internal. Nodes classified as internal cannot be overlaid, inherited, or used directly. These nodes are meant only for internal functionality of AEM"
So we are dependent on Adobe releasing a patched version of the jQuery clientlib, with a fix for the jQuery.extend method.
We are going to override the method in our own scripts to get around the issue, but we are hoping there is a CFP or Service Pack with an update to the jQuery client library.
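
One way to write the kind of `jQuery.extend` override mentioned above, as an added example that is not part of the original post and is not Adobe's or jQuery's code: it removes own `__proto__` keys from merge sources before the library's `extend` sees them, mirroring the upstream jQuery fix, which skips that key. The names `isPlain`, `stripProto`, `hardenExtend`, `legacyExtend` and `demo` are hypothetical, and `legacyExtend` is a constructed stand-in for the unpatched deep merge so the block runs without jQuery.

```javascript
// Added example, not Adobe's or jQuery's code; all function names are hypothetical.
function isPlain(v) {
  const proto = v !== null && typeof v === "object" ? Object.getPrototypeOf(v) : undefined;
  return proto === null || proto === Object.prototype;
}
// Copy plain objects/arrays without own "__proto__" keys; recurse only for deep merges.
function stripProto(value, deep) {
  if (!Array.isArray(value) && !isPlain(value)) return value;
  const out = Array.isArray(value) ? [] : {};
  for (const key of Object.keys(value)) {
    if (key === "__proto__") continue;
    out[key] = deep ? stripProto(value[key], true) : value[key];
  }
  return out;
}
// Wrap jq.extend (jq.fn.extend is the same function in jQuery) so sources are sanitized.
function hardenExtend(jq) {
  const original = jq.extend;
  const guarded = function (...args) {
    const targetIdx = typeof args[0] === "boolean" ? 1 : 0;
    // With one object argument jQuery extends `this`, so that argument is a source.
    const firstSrc = args.length === targetIdx + 1 ? targetIdx : targetIdx + 1;
    for (let i = firstSrc; i < args.length; i++) args[i] = stripProto(args[i], args[0] === true);
    return original.apply(this, args);
  };
  jq.extend = guarded;
  if (jq.fn && jq.fn.extend === original) jq.fn.extend = guarded;
  return jq;
}
// Constructed stand-in for a pre-fix deep merge, so the example runs without jQuery.
function legacyExtend(...args) {
  let i = typeof args[0] === "boolean" ? 1 : 0;
  let target = args[i++] || {};
  if (i === args.length) { target = this; i--; }
  for (; i < args.length; i++) {
    for (const name in args[i]) {
      const copy = args[i][name];
      if (args[0] === true && isPlain(copy)) {
        target[name] = legacyExtend(true, isPlain(target[name]) ? target[name] : {}, copy);
      } else if (copy !== undefined) target[name] = copy;
    }
  }
  return target;
}

function demo() {
  const jq = hardenExtend({ extend: legacyExtend, fn: { extend: legacyExtend } });
  const payload = JSON.parse('{"__proto__":{"polluted":"yes"},"a":{"b":1}}'); // constructed
  return { merged: jq.extend(true, {}, payload), polluted: ({}).polluted };
}
```

In a real page the call would be `hardenExtend(jQuery)`, placed (as an assumption about the site's clientlib ordering) in a script that loads after the Granite jQuery clientlib and before any code that merges untrusted JSON.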