I'm sending this reply separately so I can bring the topic to the attention of all our deployment projects without bloating the subject line of the first post, since it seems like at least some of them are falling into this trap and I'm not sure how to tell which ones (if any) aren't. I've also included the Packaging SIG in order to hopefully reach some of our downstream distribution package maintainers.

In short, the XStatic packages we rely on for Horizon's integration of JavaScript libraries include convenience copies of those JS libs which are not to be assumed safe for production use, since we're not the actual authors of that code and are unable to address known security vulnerabilities in them.

See my longer message for all the details: https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029825.h...

-- Jeremy Stanley