asigno Posted May 30, 2018 Posted May 30, 2018 Hi, IPB is using jQuery 2.2.4 and it's been pointed out to me that it has XSS vulnerabilities https://snyk.io/test/npm/jquery/2.2.4 and I should upgrade to v3. Has anyone tested updating this to a new version? Cheers
bfarber Posted September 24, 2018 Posted September 24, 2018 We don't (out of the box) use cross-domain requests so the reported issue is sort of moot. That said, no it's not as simple as dropping in jQuery 3. Upgrading jQuery is something we're investigating for a future release, however.
asigno Posted January 10, 2019 Author Posted January 10, 2019 On 9/25/2018 at 2:40 AM, bfarber said: We don't (out of the box) use cross-domain requests so the reported issue is sort of moot. That said, no it's not as simple as dropping in jQuery 3. Upgrading jQuery is something we're investigating for a future release, however. @bfarber Hi, I noticed that 4.4 still has version 2.2.4 of Jquery, will this be changed for the public release?
Ryan Ashbrook Posted January 10, 2019 Posted January 10, 2019 8 minutes ago, asigno said: @bfarber Hi, I noticed that 4.4 still has version 2.2.4 of Jquery, will this be changed for the public release? No - as Brandon mentioned, 2.2.4 is the last release of the 2.x series, and we cannot simply drop in jQuery 3, as that may require massive changes to the suite which we are not comfortable with doing this late in 4.4 development.
Joy Rex Posted January 11, 2019 Posted January 11, 2019 jQuery 2.2.4 (which is the last of the 2.x series) is no longer receiving patches. I know from experience updating to jQuery 3.x is a PITA, so may I suggest taking the route (since it will be a PITA anyway) of dropping jQuery entirely and redo all the scripting in plain JavaScript instead? I know this won't be something for consideration for 4.4 (or probably 4.5), but 5.0 should remove this dependency. With browser differences quickly becoming minimal these days, the need for something like jQuery is becoming less critical.
bfarber Posted January 11, 2019 Posted January 11, 2019 39 minutes ago, Joy Rex said: jQuery 2.2.4 (which is the last of the 2.x series) is no longer receiving patches. I know from experience updating to jQuery 3.x is a PITA, so may I suggest taking the route (since it will be a PITA anyway) of dropping jQuery entirely and redo all the scripting in plain JavaScript instead? I know this won't be something for consideration for 4.4 (or probably 4.5), but 5.0 should remove this dependency. With browser differences quickly becoming minimal these days, the need for something like jQuery is becoming less critical. What benefits do you believe would be gained by dropping support for jQuery?
silenceheaven Posted January 11, 2019 Posted January 11, 2019 30 minutes ago, bfarber said: What benefits do you believe would be gained by dropping support for jQuery? The learning experience and trying to keep it under the jQuery 2.2.4 minified size of 84kb 😄 Sounds like an anxiety roller coaster!!!
asigno Posted January 14, 2019 Author Posted January 14, 2019 On 1/11/2019 at 9:22 AM, Ryan Ashbrook said: No - as Brandon mentioned, 2.2.4 is the last release of the 2.x series, and we cannot simply drop in jQuery 3, as that may require massive changes to the suite which we are not comfortable with doing this late in 4.4 development. I'm surprised that this wasn't taken onboard for 4.4. In fairness I wasn't insinuating that you "simply drop in jQuery 3", but jQuery 3 was released almost 3 years ago, and my question was written 8 months ago following a hack using a known exploit in the 2.2.4 codebase. https://snyk.io/vuln/npm:jquery:20150627 Cross-site Scripting (XSS) affecting jquery package, versions <3.0.0-beta1 >1.12.3 || <1.12.0 >=1.4.0. Disclosed 26 Jun 2015, published 27 Nov 2016.
bfarber Posted January 14, 2019 Posted January 14, 2019 Quote: "Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed." This isn't a general exploit in jQuery itself - it's a security "hole" that is exposed when used in a specific manner, which we don't. We will update jQuery in due course. This security issue is not a concern at this time, however.
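The condition bfarber quotes above (a cross-domain ajax call made with no dataType, answered with a text/javascript body) can be made concrete. The block below is an added example written for this page; it is not jQuery's code and not Invision Community's. Part one is a simplified model of how jQuery 2.x sniffs a response type when the caller gave none, and of the jQuery 3.0 mitigation that stops "script" being sniffed on cross-domain requests (the sniffing table is an assumption standing in for jQuery's real contents map, not a copy of it). Part two is a small static check a site owner could run over their own bundled JavaScript and third-party plugins to test the "we don't make cross-domain requests" claim for their install; it is regex-based and only sees string-literal URLs, and the sample source and origins are constructed.

```javascript
// Added example (not jQuery's or Invision Community's code). Part 1 models how
// jQuery 2.x chooses a dataType for an $.ajax response when the caller passed
// none, and the jQuery 3.0 mitigation that stops a cross-domain text/javascript
// response from being sniffed as "script". The sniffing table is a simplified
// stand-in for jQuery's `contents` map (assumption), not a copy of it.
const CONTENT_SNIFF = [
  { type: "script", re: /\b(?:java|ecma)script\b/i },
  { type: "json",   re: /\bjson\b/i },
  { type: "xml",    re: /\bxml\b/i },
];

function isCrossDomain(pageOrigin, url) {
  // Relative URLs resolve against the page, so they are always same-origin.
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true; // unparseable URL: treat as cross-domain (conservative)
  }
}

function resolveDataType({ url, dataType }, contentType, pageOrigin, jqueryMajor) {
  if (dataType) return dataType; // an explicit dataType always wins
  const crossDomain = isCrossDomain(pageOrigin, url);
  for (const { type, re } of CONTENT_SNIFF) {
    if (!re.test(contentType || "")) continue;
    // jQuery 3 mitigation: never sniff "script" on a cross-domain request.
    if (type === "script" && crossDomain && jqueryMajor >= 3) continue;
    return type;
  }
  return "text";
}

// True when the response body would be handed to the script converter, i.e.
// evaluated in the page: the condition quoted from the advisory.
function wouldExecuteResponse(call, contentType, pageOrigin, jqueryMajor) {
  return resolveDataType(call, contentType, pageOrigin, jqueryMajor) === "script";
}

// Part 2: a static check for the claim "we don't make cross-domain requests".
// It scans JavaScript source for $.ajax/$.get/$.post calls whose URL is an
// absolute cross-origin string literal and that pass no dataType. Regex-based
// and string-literal-only (assumption/limitation): a URL built at runtime or a
// call made through a wrapper will not be found.
const CALL_START = /(?:\$|jQuery)\.(ajax|get|post)\s*\(/g;

function extractCall(source, openParen) {
  // Walk to the matching ")" so nested callbacks stay inside the call text.
  let depth = 0;
  for (let i = openParen; i < source.length; i++) {
    if (source[i] === "(") depth++;
    else if (source[i] === ")" && --depth === 0) return source.slice(openParen, i + 1);
  }
  return source.slice(openParen);
}

function findRiskyAjaxCalls(source, pageOrigin) {
  const findings = [];
  for (const m of source.matchAll(CALL_START)) {
    const callText = extractCall(source, m.index + m[0].length - 1);
    const urlMatch = /(['"])((?:https?:)?\/\/[^'"]+)\1/.exec(callText);
    if (!urlMatch || !isCrossDomain(pageOrigin, urlMatch[2])) continue;
    if (/\bdataType\s*:/.test(callText)) continue;
    findings.push({
      method: m[1],
      url: urlMatch[2],
      line: source.slice(0, m.index).split("\n").length,
    });
  }
  return findings;
}

// Constructed sample source, standing in for a site's bundled scripts.
const SAMPLE_SOURCE = `
$.ajax({ url: "/index.php?app=core&module=system", success: render });
$.get("https://cdn.example.net/widget/feed", function (d) { render(d); });
$.ajax({ url: "https://api.example.org/v1/items", dataType: "json", success: render });
jQuery.post("//partner.example.com/hook", { id: 1 }, done);
`;

if (typeof require !== "undefined" && require.main === module) {
  const origin = "https://forum.example.com";
  const call = { url: "https://cdn.example.net/feed" };
  console.log(wouldExecuteResponse(call, "text/javascript", origin, 2)); // true on 2.x
  console.log(wouldExecuteResponse(call, "text/javascript", origin, 3)); // false on 3.x
  console.log(findRiskyAjaxCalls(SAMPLE_SOURCE, origin)); // the $.get and jQuery.post lines
}
```

Two things the model makes visible: an explicit dataType ("json", "html", "text") closes the hole on any jQuery version, which is why the advisory singles out calls made without one; and same-origin script responses are still evaluated on 3.x, so the scanner reports only cross-origin calls. Run it with `node` over a site's concatenated JavaScript, plugins included, to see whether the "out of the box" assumption still holds after customisation.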
Joy Rex Posted January 14, 2019 Posted January 14, 2019 On 1/11/2019 at 11:25 AM, bfarber said: What benefits do you believe would be gained by dropping support for jQuery?
- One less library/dependency to keep up with and maintain
- Fewer assets loading (from CDN or otherwise) on client machines (at least initially)
- Faster DOM access with plain JS vs jQuery
- jQuery was created to address browser JS inconsistency - this is far less a concern in 2019
- A lot of the shortcuts introduced by jQuery are now in standard JS
- jQuery 3 is years old now - if IPS updates to jQuery 3, jQuery's next major version could put us right back to where we are now (e.g., using an outdated version of jQuery)
And there's more, and probably some cons to straight JS over jQuery - I suppose it depends on how heavily "invested" IPS is using jQuery, and your engineers' preferences and experience with jQuery vs plain JS. I'm a jQuery fan and love all the scripts and plugins people have made over the years, but there too you have more libraries to maintain and update. Also, there seems to be a trend nowadays to move from jQuery back to plain JS - how long before this trend is the standard? This site has an interesting take on the jQuery vs JS debate - and guides you through common use scenarios to suggest whether you need jQuery or not: http://youmightnotneedjquery.com/
Archived
This topic is now archived and is closed to further replies.