Feature #31196

Updates jQuery to 2.2.4 and adds jQuery Migrate library

Added by Federico Vera 6 months ago. Updated about 1 month ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%

Category: Third-party libraries
Target version: 4.1.0
Resolution: Fixed

Description

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?


Related issues

Related to Redmine - Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated Closed
Related to Redmine - Defect #31870: Remove deprecated .zIndex() method Closed
Related to Redmine - Patch #31894: Fix "jQuery.fn.attr('selected') might use property instea... Closed

Associated revisions

Revision 18363
Added by Go MAEDA 2 months ago

Updates jQuery to 2.2.4 and adds jQuery Migrate library to find APIs and features that have been or will be removed from jQuery core (#31196).

Patch by Marius BALTEANU.

Revision 18364
Added by Go MAEDA 2 months ago

Fix JQMIGRATE: jQuery.fn.load() is deprecated (#31884, #31196).

Patch by Marius BALTEANU.

Revision 18365
Added by Go MAEDA 2 months ago

Fix jQuery.fn.attr('selected') might use property instead of attribute (#31894, #31196).

Patch by Marius BALTEANU.

History

#1 Updated by Federico Vera 6 months ago

Related issue: #30486

#2 Updated by Philippe Bourjac 5 months ago

Federico Vera wrote:

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?

Hello there,

I am interested in this subject too, as we are using Redmine 4.0.3 and security services are putting some pressure on us because of this vulnerability (they are asking me to shut the Redmine system down).
Any plan to migrate to the latest jQuery version?

Regards,
Philippe

#3 Updated by Marius BALTEANU 5 months ago

  • Tracker changed from Defect to Feature
  • Assignee set to Marius BALTEANU

I've some work in progress on this topic.

#4 Updated by Marius BALTEANU 2 months ago

  • Assignee deleted (Marius BALTEANU)

Here is a patch (I cannot attach it here because of the size - please use the download option or access the patch directly using this link) that updates jQuery to version 2.2.4. Because we didn't check the entire JS code, I propose to use the jQuery Migrate library, which will help us identify all the issues that we need to fix before moving to the next major version. I think it's safe to commit this as soon as possible and report the issues found by the library.

Hopefully, we can migrate to jQuery 3 or 4 (which is under development) in Redmine 4.2.0 or 5.0.0.
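
As an added illustration (not part of the issue thread or of Redmine's code): a static pre-check for the three deprecations tracked in the related issues, to run alongside the runtime warnings from jQuery Migrate. The regexes are heuristics, the hints are suggestions, and the sample lines are constructed.

```javascript
// Heuristic static pre-check for the three jQuery deprecations tracked in this issue.
// Regex-based, not a parser: jQuery Migrate's runtime warnings stay authoritative.
const RULES = [
  // Only the event shorthand .load(handler) is deprecated; the Ajax form
  // .load('url') takes a string first argument and is deliberately not matched.
  { id: 'fn.load', re: /\.load\(\s*(?:function\b|\(?[\w$,\s]*\)?\s*=>)/,
    message: 'jQuery.fn.load() is deprecated',
    hint: "use .on('load', handler)" },
  { id: 'fn.zIndex', re: /\.zIndex\(/,
    message: '.zIndex() is deprecated', hint: "review; .css('z-index') is the usual replacement" },
  { id: 'attr.selected', re: /\.attr\(\s*(['"])selected\1/,
    message: "jQuery.fn.attr('selected') might use property instead of attribute",
    hint: "use .prop('selected')" },
];

// Returns one finding per (line, rule) match; whole-line // comments are skipped.
function auditSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return;
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: i + 1, id: rule.id, message: rule.message, hint: rule.hint });
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from Redmine's source).
const SAMPLE = [
  "$(window).load(function() { init(); });", // event shorthand: flagged
  "$('#preview').load('/preview');",          // Ajax load: not flagged
  "var z = $('#modal').zIndex();",            // flagged
  "if ($(opt).attr('selected')) { mark(); }", // flagged
  "$(opt).prop('selected', true);",           // already correct
  "// $(el).zIndex(10);",                      // comment: skipped
].join('\n');

for (const f of auditSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.message} (${f.hint})`);
}
```

A clean result from this scan does not replace loading the page with jQuery Migrate enabled, since dynamically built calls are invisible to a text search.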

#5 Updated by Marius BALTEANU 2 months ago

  • Related to Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated added

#6 Updated by Go MAEDA 2 months ago

  • Related to Defect #31870: Remove deprecated .zIndex() method added

#7 Updated by Go MAEDA 2 months ago

  • Target version set to 4.1.0

Marius BALTEANU wrote:

I think it's safe to commit this as soon as possible and report the issues found by the library.

Setting the target version to 4.1.0. Thank you for working hard on this.

#8 Updated by Go MAEDA 2 months ago

  • Subject changed from jQuery version in use is old and insecure to Updates jQuery to 2.2.4 and adds jQuery Migrate library
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you.

#9 Updated by Marius BALTEANU 2 months ago

  • Related to Patch #31894: Fix "jQuery.fn.attr('selected') might use property instead of attribute" added

#10 Updated by Go MAEDA about 1 month ago

  • Category changed from Security to Third-party libraries
