Feature #31196

Updates jQuery to 2.2.4 and adds jQuery Migrate library

Added by Federico Vera 4 months ago. Updated 4 days ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Security
Target version: 4.1.0
Resolution: Fixed

Description

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?


Related issues

Related to Redmine - Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated Closed
Related to Redmine - Defect #31870: jQuery / zIndex deprecated New
Related to Redmine - Patch #31894: Fix "jQuery.fn.attr('selected') might use property instea... Closed

Associated revisions

Revision 18363
Added by Go MAEDA 4 days ago

Updates jQuery to 2.2.4 and adds jQuery Migrate library to find APIs and features that have been or will be removed from jQuery core (#31196).

Patch by Marius BALTEANU.

Revision 18364
Added by Go MAEDA 4 days ago

Fix JQMIGRATE: jQuery.fn.load() is deprecated (#31884, #31196).

Patch by Marius BALTEANU.

Revision 18365
Added by Go MAEDA 4 days ago

Fix jQuery.fn.attr('selected') might use property instead of attribute (#31894, #31196).

Patch by Marius BALTEANU.

History

#1 Updated by Federico Vera 4 months ago

Related issue: #30486

#2 Updated by Philippe Bourjac 3 months ago

Federico Vera wrote:

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?

Hello there,

I am interested in this subject too, as we are using Redmine 4.0.3 and security services are putting some pressure on us because of this vulnerability (they are asking me to shut the Redmine system down).
Any plan to migrate to latest jQuery version?

Regards,
Philippe

#3 Updated by Marius BALTEANU 3 months ago

  • Tracker changed from Defect to Feature
  • Assignee set to Marius BALTEANU

I've some work in progress on this topic.

#4 Updated by Marius BALTEANU 5 days ago

  • Assignee deleted (Marius BALTEANU)

Here is a patch (I cannot attach it here because of the size - please use the download option or access the patch directly using this link) that updates jQuery to version 2.2.4. Because we didn't check the entire JS code, I propose to use the jQuery Migrate library, which will help us identify all the issues that we need to fix before moving to the next major version. I think it's safe to commit this as soon as possible and report the issues found by the library.

Hopefully, we can migrate to jQuery 3 or 4 (which is under development) in Redmine 4.2.0 or 5.0.0.
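A static pre-check for the two JQMIGRATE warnings tracked in #31884 and #31894, as an added example that is not part of the comment above or of Redmine's code base. jQuery Migrate reports these calls at runtime; this sketch only greps source text for them, and the rule ids, regexes, `scan` function, and sample lines are constructed for illustration.

```javascript
// Added example: heuristic source scan for the two deprecations named in this issue.
// Rule ids and regexes are assumptions of this example, not jQuery Migrate internals.
const RULES = [
  {
    id: 'load-event-shorthand',
    // .load(function ...) or .load(() => ...) binds a load event handler;
    // .load('/url') is the AJAX method and is deliberately not matched.
    pattern: /\.load\(\s*(?:function\b|\(?[\w$,\s]*\)?\s*=>)/,
    hint: "use .on('load', handler)",
  },
  {
    id: 'attr-selected',
    // .attr('selected') reads the attribute, not the live state of the option.
    pattern: /\.attr\(\s*(['"])selected\1/,
    hint: ".prop('selected') reflects the current state",
  },
];

function scan(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    // Drop trailing line comments so commented-out calls are not reported.
    // (Heuristic: a '//' inside a string literal also truncates the line.)
    const code = text.replace(/\/\/.*$/, '');
    for (const rule of RULES) {
      if (rule.pattern.test(code)) {
        findings.push({ line: i + 1, rule: rule.id, hint: rule.hint });
      }
    }
  });
  return findings;
}

// Constructed sample input (not Redmine code).
const SAMPLE = [
  '$(window).load(function () { init(); });',
  "$('#preview').load('/issues/preview');",
  "if ($('option:first').attr('selected')) { warn(); }",
  "$('#box').prop('selected', true); // .attr('selected') was here",
  "$('img').load(() => resize());",
].join('\n');

for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule} -> ${f.hint}`);
}
```

A scan like this narrows where to look before the upgrade; the Migrate warnings in the browser console remain the authority on what the running code actually calls.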

#5 Updated by Marius BALTEANU 5 days ago

  • Related to Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated added

#6 Updated by Go MAEDA 4 days ago

#7 Updated by Go MAEDA 4 days ago

  • Target version set to 4.1.0

Marius BALTEANU wrote:

I think it's safe to commit this as soon as possible and report the issues found by the library.

Setting the target version to 4.1.0. Thank you for working hard on this.

#8 Updated by Go MAEDA 4 days ago

  • Subject changed from jQuery version in use is old and insecure to Updates jQuery to 2.2.4 and adds jQuery Migrate library
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you.

#9 Updated by Marius BALTEANU 4 days ago

  • Related to Patch #31894: Fix "jQuery.fn.attr('selected') might use property instead of attribute" added
