Project

General

Profile

Actions

Feature #31196

closed

Updates jQuery to 2.2.4 and adds jQuery Migrate library

Added by Federico Vera almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Third-party libraries
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?


Related issues

Related to Redmine - Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecatedClosedGo MAEDA

Actions
Related to Redmine - Defect #31870: Remove deprecated .zIndex() methodClosedGo MAEDA

Actions
Related to Redmine - Patch #31894: Fix "jQuery.fn.attr('selected') might use property instead of attribute"ClosedGo MAEDA

Actions
Actions #1

Updated by Federico Vera almost 5 years ago

Related issue: #30486

Actions #2

Updated by Philippe Bourjac almost 5 years ago

Federico Vera wrote:

The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.

jQuery itself releases a plugin called jQuery Migrate to help with the transition.

The question is, is there any plan to upgrade jQuery?

Hello there,

I am interested in this subject too, as we are using redmine 4.0.3 and security services are putting some pressure on us because of this vulnerability (they are asking me to shut the redmine system down).
Any plan to migrate to latest jQuery version?

Regards,
Philippe

Actions #3

Updated by Marius BĂLTEANU almost 5 years ago

  • Tracker changed from Defect to Feature
  • Assignee set to Marius BĂLTEANU

I've some work in progress on this topic.

Actions #4

Updated by Marius BĂLTEANU over 4 years ago

  • Assignee deleted (Marius BĂLTEANU)

Here is a patch (I cannot attached it here because of the size - please use the download option or access the patch directly using this link) that updates jQuery to version 2.2.4. Because we didn't check the entire JS code, I propose to use the jQuery Migrate library which will help us identifying all the issues that we need to fix before moving to next major version. I think it's safe to commit this as soon as possible and report the issues found by the library.

Hopefully, we can migrate to jQuery 3 or 4 (which is under development) in Redmine 4.2.0 or 5.0.0.

Actions #5

Updated by Marius BĂLTEANU over 4 years ago

  • Related to Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated added
Actions #6

Updated by Go MAEDA over 4 years ago

  • Related to Defect #31870: Remove deprecated .zIndex() method added
Actions #7

Updated by Go MAEDA over 4 years ago

  • Target version set to 4.1.0

Marius BALTEANU wrote:

I think it's safe to commit this as soon as possible and report the issues found by the library.

Setting the target version to 4.1.0. Thank you for working hard on this.

Actions #8

Updated by Go MAEDA over 4 years ago

  • Subject changed from jQuery version in use is old and insecure to Updates jQuery to 2.2.4 and adds jQuery Migrate library
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you.

Actions #9

Updated by Marius BĂLTEANU over 4 years ago

  • Related to Patch #31894: Fix "jQuery.fn.attr('selected') might use property instead of attribute" added
Actions #10

Updated by Go MAEDA over 4 years ago

  • Category changed from Security to Third-party libraries
Actions

Also available in: Atom PDF