Feature #31196
Closed
Updates jQuery to 2.2.4 and adds jQuery Migrate library
Description
The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.
jQuery itself releases a plugin called jQuery Migrate to help with the transition.
The question is, is there any plan to upgrade jQuery?
Updated by Philippe Bourjac over 5 years ago
Federico Vera wrote:
> The current version of jQuery used in Redmine (1.11.1) is a couple of years old, and plagued with known security vulnerabilities and some that are not listed in CVE.
> jQuery itself releases a plugin called jQuery Migrate to help with the transition.
> The question is, is there any plan to upgrade jQuery?
Hello there,
I am interested in this subject too, as we are using Redmine 4.0.3 and security services are putting some pressure on us because of this vulnerability (they are asking me to shut the Redmine system down).
Any plan to migrate to the latest jQuery version?
Regards,
Philippe
Updated by Marius BĂLTEANU over 5 years ago
- Tracker changed from Defect to Feature
- Assignee set to Marius BĂLTEANU
I've some work in progress on this topic.
Updated by Marius BĂLTEANU over 5 years ago
- Assignee deleted (Marius BĂLTEANU)
Here is a patch (I cannot attach it here because of the size - please use the download option or access the patch directly using this link) that updates jQuery to version 2.2.4. Because we didn't check the entire JS code, I propose to use the jQuery Migrate library, which will help us identify all the issues that we need to fix before moving to the next major version. I think it's safe to commit this as soon as possible and report the issues found by the library.
Hopefully, we can migrate to jQuery 3 or 4 (which is under development) in Redmine 4.2.0 or 5.0.0.
Updated by Marius BĂLTEANU over 5 years ago
- Related to Patch #31884: Fix JQMIGRATE: jQuery.fn.load() is deprecated added
Updated by Go MAEDA over 5 years ago
- Related to Defect #31870: Remove deprecated .zIndex() method added
Updated by Go MAEDA over 5 years ago
- Target version set to 4.1.0
Marius BALTEANU wrote:
> I think it's safe to commit this as soon as possible and report the issues found by the library.
Setting the target version to 4.1.0. Thank you for working hard on this.
Updated by Go MAEDA over 5 years ago
- Subject changed from jQuery version in use is old and insecure to Updates jQuery to 2.2.4 and adds jQuery Migrate library
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you.
Updated by Marius BĂLTEANU over 5 years ago
- Related to Patch #31894: Fix "jQuery.fn.attr('selected') might use property instead of attribute" added
Updated by Go MAEDA over 5 years ago
- Category changed from Security to Third-party libraries