Closed
Bug 851691
Opened 12 years ago
Closed 12 years ago
Update Kuma to use jQuery 1.9.*
Categories
(developer.mozilla.org Graveyard :: General, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: basta, Unassigned)
Details
(Whiteboard: [specification][type:change])
What feature should be changed? Please provide the URL of the feature if possible.
==================================================================================
https://github.com/mozilla/kuma/blob/master/media/js/jquery-1.4.2.min.js
What problems would this solve?
===============================
Updating would help free Kuma from 2010 and save it from potentially being eaten by langoliers.
Who would use this?
===================
Everybody.
What would users see?
=====================
N/A
What would users do? What would happen as a result?
===================================================
1.9 is faster and has security fixes.
Is there anything else we should know?
======================================
Consider jquery.migrate.js and see what squawks.
Comment 1•12 years ago
Marking as security sensitive, and bringing in entire team for visibility.
Group: websites-security
Priority: -- → P1
Comment 2•12 years ago
An upgrade of jQuery or move to another framework is in the cards for our redesign. Since there's no timeframe for when this redesign arrives, I can see if we can upgrade sooner though. Not my call though, I'm but a man of the kanban board.
Reporter
Comment 3•12 years ago
Here's my completely unprofessional recommendation:
1. Create a branch (jq-master)
2. Create a commit that updates jquery and adds jquery.migrate on the branch
3. Push the branch to stage/dev/whatever and write fixes for the broken stuff from there
4. Keep rebasing the branch against master to keep things unrotted
We recently went through this with Marketplace and that was basically how we got things taken care of. I'd be happy to submit PRs against a branch for this.
Comment 4•12 years ago
Does/did Marketplace use django-waffle? Would be great to waffle the jquery version so we can just merge it to master and only enable it for devs.
Updated•12 years ago
Priority: P1 → P2
Reporter
Comment 5•12 years ago
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Does/did Marketplace use django-waffle? Would be great to waffle the jquery
> version so we can just merge it to master and only enable it for devs.
I'd recommend not doing that. If you're landing fixes to migrate to jQuery 1.9 on master, your users are going to see JS errors (jQuery 1.9 removes things that jQuery 1.4 has). A great example:
foo.live('click', function() {}) // Works in 1.4, errors in 1.9
foo.on('click', function() {}) // Works in 1.9, errors in 1.4
It wouldn't be possible to write a patch (without version sniffing or something equally tainted) that would leave things unbroken for users as well as for developers. The actual migration process is going to be painful if you plan on incrementally pushing out fixes: that's why I'm recommending having a separate branch.
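Added example, not part of the original comment or of Kuma's code: a small Node.js scanner that lists call sites of APIs removed in jQuery 1.9 (such as the .live() call above), so the breakage can be sized on the migration branch before the upgrade. The rule list, the function name findRemovedApis and the sample input are constructed for illustration.

```javascript
// Added example: flag call sites of jQuery APIs that were removed in 1.9.
// Regex-based, so treat hits as leads for manual review, not as proof.
const REMOVED_IN_1_9 = [
  { api: '.live()',         re: /\.live\s*\(/,                hint: 'use .on() with a delegated selector' },
  { api: '.die()',          re: /\.die\s*\(/,                 hint: 'use .off()' },
  { api: 'jQuery.browser',  re: /(?:\$|jQuery)\.browser\b/,   hint: 'use feature detection' },
  { api: 'jQuery.sub()',    re: /(?:\$|jQuery)\.sub\s*\(/,    hint: 'refactor; only jQuery Migrate still provides it' },
  { api: '.toggle(fn, fn)', re: /\.toggle\s*\(\s*function\b/, hint: 'keep the click state in your own handler' },
];

// Returns one finding per (line, removed API) pair found in the source text.
function findRemovedApis(source, filename) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (/^\s*\/\//.test(line)) return; // skip whole-line comments
    for (const rule of REMOVED_IN_1_9) {
      if (rule.re.test(line)) {
        findings.push({ file: filename, line: i + 1, api: rule.api, hint: rule.hint });
      }
    }
  });
  return findings;
}

// Constructed sample input; the first two lines mirror the example in the comment.
const SAMPLE = [
  "foo.live('click', function() {}) // Works in 1.4, errors in 1.9",
  "foo.on('click', function() {}) // Works in 1.9, errors in 1.4",
  "// $('.old').die('click');",
  "if ($.browser.msie) { fixLayout(); }",
  "$('#nav').toggle(function() { open(); }, function() { close(); });",
  "$('#panel').toggle(200);", // animation form of .toggle() still exists in 1.9
].join('\n');

for (const f of findRemovedApis(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line}: ${f.api} was removed in jQuery 1.9; ${f.hint}`);
}
```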
Comment 6•12 years ago
What is the impact of the security issues fixed so we can put a security rating on this bug?
Reporter
Comment 7•12 years ago
The major fixes involve XSS, but I wouldn't rule out XSRF issues (i.e.: jQuery potentially leaking CSRF tokens). I don't have easy access to all of the release notes for the many versions of jQuery that have been released in the past few years.
Comment 8•12 years ago
Upgrade to jQuery 1.9.1 is now in production.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 9•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard