Closed Bug 851691 Opened 12 years ago Closed 12 years ago

Update Kuma to use jQuery 1.9.*

Categories: developer.mozilla.org Graveyard :: General, defect, P2

Platform: All / Other
Type: defect

Tracking: (Not tracked)

Status: RESOLVED FIXED

People: Reporter: basta, Unassigned

Details

Whiteboard: [specification][type:change]

What feature should be changed? Please provide the URL of the feature if possible.
==================================================================================
https://github.com/mozilla/kuma/blob/master/media/js/jquery-1.4.2.min.js

What problems would this solve?
===============================
Updating would help free Kuma from 2010 and save it from potentially being eaten by langoliers

Who would use this?
===================
Everybody.

What would users see?
=====================
N/A

What would users do? What would happen as a result?
===================================================
1.9 is faster and has security fixes.

Is there anything else we should know?
======================================
Consider jquery.migrate.js and see what squawks.
Marking as security sensitive, and bringing in entire team for visibility.
Group: websites-security
Priority: -- → P1
An upgrade of jQuery or move to another framework is in the cards for our redesign. Since there's no timeframe for when this redesign arrives, I can see if we can upgrade sooner though. Not my call though, I'm but a man of the kanban board.
Here's my completely unprofessional recommendation:

1. Create a branch (jq-master)
2. Create a commit that updates jquery and adds jquery.migrate on the branch
3. Push the branch to stage/dev/whatever and write fixes for the broken stuff from there
4. Keep rebasing the branch against master to keep things unrotted

We recently went through this with Marketplace and that was basically how we got things taken care of. I'd be happy to submit PRs against a branch for this.
Does/did Marketplace use django-waffle? Would be great to waffle the jquery version so we can just merge it to master and only enable it for devs.
Priority: P1 → P2
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Does/did Marketplace use django-waffle? Would be great to waffle the jquery
> version so we can just merge it to master and only enable it for devs.

I'd recommend not doing that. If you're landing fixes to migrate to jQuery 1.9 on master, your users are going to see JS errors (jQuery 1.9 removes things that jQuery 1.4 has). A great example:

foo.live('click', function() {}) // Works in 1.4, errors in 1.9
foo.on('click', function() {})   // Works in 1.9, errors in 1.4

It wouldn't be possible to write a patch (without version sniffing or something equally tainted) that would leave things unbroken for users as well as for developers. The actual migration process is going to be painful if you plan on incrementally pushing out fixes: that's why I'm recommending having a separate branch.
What is the impact of the security issues fixed so we can put a security rating on this bug?
The major fixes involve XSS, but I wouldn't rule out XSRF issues (i.e.: jQuery potentially leaking CSRF tokens). I don't have easy access to all of the release notes for the many versions of jQuery that have been released in the past few years.
Upgrade to jQuery 1.9.1 is now into production.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard