WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 12 days ago

#37110 new task (blessed)

Update to jQuery 3.*

Reported by: jorbin Owned by:
Milestone: Future Release Priority: normal
Severity: critical Version:
Component: External Libraries Keywords: early has-patch needs-testing needs-dev-note needs-screenshots needs-refresh
Focuses: javascript Cc:

Description

jQuery 3.0 has been released. There are a number of breaking changes and the browser minimums have been updated, so we need to figure out how to handle the update as it won't be the normal straight forward update.

Attachments (11)

37110.diff (398.9 KB) - added by adamsilverstein 2 years ago.
37110.2.diff (494.1 KB) - added by adamsilverstein 2 years ago.
37110.3.diff (532.1 KB) - added by adamsilverstein 2 years ago.
37110.4.diff (189.7 KB) - added by adamsilverstein 22 months ago.
37110.5.diff (370.5 KB) - added by adamsilverstein 16 months ago.
37110.6.diff (4.9 KB) - added by adamsilverstein 15 months ago.
37110.7.diff (14.2 KB) - added by adamsilverstein 15 months ago.
37110.8.diff (13.9 KB) - added by adamsilverstein 15 months ago.
37110.9.diff (4.3 KB) - added by adamsilverstein 15 months ago.
37110.10.diff (1.7 KB) - added by adamsilverstein 14 months ago.
37110.11.diff (7.5 KB) - added by westonruter 14 months ago.


Change History (87)

#1 @jorbin
3 years ago

For part of this, I think we should see if we can make changes to wp-admin so it can support both the 1.12 and 3.0 versions, which will make it easier to eventually switch. This would enable a plugin to provide 3.0 and make it easier for other plugins and themes to test jQuery 3.0. This piece may be worth doing as early as 4.5 (and can be split off to a separate ticket if we think it's worth it).

#2 follow-up: @ocean90
3 years ago

Previously: #24132

#3 in reply to: ↑ 2 @jorbin
3 years ago

Replying to ocean90:

Previously: #24132

The biggest difference between 2.0 and 3.0 and why I think the decision should be different is that 1.x and 2.x were both actively developed while 3.0 is the only actively developed version now. To quote the jQuery 3.0 release post "While the 1.12 and 2.2 branches will continue to receive critical support patches for a time, they will not get any new features or major revisions. jQuery 3.0 is the future of jQuery."

This ticket was mentioned in Slack in #core-customize by helen. View the logs.


3 years ago

#5 @ocean90
3 years ago

#39160 was marked as a duplicate.

#6 @ocean90
3 years ago

  • Summary changed from Update to jQuery 3.0 to Update to jQuery 3.*

#7 @bkerensa
3 years ago

Any chance someone will make a decision in this before 4.8? The benefits of the newer version of jQuery outweigh waiting on a security updates only version of the library.

#8 @Presskopp
2 years ago

FYI: jQuery 3.2.1 Is Now Available (2017-03-20)

#9 @westonruter
2 years ago

  • Keywords needs-patch added
  • Milestone changed from Future Release to 4.9

Is this something someone wants to own for 4.9?

It seems the jquery-migrate plugin has been updated to preserve pre-3.0 behaviors to eliminate or at least minimize breaking changes. Upgrading to jQuery 3.x would involve upgrading jquery-migrate, as well as potentially updating core usage of jQuery to make use of 3.x aspects once to lessen any notice that would be raised.

I'll milestone it to 4.9 for now, but it depends on a contributor to own it. Liable to punt to future release at any time.

#10 @westonruter
2 years ago

  • Keywords early added

In any case, it will need to be committed early in a release cycle to give it time to bake. That would mean in the next couple weeks.

#11 @adamsilverstein
2 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

In 37110.diff:

  • Upgrade jQuery to 3.2.1, upgrade jquery-migrate to 3.0.0

#12 @jorbin
2 years ago

  • Keywords needs-devnote added

When this lands, it should be broadcast loudly.

We also need to remember that core jQuery is included on the frontend of sites and that those may not have dropped support for older versions of IE. If this goes in, we should make sure the themes team and plugins team are notified so that if they need to adjust requirements and recommendations, they can.

We may also want to keep the older version as jquery-legacy or some other similar name to assist plugins/themes that can't upgrade due to browser support requirements.

#13 @adamsilverstein
2 years ago

When this lands, it should be broadcast loudly.

Absolutely!

We may also want to keep the older version as jquery-legacy or some other similar name to assist plugins/themes that can't upgrade due to browser support requirements.

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

In case we do decide to keep it, here is a patch: 37110.2.diff:

  • include current jQuery 1.12.4 with 'jquery-legacy' handle.

#14 @adamsilverstein
2 years ago

Note: Seeing some unit test failures that need addressing after this swap: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/jobs/263633261

#15 @adamsilverstein
2 years ago

37110.3.diff passes tests and clears some warnings; still seeing many warnings and some items not working correctly in customizer that will require more investigation. We may want to upgrade jQuery UI at the same time; several of the warnings I fixed were jQuery UI modules.


#16 @zakkath
2 years ago

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

In terms of a version, I would say probably start thinking about it for 6.0 at the very earliest. Government sites will still need to support old versions of IE (e.g. The Department of Ed's FAFSA site supports IE 7)

#17 @jorbin
2 years ago

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

If we are worried about package size, as long as we can find a place that has the no-conflict by default version, there is precedent for loading from an external site (see: script.aculo.us).

If we add it, I say we keep it forever.

An alternative could be a core recommended "oldQuery" plugin.

#18 @ocean90
23 months ago

  • Keywords needs-dev-note added; needs-devnote removed
  • Milestone changed from 4.9 to Future Release

Punting as we are entering beta.

#19 follow-up: @retlehs
23 months ago

Since it hasn't yet been mentioned in this ticket... the version of jQuery currently in WordPress core has an XSS vulnerability that is over 6 months old:

#20 in reply to: ↑ 19 ; follow-ups: @pento
23 months ago

Replying to retlehs:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

#21 in reply to: ↑ 20 @retlehs
23 months ago

Replying to pento:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

Whoops. Thank you.

#22 @westonruter
23 months ago

While waiting for this to land in core, there is a plugin (which I've not tested) which upgrades jQuery to 3.2.1 (the current version): https://wordpress.org/plugins/jquery-updater/

I suggest any additional changes made in 37110.3.diff be submitted to the GitHub project for wider testing (there are 40k+ active installs): https://github.com/Ramoonus/jQuery-Updater

This will get a very good base of users to test the jQuery upgrade in core.

#23 @Presskopp
23 months ago

@westonruter This plugin is a very basic one, most of its functionality is 2 lines:

wp_deregister_script('jquery');
wp_enqueue_script('jquery', plugins_url('/js/jquery-3.2.1.min.js', __FILE__), false, '3.2.1');

So there's not much to test about it. 2c

#24 @westonruter
23 months ago

@Presskopp yes, so that's why I suggest additional improvements in 37110.3.diff be submitted as PRs. In either case, it provides a way to get users to test with jQuery 3 without forcing them to write a plugin.

#25 in reply to: ↑ 20 @onokazu
22 months ago

Replying to pento:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

That patch seems to have been reverted in jQuery 1.12.4, which is the version WP currently includes.
https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

Also jQuery 1.x and 2.x are officially end of life and no longer receiving patches.
https://github.com/jquery/jquery.com/issues/162


#26 follow-up: @onokazu
22 months ago

Shouldn't this be given a higher priority, since basically the current version of WordPress (including 4.9 beta) contains an older version of a 3rd party library that has officially been unsupported by the vendor and contains an XSS vulnerability that will not be fixed?

It would also be great for plugin/theme developers since Bootstrap 4 will be requiring jQuery 3 and up.

#27 in reply to: ↑ 26 @bkerensa
22 months ago

  • Keywords needs-screenshots added
  • Severity changed from normal to critical

The answer is almost certainly yes but unfortunately WP continues to ship a library with a vulnerability instead of updating it.

Replying to onokazu:

Shouldn't this be given a higher priority, since basically the current version of WordPress (including 4.9 beta) contains an older version of a 3rd party library that has officially been unsupported by the vendor and contains an XSS vulnerability that will not be fixed?

It would also be great for plugin/theme developers since Bootstrap 4 will be requiring jQuery 3 and up.

This ticket was mentioned in Slack in #core by presskopp. View the logs.


22 months ago

#29 @galbaras
22 months ago

Looks like Google is considering WordPress "not best practice" for using a vulnerable library. Just tested my sites with Google Lighthouse and this was flagged and is likely affecting site ranking, albeit slightly.

The severity is "medium", by the way, which is rather scary.

#30 follow-up: @adamsilverstein
22 months ago

37110.4.diff is a build of jQuery with the fix from https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

All unit tests pass: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/builds/299867300

Going to test this out locally, appreciate any additional testing.

This ticket was mentioned in Slack in #themereview by poena. View the logs.


18 months ago

#33 follow-up: @bigcloudmedia
17 months ago

I have clients for whom PCI DSS compliance is a requirement, and in their most recent scan they got flagged for the jQuery library in WP Core, with the instruction to upgrade to 3.0.0 or higher, in order to fix CVE 2015-9251 and CVE 2016-10707. Is there any way to fast track this change so that other people with similar requirements don't get stuck?

#34 in reply to: ↑ 33 @zakkath
17 months ago

Replying to bigcloudmedia:

I have clients for whom PCI DSS compliance is a requirement, and in their most recent scan they got flagged for the jQuery library in WP Core, with the instruction to upgrade to 3.0.0 or higher, in order to fix CVE 2015-9251 and CVE 2016-10707. Is there any way to fast track this change so that other people with similar requirements don't get stuck?

You might want to implement a plugin that de-registers jquery in WordPress and re-registers it either with a CDN copy of jQuery v3.x or include a copy with the plugin. That will get them compliant in that regard ASAP.

It is odd to note that there does not seem to be much movement on this issue. @adamsilverstein put out a patch for testing and that was the last thing... 4 months ago.

#35 @adamsilverstein
17 months ago

#43694 was marked as a duplicate.

#36 @dmethvin
17 months ago

Where can the jQuery core team help with this? Are there things in WordPress core that require the older jQuery and/or jQuery Migrate? If so can we help with those changes or with testing? Ideally WordPress would be on jQuery 3+ and not need the Migrate plugin because it introduces behavior that isn't the norm for the version of jQuery being used.

#37 @adamsilverstein
17 months ago

@dmethvin Thanks for your offer of help. The biggest thing we can use help with is testing and explaining the changes to developers.

I think the biggest concern preventing this from landing is maintaining backwards compatibility, especially since jQuery is often enqueued on the front end as @jorbin pointed out. Nevertheless, WordPress 5.0 will already be our biggest breaking change ever, and updating jQuery at the same time makes sense to me. I'm going to refresh this patch with the latest version of jQuery and hopefully land this soon in trunk.

#38 @adamsilverstein
16 months ago

37110.5.diff includes the latest jquery and jquery migrate (plus other changes from 37110.3.diff) - some tests are failing, I'll work on getting those fixed.


This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


16 months ago

This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


15 months ago

#41 @adamsilverstein
15 months ago

37110.5.diff - update jquery & jquery ui versions in packages.json since we now have a build process for these files

This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


15 months ago

#43 @LittleBigThing
15 months ago

Hi Adam,

I think that

wp.customize.on( 'ready', function() {

in customize-controls.js should be

$(wp.customize).ready( function() {

The .on( "ready", fn) seems to have been removed from jQuery 3.0: https://jquery.com/upgrade-guide/3.0/#breaking-change-on-quot-ready-quot-fn-removed

#44 @LittleBigThing
15 months ago

Also, you don't need to change it in src/wp-admin/includes/class-wp-internal-pointers.php on line 140

#46 in reply to: ↑ 45 @netweb
15 months ago

Replying to adamsilverstein:

in 37110.9.diff i started from scratch - three tests are still failing; see https://travis-ci.org/adamsilverstein/wordpress-develop-fork/jobs/392319225

I didn't get any QUnit errors testing 37110.9.diff locally.

#47 @adamsilverstein
14 months ago

37110.10.diff includes only the upgrade on jquery and jquery migrate. after installing this patch (and running npm install && npm build), the only notable failure is the customizer menus section, which fails to properly load the 'add new' panel.

Steps to reproduce:

  • open customizer->menus->add new
  • note that the panel opens but is blank, the fields to add the new menu are missing

other sections of the customizer work fine, adding menus on the regular screen works fine. other customizer sections work fine. I do see some qunit test failing as well: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/jobs/393334653

i have spent many hours trying to track down what is failing to initialize but have yet to discover the underlying cause. given jquery migrate, i would have expected warnings but no errors/failures. I do see many migrate warnings and have handled these in another branch, but none of these changes fixed the menus issue.

My hunch is that the failure is due to changes in the way jQuery implements Promises and the ready event, although there are numerous breaking changes. I have searched thru the codebase for usages without any success: https://jquery.com/upgrade-guide/3.0/#breaking-change-document-ready-handlers-are-now-asynchronous

@westonruter when you have a chance, can you test this patch out and see if anything pops out as a possible cause for the issue? Thanks in advance!

This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


14 months ago

#49 @westonruter
14 months ago

What little progress I may have made is in 37110.11.diff:

  • Update versions in script-loader.php
  • Introduce wp.customize.ready() for providing an interface to boot the controls logic at DOMContentLoaded.
  • Switch from jQuery(window).load() to jQuery(window).on('load') in tests.

The issue with nav menus is not fixed still. Also, there are 4 failing QUnit assertions still, including tests for:

  • Dynamically-created Customizer Control Model: Associating a control with a section allows it to be embedded
  • Customize Sections: wp.customize.OuterSection: Test OuterSection
  • Customize Nav Menus: changing a MenuNameControl change the corresponding menu value

#50 @adamsilverstein
14 months ago

Thanks for giving it a pass @westonruter!

#51 in reply to: ↑ 30 @markgoho
14 months ago

Replying to adamsilverstein:

37110.4.diff is a build of jQuery with the fix from https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

All unit tests pass: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/builds/299867300

Going to test this out locally, appreciate any additional testing.

Adam, is this in the current 4.x build of WordPress or is this something for 5.0?


#52 follow-up: @Presskopp
14 months ago

@markgoho Milestone is 'Future Release' - smells like 5.0

#53 in reply to: ↑ 52 @markgoho
14 months ago

Replying to Presskopp:

@markgoho Milestone is 'Future Release' - smells like 5.0

Ahh good call, I was having trouble figuring out where this patch had been applied.

So, to summarize: 4.x is still shipping with the insecure version of jQuery.

#54 @dmethvin
14 months ago

@adamsilverstein @westonruter Sorry I haven't checked in for a while but I'd love to help you track this down. What's the fastest way to test this, assuming I don't have a local WordPress setup right now?

#55 follow-up: @adamsilverstein
14 months ago

@dmethvin Thank you for your interest in contributing here.

At this point since we haven't merged to core you need to get a setup locally that lets you apply the latest patch uploaded to this ticket.

This is hopefully still a good place to start: https://developer.wordpress.org/themes/getting-started/setting-up-a-development-environment/ and I also know products like "Local by Flywheel" aim to make spinning up local WordPress installs painless.

Once you have a local setup, here are some instructions on testing a patch: https://make.wordpress.org/core/handbook/testing/patch/

Let me know if you have any trouble or further questions.

#56 @adamsilverstein
14 months ago

@markgoho -

To summarize, we are still working on getting WordPress ready for jQuery 3 - ensuring the upgrade doesn't break core and also letting developers know how to upgrade their own code - help greatly appreciated!

#57 in reply to: ↑ 55 ; follow-up: @dmethvin
13 months ago

Hey Adam, I've had no problems getting the production WordPress 4.9.7 installed, but cloning the dev repo at https://develop.svn.wordpress.org/ has taken more than 24 hours via git svn and from what I could gather from the docs this was the first step. Is there a better way to get a testing env set up? I got stuck on https://make.wordpress.org/core/handbook/testing/beta/ . This is on Windows BTW.

#58 @DavidAnderson
13 months ago

@dmethvin If you're just wanting to test out a patch (rather than wanting to set up a Git repo with full history that tracks the SVN repo), then you should just do an ordinary SVN checkout; or, download the nightly zip: https://wordpress.org/nightly-builds/wordpress-latest.zip

This ticket was mentioned in Slack in #forums by jcastaneda. View the logs.


12 months ago

#60 @daverobinsonpw
12 months ago

I appreciate that an update to jQuery 3 is challenging, especially when considering plugin support as well.
Given that, is it worth splitting out a separate ticket covering a mitigation for the exploit from https://github.com/jquery/jquery/issues/2432 and leaving this one to cover the full jQuery update?
It appears that @adamsilverstein has produced something for the mitigation in comment:30

FWIW this is the approach that was taken for Drupal 7 ( and backported to D6 via the lts program)

#61 @adamsilverstein
12 months ago

Wondering if it would be possible to ship the new versions of jQuery/UI on a new script handle? jquery3?

then continue by getting the default themes to use the new version if they use jQuery. Then we can patch the older version and continue using it in wp-admin until we can upgrade or deprecate its use entirely. What happens when a page enqueues old and new versions or how do we handle that?

#62 in reply to: ↑ 57 @iandunn
12 months ago

Replying to dmethvin:

cloning the dev repo [...] has taken more than 24 hours via git svn

I'm guessing you've worked around that by now, but for anyone else who runs into the same problem, the best way is probably to use the Git mirror directly:

git clone git://develop.git.wordpress.org/

...or the unsupported GitHub mirror at https://github.com/WordPress/wordpress-develop

If you prefer git-svn, though, then the log-window-size param will speed things up a lot:

git svn clone https://develop.svn.wordpress.org/ --log-window-size=50000

It's still fairly slow, though, that's just the nature of git svn clone.

#63 @Clorith
11 months ago

#45015 was marked as a duplicate.

#64 @remzicavdar
10 months ago

Guys, if we upgrade to jQuery 3, we should also do this in the footer or in the header with defer.
Using document ready is necessary for this in your scripts. See my error report: https://core.trac.wordpress.org/ticket/45130

//I don't know what the difference is between jQuery.noConflict(); and $.noConflict();


jQuery(function( $ ) {
   // $ Works! You can test it with next line if you like
   // console.log($);
});

See: https://api.jquery.com/ready/ and https://api.jquery.com/jquery.noconflict/

Edit: I made a WP plugin to deal with these problems in the short term: https://wordpress.org/plugins/jquery-manager/ and GitHub repo: https://github.com/Remzi1993/jquery-manager


#65 @swissspidy
10 months ago

#45310 was marked as a duplicate.

#66 @chriscct7
7 months ago

#45953 was marked as a duplicate.

This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


7 months ago

#68 @pento
7 months ago

#45953 was marked as a duplicate.

#69 @tw0flower
5 months ago

I have witnessed a malware in a jquery.js file a few days ago, on a website that uses WordPress. The installation was up-to-date, on the 4.x branch. This malware is believed to have allowed the attacker to steal credit card and personal information.

The original attack vector, which allowed this malware to be here, probably wasn't jQuery. However, it shows us how damaging a hole in this library is: the attacker has access to everything the user does, because it is loaded in every WordPress page.

I understand this is not an easy fix, but I believe security should have priority over backward plugin compatibility.

This ticket was mentioned in Slack in #core by jorbin. View the logs.


5 months ago

This ticket was mentioned in Slack in #core by clorith. View the logs.


4 months ago

#73 @remzicavdar
7 weeks ago

Is this still being worked on? I mean don't get me wrong, this ticket is already 3 years old.
I'm just a little bit worried. I know there is a lot to do, but it seems to me that this is an important switch, because officially jQuery 1.x and 2.x are not supported anymore.

EDIT:
I think if this needs to be implemented in a backward compatible way, it could be done like the image below:
https://i.ibb.co/VS6FSR2/screenshot-1.png
https://i.ibb.co/4R2S0Nz/screenshot-2.png


#74 follow-up: @kevindaum
4 weeks ago

Trustwave, who certifies my PCI status, has been failing me for a few months now due to this old version of jquery:

jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability

https://www.evernote.com/l/AAE9aSM1l_1FTak5HMGPKnXFcC6kk4-Pl6I

#75 in reply to: ↑ 74 @bigcloudmedia
4 weeks ago

Replying to kevindaum:

Trustwave, who certifies my PCI status, has been failing me for a few months now due to this old version of jquery:

jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability

https://www.evernote.com/l/AAE9aSM1l_1FTak5HMGPKnXFcC6kk4-Pl6I

I've been dealing with similar issues from ControlScan. Here's a bit that fixes the XSS hole:

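<?php
// Enqueue security_fix.js (content below) after core jQuery on the front end.
// The path logic assumes this file is the plugin's index.php and that the
// script lives in a js/ directory next to it.
function bcm_jquery_security_fix() {
    $js_path = str_replace('index.php', 'js', __FILE__);
    $js_url  = str_replace(ABSPATH, get_bloginfo('url') . '/', $js_path);

    wp_register_script(
        'pci_security_fix',
        $js_url . '/security_fix.js',
        array('jquery')
    );

    // Enqueue the same handle that was registered above; a different
    // handle here means the script is never loaded.
    wp_enqueue_script('pci_security_fix');
}

add_action('wp_enqueue_scripts', 'bcm_jquery_security_fix');

// security_fix.js content

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
    if ( s.crossDomain ) {
        s.contents.script = false;
    }
});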

To finish appeasing the scanners I also had to use jQuery Updater (https://wordpress.org/plugins/jquery-updater/) and write a supplementary plugin that deregistered the jQuery UI components and re-registered the latest version of it:

<?php
function bcm_jquery_updater() {
    // Front end only; wp-admin keeps the bundled jQuery UI.
    if (!is_admin()) {
        // Deregister UI jQuery
        wp_deregister_script('jquery-ui-core');
        wp_deregister_script('jquery-ui-widget');
        wp_deregister_script('jquery-ui-mouse');
        wp_deregister_script('jquery-ui-draggable');
        wp_deregister_script('jquery-ui-slider');
        wp_deregister_script('jquery-touch-punch');
        wp_deregister_script('iris');
        // Register
        wp_enqueue_script('jquery-ui-core', plugins_url('/js/jquery-ui-1.12.1.min.js', __FILE__), false, '1.12.1');
        // Dependencies must be passed as an array, otherwise they are ignored.
        wp_enqueue_script('iris', get_bloginfo('url') . '/wp-admin/js/iris.min.js', array('jquery-ui-core'));
    }
}

add_action('wp_enqueue_scripts', 'bcm_jquery_updater');
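
Why the `ajaxPrefilter` in the comment above satisfies the scanners, as an added example that is not part of the ticket and is not jQuery source: a simplified model of Content-Type sniffing for requests made without a `dataType`. The function names, the `shop.example`/`other.example` origins and the sniffing table (modelled on jQuery's default `contents` map) are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration: how an ajax layer that
// sniffs Content-Type decides what to do with a response body when the
// caller passed no dataType. This is not jQuery source code.

// Sniffing table modelled on jQuery's default `contents` map (assumption).
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/
  };
}

// Per-request settings as they look before any prefilter runs.
function buildSettings(url, pageOrigin, dataType) {
  return {
    url: url,
    dataType: dataType || null,
    crossDomain: new URL(url, pageOrigin).origin !== pageOrigin,
    contents: defaultContents()
  };
}

// The mitigation from the comment above (gh-2432): for cross-domain
// requests, stop "script" from being inferred from the response header.
function securityPrefilter(s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
}

// An explicit dataType wins; otherwise the first matching sniffer decides.
function inferDataType(s, contentType) {
  if (s.dataType) return s.dataType;
  for (const type of Object.keys(s.contents)) {
    if (s.contents[type] && s.contents[type].test(contentType)) return type;
  }
  return "text";
}

// True when the body would be handed to the script converter (evaluated).
function wouldExecute(url, contentType, opts) {
  const s = buildSettings(url, opts.pageOrigin, opts.dataType);
  if (opts.prefilter) securityPrefilter(s);
  return inferDataType(s, contentType) === "script";
}

// Constructed sample requests issued from a page on https://shop.example.
const PAGE = "https://shop.example";
const JS_TYPE = "text/javascript; charset=utf-8";

function runCases() {
  return {
    // No dataType, cross-domain, no prefilter: the response header alone
    // turns the body into executed script.
    crossDomainUnpatched: wouldExecute("https://other.example/feed", JS_TYPE,
      { pageOrigin: PAGE, prefilter: false }),
    // Same request with the prefilter installed: treated as plain text.
    crossDomainPatched: wouldExecute("https://other.example/feed", JS_TYPE,
      { pageOrigin: PAGE, prefilter: true }),
    // Same-origin requests are untouched by the prefilter.
    sameOriginPatched: wouldExecute("/wp-admin/admin-ajax.php", JS_TYPE,
      { pageOrigin: PAGE, prefilter: true }),
    // Callers that explicitly ask for a script still get one.
    explicitScriptPatched: wouldExecute("https://other.example/lib.js", JS_TYPE,
      { pageOrigin: PAGE, prefilter: true, dataType: "script" })
  };
}

console.log(runCases());
```

The same four cases make a useful regression check when testing a patched 1.12.x build against a 3.x build: only the cross-domain, no-`dataType` case should change behaviour.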

This ticket was mentioned in Slack in #core-js by adamsilverstein. View the logs.


12 days ago
