Make WordPress Core

Opened 18 months ago

Last modified 2 weeks ago

#37110 new task (blessed)

Update to jQuery 3.*

Reported by: jorbin
Owned by:
Milestone: Future Release
Priority: normal
Severity: critical
Version:
Component: External Libraries
Keywords: early has-patch needs-testing needs-dev-note needs-screenshots
Focuses: javascript
Cc:

Description

jQuery 3.0 has been released. There are a number of breaking changes and the browser minimums have been updated, so we need to figure out how to handle the update, as it won't be the normal straightforward update.

Attachments (4)

37110.diff (398.9 KB) - added by adamsilverstein 3 months ago.
37110.2.diff (494.1 KB) - added by adamsilverstein 3 months ago.
37110.3.diff (532.1 KB) - added by adamsilverstein 3 months ago.
37110.4.diff (189.7 KB) - added by adamsilverstein 2 weeks ago.


Change History (34)

#1 @jorbin
18 months ago

For part of this, I think we should see if we can make changes to wp-admin so it can support both the 1.12 and 3.0 versions, which will make it easier to eventually switch. This would enable a plugin to provide 3.0 and make it easier for other plugins and themes to test jQuery 3.0. This piece may be worth doing as early as 4.5 (and can be split off to a separate ticket if we think it's worth it).

#2 follow-up: @ocean90
18 months ago

Previously: #24132

#3 in reply to: ↑ 2 @jorbin
18 months ago

Replying to ocean90:

Previously: #24132

The biggest difference between 2.0 and 3.0 and why I think the decision should be different is that 1.x and 2.x were both actively developed while 3.0 is the only actively developed version now. To quote the jQuery 3.0 release post "While the 1.12 and 2.2 branches will continue to receive critical support patches for a time, they will not get any new features or major revisions. jQuery 3.0 is the future of jQuery."

This ticket was mentioned in Slack in #core-customize by helen.
15 months ago

#5 @ocean90
12 months ago

#39160 was marked as a duplicate.

#6 @ocean90
12 months ago

  • Summary changed from Update to jQuery 3.0 to Update to jQuery 3.*

#7 @bkerensa
12 months ago

Any chance someone will make a decision on this before 4.8? The benefits of the newer version of jQuery outweigh waiting on a security-updates-only version of the library.

#8 @Presskopp
8 months ago

FYI: jQuery 3.2.1 Is Now Available (2017-03-20)

#9 @westonruter
4 months ago

  • Keywords needs-patch added
  • Milestone changed from Future Release to 4.9

Is this something someone wants to own for 4.9?

It seems the jquery-migrate plugin has been updated to preserve pre-3.0 behaviors to eliminate or at least minimize breaking changes. Upgrading to jQuery 3.x would involve upgrading jquery-migrate, as well as potentially updating core usage of jQuery to make use of 3.x aspects so as to lessen any notices that would be raised.

I'll milestone it to 4.9 for now, but it depends on a contributor to own it. Liable to punt to future release at any time.

#10 @westonruter
4 months ago

  • Keywords early added

In any case, it will need to be committed early in a release cycle to give it time to bake. That would mean in the next couple weeks.

#11 @adamsilverstein
3 months ago

  • Keywords has-patch needs-testing added; needs-patch removed

In 37110.diff:

  • Upgrade jQuery to 3.2.1, upgrade jquery-migrate to 3.0.0

#12 @jorbin
3 months ago

  • Keywords needs-devnote added

When this lands, it should be broadcast loudly.

We also need to remember that core jQuery is included on the frontend of sites and that those may not have dropped support for older versions of IE. If this goes in, we should make sure the themes team and plugins team are notified so that if they need to adjust requirements and recommendations, they can.

We may also want to keep the older version as jquery-legacy or some other similar name to assist plugins/themes that can't upgrade due to browser support requirements.

#13 @adamsilverstein
3 months ago

When this lands, it should be broadcast loudly.

Absolutely!

We may also want to keep the older version as jquery-legacy or some other similar name to assist plugins/themes that can't upgrade due to browser support requirements.

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

In case we do decide to keep it, here is a patch: 37110.2.diff:

  • include current jQuery 1.12.4 with 'jquery-legacy' handle.

#14 @adamsilverstein
3 months ago

Note: Seeing some unit test failures that need addressing after this swap: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/jobs/263633261

#15 @adamsilverstein
3 months ago

37110.3.diff passes tests and clears some warnings; still seeing many warnings and some items not working correctly in the customizer that will require more investigation. We may want to upgrade jQuery UI at the same time; several of the warnings I fixed were in jQuery UI modules.


#16 @zakkath
3 months ago

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

In terms of a version, I would say probably start thinking about it for 6.0 at the very earliest. Government sites will still need to support old versions of IE (e.g. The Department of Ed's FAFSA site supports IE 7)

#17 @jorbin
3 months ago

Not sure about this - I wonder how many plugins/themes really need this? What about maintaining the additional file and the increase in the overall package size? How long do we keep it around?

If we are worried about package size, as long as we can find a place that has the no-conflict-by-default version, there is precedent for loading from an external site (see: script.aculo.us).

If we add it, I say we keep it forever.

An alternative could be a core recommended "oldQuery" plugin.

#18 @ocean90
7 weeks ago

  • Keywords needs-dev-note added; needs-devnote removed
  • Milestone changed from 4.9 to Future Release

Punting as we are entering beta.

#19 follow-up: @retlehs
7 weeks ago

Since it hasn't yet been mentioned in this ticket... the version of jQuery currently in WordPress core has an XSS vulnerability that is over 6 months old:

#20 in reply to: ↑ 19 ; follow-ups: @pento
7 weeks ago

Replying to retlehs:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

#21 in reply to: ↑ 20 @retlehs
7 weeks ago

Replying to pento:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

Whoops. Thank you.

#22 @westonruter
7 weeks ago

While waiting for this to land in core, there is a plugin (which I've not tested) which upgrades jQuery to 3.2.1 (the current version): https://wordpress.org/plugins/jquery-updater/

I suggest any additional changes made in 37110.3.diff be submitted to the GitHub project for wider testing (there are 40k+ active installs): https://github.com/Ramoonus/jQuery-Updater

This will get a very good base of users to test the jQuery upgrade in core.

#23 @Presskopp
7 weeks ago

@westonruter This plugin is a very basic one; most of its functionality is 2 lines:

wp_deregister_script('jquery');
wp_enqueue_script('jquery', plugins_url('/js/jquery-3.2.1.min.js', __FILE__), false, '3.2.1');

So there's not much to test about it. 2c

#24 @westonruter
7 weeks ago

@Presskopp yes, so that's why I suggest additional improvements in 37110.3.diff be submitted as PRs. In either case, it provides a way to get users to test with jQuery 3 without forcing them to write a plugin.
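The approach in #23, extended to the 'jquery-legacy' handle and the jquery-migrate dependency discussed in #12 and #13, as an added example that is not the jquery-updater plugin's code or a core patch. The js/ file names are assumptions about what such a plugin would bundle.

```php
<?php
/*
 * Plugin Name: jQuery 3 test loader (constructed example)
 *
 * Assumed to ship js/jquery-3.2.1.min.js, js/jquery-migrate-3.0.0.min.js and
 * js/jquery-1.12.4.min.js in this plugin's directory (hypothetical paths).
 */

// Front end only: wp_deregister_script() refuses to drop 'jquery' and friends
// inside wp-admin (it raises _doing_it_wrong), so this swap cannot reach the
// admin screens the core patch would have to cover.
add_action( 'wp_enqueue_scripts', 'jq3_test_register_scripts', 0 );

function jq3_test_register_scripts() {
	// Remove core's bundled 1.12.x registrations so the handles can be redefined.
	wp_deregister_script( 'jquery' );
	wp_deregister_script( 'jquery-core' );
	wp_deregister_script( 'jquery-migrate' );

	// Core's layout is kept: 'jquery' is an alias handle (no src of its own) that
	// depends on 'jquery-core', with 'jquery-migrate' as a second dependency.
	wp_register_script(
		'jquery-core',
		plugins_url( 'js/jquery-3.2.1.min.js', __FILE__ ),
		array(),
		'3.2.1'
	);
	wp_register_script(
		'jquery-migrate',
		plugins_url( 'js/jquery-migrate-3.0.0.min.js', __FILE__ ),
		array( 'jquery-core' ),
		'3.0.0'
	);

	// jquery-migrate logs every pre-3.0 behaviour it restores to the console, which
	// is how plugin/theme breakage is found; load it only when debugging scripts.
	$deps = array( 'jquery-core' );
	if ( defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG ) {
		$deps[] = 'jquery-migrate';
	}
	wp_register_script( 'jquery', false, $deps, '3.2.1' );

	// Separate handle for the old branch, for code that cannot move off 1.x yet.
	wp_register_script(
		'jquery-legacy',
		plugins_url( 'js/jquery-1.12.4.min.js', __FILE__ ),
		array(),
		'1.12.4'
	);
}
```

Themes or plugins that opt into the old branch enqueue 'jquery-legacy' explicitly; everything depending on 'jquery' gets 3.2.1.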

#25 in reply to: ↑ 20 @onokazu
5 weeks ago

Replying to pento:

That security issue was backported to the jQuery 1 branch (commit), and was released in jQuery 1.12.3. WordPress 4.5 included this update, added in [37164].

That patch seems to have been reverted in jQuery 1.12.4, which is the version WP currently includes.
https://github.com/jquery/jquery/commit/cfe830eefdd7f1e7cb87e9841d1d732d6d99ffae

Also jQuery 1.x and 2.x are officially end of life and no longer receiving patches.
https://github.com/jquery/jquery.com/issues/162


#26 follow-up: @onokazu
3 weeks ago

Shouldn't this be given a higher priority, since basically the current version of WordPress (including 4.9 beta) contains an older version of a 3rd party library that has officially been unsupported by the vendor and contains an XSS vulnerability that will not be fixed?

It would also be great for plugin/theme developers since Bootstrap 4 will be requiring jQuery 3 and up.

#27 in reply to: ↑ 26 @bkerensa
3 weeks ago

  • Keywords needs-screenshots added
  • Severity changed from normal to critical

The answer is almost certainly yes but unfortunately WP continues to ship a library with a vulnerability instead of updating it.

Replying to onokazu:

Shouldn't this be given a higher priority, since basically the current version of WordPress (including 4.9 beta) contains an older version of a 3rd party library that has officially been unsupported by the vendor and contains an XSS vulnerability that will not be fixed?

It would also be great for plugin/theme developers since Bootstrap 4 will be requiring jQuery 3 and up.

This ticket was mentioned in Slack in #core by presskopp.
3 weeks ago

#29 @galbaras
2 weeks ago

Looks like Google is considering WordPress "not best practice" for using a vulnerable library. Just tested my sites with Google Lighthouse and this was flagged and is likely affecting site ranking, albeit slightly.

The severity is "medium", by the way, which is rather scary.

#30 @adamsilverstein
2 weeks ago

37110.4.diff is a build of jQuery with the fix from https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

All unit tests pass: https://travis-ci.org/adamsilverstein/wordpress-develop-fork/builds/299867300

Going to test this out locally, appreciate any additional testing.
