Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#50242 closed defect (bug) (reported-upstream)

update jQuery version string in file to confirm not stock 1.12.4?

Reported by: OptimizingMatters
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords:
Focuses:
Cc:


This is a follow-up to #47020.

The security test at (which is now included in the tests) detects jQuery as vulnerable in spite of the security fixes having been backported and results in a big red F for security on the test page.

jQuery is now requested as "wp-includes/js/jquery/jquery.js?ver=1.12.4-wp" but the file itself does not have that "-wp" string appended in the version string, making it harder for tools to see this is not stock jQuery 1.12.4:

/*! jQuery v1.12.4 | (c) jQuery Foundation | | WordPress 2019-05-16 */

updating this into
/*! jQuery v1.12.4-wp | (c) jQuery Foundation | | WordPress 2019-05-16 */

could make it easier for tools such as Snyk to distinguish between patched and vulnerable version?

Change History (7)

#1 @OptimizingMatters
4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Discussed this with Liran Tal at Snyk and they use which does not look at version strings in URL or comments, but uses jQuery's built-in .jquery to retrieve the version string and then removes all non-digits except periods and the plus-sign.



into e.g.


in the minified jQuery code itself works, as the added plusses make the version not match 1.12.4, but I have no idea what the consequences could be as who knows what plugins have JS that checks the jQuery version before doing stuff? :-/

So this might become a wontfix I guess, unless someone sees a solution?

Last edited 4 years ago by OptimizingMatters
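To make the detection behaviour described in comment #1 concrete, the following is an added example (not code from the ticket, from WordPress, or from Snyk's scanner). It models only what the comment states: the scanner reads the runtime version string and strips every character except digits, periods and plus signs before matching. The vulnerable-range cutoff and the sample version strings are constructed assumptions for illustration, not a real advisory, and the normalization helper is a hypothetical stand-in for the real tool.

```javascript
// Added example: models the version-normalization step a scanner applies to
// jQuery.fn.jquery, to show why a "-wp" suffix is invisible to it while a
// "+" suffix breaks the numeric match. Not Snyk's or WordPress's code.

// Keep digits, periods and plus signs; drop everything else (as the comment
// describes). Hypothetical helper, not the scanner's real implementation.
function normalizeVersion(raw) {
  return String(raw).replace(/[^0-9.+]/g, "");
}

// Split a normalized string into numeric components. Any component that is
// not a plain integer (for example "4+") makes the version non-comparable.
function parseNumeric(normalized) {
  const nums = [];
  for (const part of normalized.split(".")) {
    if (!/^\d+$/.test(part)) return null;
    nums.push(parseInt(part, 10));
  }
  return nums;
}

// Lexicographic numeric comparison of two component arrays: -1, 0 or 1.
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed placeholder rule: anything strictly below this is flagged.
// This stands in for the scanner's real advisory data and is not one.
const CONSTRUCTED_FIXED_VERSION = [3, 0, 0];

// Classify a raw jQuery.fn.jquery value the way the modelled scanner would:
// "vulnerable", "not-vulnerable", or "unrecognized" when the normalized
// string cannot be parsed into numeric components.
function classify(rawVersion) {
  const nums = parseNumeric(normalizeVersion(rawVersion));
  if (nums === null) return "unrecognized";
  return compareVersions(nums, CONSTRUCTED_FIXED_VERSION) < 0
    ? "vulnerable"
    : "not-vulnerable";
}

// Constructed sample values of jQuery.fn.jquery, including the suffix
// variants discussed in the ticket.
const SAMPLE_VERSIONS = ["1.12.4", "1.12.4-wp", "1.12.4+wp", "3.5.1"];

// Table of raw value -> normalized value -> classification, for inspection.
function report(versions) {
  return versions.map((v) => ({
    raw: v,
    normalized: normalizeVersion(v),
    result: classify(v),
  }));
}

for (const row of report(SAMPLE_VERSIONS)) {
  console.log(`${row.raw.padEnd(10)} -> ${row.normalized.padEnd(8)} -> ${row.result}`);
}
```

Running this shows "1.12.4-wp" normalizing to exactly "1.12.4", so a backported build is indistinguishable from stock under this rule, whereas "1.12.4+wp" keeps its plus sign and no longer parses as a plain numeric version, which is the effect the comment observes. The lesson for defenders is that a header comment or URL suffix does not change what a fingerprinting scanner sees at runtime; resolving the false positive has to happen at the reporting level, as the thread goes on to discuss.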

#2 @OptimizingMatters
4 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Patrick Meenan on Twitter just announced the security test result will get hidden to avoid said jQuery vulnerability false positive, following up with

At ~40% of all websites, it would be REALLY nice to find a way to get it to work though.

Given the importance of in the web performance optimization world, I fully agree and I will re-open this hoping this can be looked into despite the limitations described earlier.

#3 @peterwilsoncc
4 years ago


I've reached out to a member of the devrel team at Snyk. As other open-source CMS projects patched jQuery 1.12.4 in the same way WordPress did, if the issue can be resolved at a reporting level then it will result in fewer false positives.

I'll keep this open for now but potentially close it as reported-upstream once I hear back.

#4 @whyisjake
4 years ago

/cc @azaozz too.

#5 @OptimizingMatters
4 years ago

Current status: this has been discussed on Twitter yesterday and Snyk will now suppress warning of JS vulns. for WordPress.

This ticket was mentioned in Slack in #core by audrasjb.

4 years ago

#7 @desrosj
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from reopened to closed

I think this can be closed out as it was addressed upstream.
