WordPress.org

Make WordPress Core

Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#52647 closed defect (bug) (fixed)

Install jQuery via NPM.

Reported by: peterwilsoncc
Owned by: SergeyBiryukov
Milestone: 5.7
Priority: normal
Severity: normal
Version: 5.6
Component: External Libraries
Keywords: commit dev-reviewed
Focuses: javascript
Cc:

Description

In [45342] WordPress reintroduced a forked version of jQuery 1.12.4 into the WordPress source files to backport an upstream security issue. See #47020.

In [49101] the forked version was replaced with an unmodified version of jQuery 3.5.1. See #50564.

Now that WordPress no longer needs to fork jQuery, it would be good to move it back to NPM and add it as part of the build.

Also related: #37110, #51812

Attachments (2)

52647.diff (1.4 KB) - added by SergeyBiryukov 8 months ago.
52647.2.diff (381.3 KB) - added by SergeyBiryukov 8 months ago.

Change History (9)

#1 @SergeyBiryukov
8 months ago

  • Milestone changed from Awaiting Review to 5.8

#2 @SergeyBiryukov
8 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 50445:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Fixes #52647.

#3 follow-up: @desrosj
8 months ago

@SergeyBiryukov Is this worth backporting?

Because 5.7 will become the maintained branch, it would make updating easier should there be a security update upstream.

I don't believe this changes the actual source, just how the files are included.

#4 in reply to: ↑ 3 @SergeyBiryukov
8 months ago

  • Keywords commit dev-feedback added
  • Milestone changed from 5.8 to 5.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to desrosj:

> I don't believe this changes the actual source, just how the files are included.

Right. Yes, I think this can be backported to both 5.6 and 5.7 branches.

#5 @peterwilsoncc
8 months ago

  • Keywords dev-reviewed added; dev-feedback removed

LGTM for backport, testing notes:

  • applied patch to 5.7 branch
  • built and verified jQuery defined
  • cleaned and verified jQuery file removed
  • lack of jQuery in old files is dandy, not removed from build folder.

#6 @peterwilsoncc
8 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 50457:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Merges [50445] to the 5.7 branch.
Fixes #52647.

#7 @SergeyBiryukov
8 months ago

In 50459:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Merges [50445] to the 5.6 branch.
Fixes #52647.
