Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#52647 closed defect (bug) (fixed)

Install jQuery via NPM.

Reported by: peterwilsoncc
Owned by: SergeyBiryukov
Milestone: 5.7
Priority: normal
Severity: normal
Version: 5.6
Component: External Libraries
Keywords: commit dev-reviewed
Focuses: javascript

Description

In [45342] WordPress reintroduced a forked version of jQuery 1.12.4 into the WordPress source files to backport an upstream security issue. See #47020.

In [49101] the forked version was replaced with an unmodified version of jQuery 3.5.1. See #50564.

Now that WordPress no longer needs to fork jQuery, it would be good to move it back to NPM and add it as part of the build.

Also related: #37110, #51812

Attachments (2)

52647.diff (1.4 KB) - added by SergeyBiryukov 4 years ago.
52647.2.diff (381.3 KB) - added by SergeyBiryukov 4 years ago.

Change History (9)

@SergeyBiryukov
4 years ago

#1 @SergeyBiryukov
4 years ago

  • Milestone changed from Awaiting Review to 5.8

#2 @SergeyBiryukov
4 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 50445:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Fixes #52647.

#3 follow-up: @desrosj
4 years ago

@SergeyBiryukov Is this worth backporting?

Because 5.7 will become the maintained branch, it would make updating easier should there be a security update upstream.

I don't believe this changes the actual source, just how the files are included.

#4 in reply to: ↑ 3 @SergeyBiryukov
4 years ago

  • Keywords commit dev-feedback added
  • Milestone changed from 5.8 to 5.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to desrosj:

> I don't believe this changes the actual source, just how the files are included.

Right. Yes, I think this can be backported to both 5.6 and 5.7 branches.

#5 @peterwilsoncc
4 years ago

  • Keywords dev-reviewed added; dev-feedback removed

LGTM for backport, testing notes:

  • applied patch to 5.7 branch
  • built and verified jQuery defined
  • cleaned and verified jQuery file removed
  • lack of jQuery in old files is dandy, not removed from build folder.

#6 @peterwilsoncc
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 50457:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Merges [50445] to the 5.7 branch.
Fixes #52647.

#7 @SergeyBiryukov
4 years ago

In 50459:

External Libraries: Install jQuery via NPM.

Previously, jQuery 1.12.4 was added to the WordPress SVN repo in order to backport an upstream security patch from jQuery 3.4.0.

Now that WordPress includes an unmodified version of jQuery 3.5.1 and no longer needs to maintain a fork, it can be removed from the SVN repo and installed via NPM again as part of the build.

Follow-up to [45342], [49101].

Props peterwilsoncc, SergeyBiryukov.
Merges [50445] to the 5.6 branch.
Fixes #52647.
