
Upgrade jQuery UI from 1.9 to 1.11
Closed, DeclinedPublic

Description

jQuery 1.9 uses deprecated jQuery functions such as andSelf() (see T71350). We should upgrade it to 1.11, the current version.

Details

Reference
bz69386

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:37 AM
bzimport set Reference to bz69386.
bzimport added a subscriber: Unknown Object (MLST).

That should say "jQuery UI 1.9...". Sorry.

Lowering priority. jQuery UI 1.9 is considered an LTS, and upgrading to 1.10 or 1.11 will be a major and breaking change since until recently we were on jQuery UI 1.8, and 1.9 introduced a brand new API (keeping support for the UI 1.8 API, but 1.10 drops support for this). There's no reason for us to upgrade right now, and certainly before we've finished the previous migration cycle of jQuery core upgrade and MediaWiki JS deprecations.

(In reply to Ryan Kaldari from comment #0)

jQuery UI 1.9 uses deprecated jQuery functions such as andSelf() (see bug 69350).

This is somewhat incorrect. Though andSelf is indeed deprecated, there are no plans by jQuery to remove it. It isn't part of the rest of jQuery Migrate and was not removed in jQuery core 1.8. In fact it still exists in the latest jQuery 1.11 and jQuery 2.x and thus jQuery UI continues to use it so that they don't have to feature-test andSelf/addBack for old versions.

Please reconsider the priority of this.

JQuery UI 1.9 has not been updated since 2012. Where do you see it marked as "LTS"? It is not being maintained.

JQuery UI 1.9 also has security vulnerabilities that are only fixed in newer versions. Example: CVE-2010-5312

If anything, this task is going to be Declined and instead we'll go ahead with "Remove jQuery UI". But this is troubling.

Krinkle raised the priority of this task from Low to Medium.Dec 8 2014, 12:01 AM
Krinkle updated the task description.
Krinkle added a project: acl*security.
Krinkle set Security to None.
Krinkle changed the visibility from "Public (No Login Required)" to "acl*security (Project)".
Krinkle changed the edit policy from "All Users" to "acl*security (Project)".
Krinkle removed a subscriber: Unknown Object (MLST).

The behaviour change in jQuery UI Dialog in v1.10 (the "title" constructor option now being "text" instead of "html") is hardly a security issue. It having been given a CVE id (CVE-2010-5312) seems a bit of an exaggeration.

It says in the jQuery UI 1.9 API Documentation that dialog/option-title takes any valid HTML string.
http://api.jqueryui.com/1.9/dialog/#option-title

It's only subject to html injection if a consumer (e.g. developer) passes it user input. Which as far as I can see is not the case in our usage. And if we would, we'd naturally escape it first (for it is interpreted as html).
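The distinction in the comment above, as an added example that is not jQuery UI's code and not part of this task: a small model of the two "title" semantics (1.9 inserts the option as HTML, 1.10 as text) and of the consumer-side escaping that makes the 1.9 behaviour safe when the value comes from a user. The function names, the wrapper markup and the two sample titles are assumptions made for the model.

```javascript
// Added example, not jQuery UI code. Models the Dialog "title" option as the
// thread describes it: 1.9 treats the value as HTML, 1.10 as text. The wrapper
// markup and the names below are assumptions for this model.

function escapeHtml(s) {
  // Minimal HTML escaping for text placed inside an element's content.
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

var WRAPPER_OPEN = '<span class="ui-dialog-title">';
var WRAPPER_CLOSE = '</span>';

// 1.9 semantics: the option value lands in the markup verbatim.
function renderTitleAsHtml(title) {
  return WRAPPER_OPEN + title + WRAPPER_CLOSE;
}

// 1.10 semantics: the option value is treated as text and escaped.
function renderTitleAsText(title) {
  return WRAPPER_OPEN + escapeHtml(title) + WRAPPER_CLOSE;
}

// Crude check used by the demo: does the rendered title carry a tag beyond the wrapper?
function injectsMarkup(rendered) {
  var inner = rendered.slice(WRAPPER_OPEN.length, -WRAPPER_CLOSE.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed inputs: a developer-authored title that intentionally uses markup,
// and an attacker-controlled string such as a page or file name.
var trustedTitle = 'Edit <em>summary</em>';
var userTitle = '<img src=x onerror="alert(1)">';

function demo() {
  return {
    trustedHtml: renderTitleAsHtml(trustedTitle),             // intended markup, fine under 1.9
    userHtmlUnescaped: renderTitleAsHtml(userTitle),           // 1.9 + raw user input: injection
    userHtmlEscaped: renderTitleAsHtml(escapeHtml(userTitle)), // 1.9 + consumer escapes first: safe
    userText: renderTitleAsText(userTitle)                     // 1.10: safe regardless of input
  };
}
```

The point the model makes is the one in the comment: under the 1.9 contract the option is HTML by documentation, so the consumer owns the escaping whenever the value is not its own literal, and the 1.10 change only removes that obligation, at the cost of breaking callers that relied on markup in the title.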

Reedy raised the priority of this task from Medium to Needs Triage.Nov 7 2016, 8:53 PM
Reedy triaged this task as Medium priority.
Reedy moved this task from Backlog / Other to Other WMF team on the acl*security board.

@Krinkle: Is there a sufficient reason that this task is access restricted so people cannot find it and file duplicates like https://phabricator.wikimedia.org/T155503 ?

Jdforrester-WMF lowered the priority of this task from Medium to Lowest.Jan 19 2017, 10:54 PM
Jdforrester-WMF added subscribers: Addshore, thiemowmde.

Per Timo's and my comments above.

Adjusted security policy so that WMDE/etc. subscribers can see it.

Many thanks!

This task really should not be secret. @Krinkle Do you object to me making it public again? Does anyone else object?

I had yet another person on IRC asking about this task that they cannot access. Can someone please check if this can be made public? See T71386#824112.

Krinkle changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 30 2019, 12:08 AM
Krinkle changed the edit policy from "Custom Policy" to "All Users".

The version of jQuery UI that we use is public in MediaWiki's Git repository, and also visible via the browser console at $.ui.version. This is not a secret.

This is somewhat incorrect. Though andSelf is indeed deprecated, there are no plans by jQuery to remove it. It isn't part of the rest of jQuery Migrate and was not removed in jQuery core 1.8. In fact it still exists in the latest jQuery 1.11 and jQuery 2.x and thus jQuery UI continues to use it so that they don't have to feature-test andSelf/addBack for old versions.

It has been removed alright.

From 3.0. Which was released a good 18 months after his comment.

Noting Timo's comment is from December 2014. That's 5.5 years ago. Of course it's potentially out of date now, though he's also technically correct that it still exists in jQuery 2.x, by the fact it was removed in 3.0.

We still have andSelf() defined in the latest jQuery, courtesy of jQuery Migrate providing the necessary compatibility alias.

Regardless of this, jQuery UI has been updated years ago not to use the deprecated methods; see Git/jquery.ui/PATCHES.

I'm declining this for now as indeed we will not be upgrading jQuery UI. At this point jQuery UI 1.9 and 1.12 (latest, from 2016) are practically equally abandonware and we have nothing to gain by requiring gadget/extension authors to upgrade their code now when they could be upgrading to e.g. OOUI, Mustache, or plain javascript instead.

Does this mean that "JQMIGRATE: jQuery.fn.andSelf() is deprecated and removed, use jQuery.fn.addBack()" is in fact not a fatal error and doesn't break anything? This error happens when trying to start VFC on betacommons but doesn't occur on production Commons. If this error is not fatal there must be another reason VFC doesn't work on betacommons, so at least the andSelf thing can be ruled out?

Nothing in the warnings from jQuery Migrate is a current fatal error; it's warning you of future fatal errors when we take jQuery Migrate away, which is not currently planned.
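What a Migrate-style compatibility alias does, and why its warning is not itself a fatal error, as an added example rather than jQuery or jQuery Migrate code: a stand-in prototype object models jQuery 3.x (addBack present, andSelf gone), an alias delegating to addBack is installed on it with a warning, and a consumer feature-tests addBack/andSelf the way the thread says jQuery UI avoided doing. fakeJQuery, installMigrateAlias, callAndSelf and selfAndAncestors are names assumed for the model.

```javascript
// Added example, not jQuery or jQuery Migrate code. A minimal stand-in for the
// jQuery prototype, to show what a Migrate-style alias for andSelf() does and
// what happens without it. All names here are assumptions for the model.

var fakeJQuery = { fn: {} };

// Model of a jQuery 3.x prototype: addBack exists, andSelf does not.
fakeJQuery.fn.addBack = function () { return { via: 'addBack' }; };

var warnings = [];

// Model of what jQuery Migrate adds: a working alias that records a warning and
// forwards to addBack, so existing callers keep working.
function installMigrateAlias($) {
  if (!$.fn.andSelf) {
    $.fn.andSelf = function () {
      warnings.push('JQMIGRATE: jQuery.fn.andSelf() is deprecated and removed, use jQuery.fn.addBack()');
      return $.fn.addBack.apply(this, arguments);
    };
  }
}

// Calls andSelf on the given prototype and reports whether it threw.
function callAndSelf($) {
  try {
    return { ok: true, result: $.fn.andSelf.call({}), warnings: warnings.length };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Without Migrate the call throws: this is the future fatal error the warning announces.
var withoutMigrate = callAndSelf(fakeJQuery);

// With Migrate installed the same call succeeds and only logs a warning.
installMigrateAlias(fakeJQuery);
var withMigrate = callAndSelf(fakeJQuery);

// Consumer-side fix that needs neither Migrate nor a specific jQuery version:
// prefer addBack and fall back to andSelf on old cores.
function selfAndAncestors($) {
  return ($.fn.addBack || $.fn.andSelf).call({});
}
```

Running the block leaves withoutMigrate as a TypeError result, withMigrate as a successful call routed through addBack with exactly one JQMIGRATE warning recorded, and selfAndAncestors working without touching the alias at all, which is the migration a gadget author would make before Migrate is ever removed.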