jQuery 1.9 uses deprecated jQuery functions such as andSelf() (see T71350). We should upgrade it to 1.11, the current version.
Details
- Reference
- bz69386
Event Timeline
Lowering priority. jQuery UI 1.9 is considered an LTS, and upgrading to 1.10 or 1.11 will be a major and breaking change since until recently we were on jQuery UI 1.8, and 1.9 introduced a brand new API (keeping support for the UI 1.8 API, but 1.10 drops support for this). There's no reason for us to upgrade right now, and certainly before we've finished the previous migration cycle of jQuery core upgrade and MediaWiki JS deprecations.
(In reply to Ryan Kaldari from comment #0)
jQuery UI 1.9 uses deprecated jQuery functions such as andSelf() (see bug 69350).
This is somewhat incorrect. Though andSelf is indeed deprecated, there are no plans by jQuery to remove it. It isn't part of the rest of jQuery Migrate and was not removed in jQuery core 1.8. In fact it still exists in the latest jQuery 1.11 and jQuery 2.x and thus jQuery UI continues to use it so that they don't have to feature-test andSelf/addBack for old versions.
Please reconsider the priority of this.
jQuery UI 1.9 has not been updated since 2012. Where do you see it marked as "LTS"? It is not being maintained.
jQuery UI 1.9 also has security vulnerabilities that are only fixed in newer versions. Example: CVE-2010-5312
If anything, this task is going to be Declined and instead we'll go ahead with "Remove jQuery UI". But this is troubling.
The behaviour change in jQuery UI Dialog in v1.10 (the "title" constructor option now being "text" instead of "html") is hardly a security issue. It having been given a CVE id (CVE-2010-5312) seems a bit of an exaggeration.
It says in the jQuery UI 1.9 API Documentation that dialog/option-title takes any valid HTML string.
http://api.jqueryui.com/1.9/dialog/#option-title
It's only subject to html injection if a consumer (e.g. developer) passes it user input. Which as far as I can see is not the case in our usage. And if we would, we'd naturally escape it first (for it is interpreted as html).
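Modelling the behaviour change discussed above, as an added example that is not part of the task or of jQuery UI's own code: the dialog "title" option is inserted as HTML in 1.9 and as text in 1.10, so a consumer passing untrusted input must escape it on 1.9 and must stop pre-escaping after the upgrade. The two render functions are assumptions that model the option handling with plain strings; they are not jQuery UI's implementation.

```javascript
// Minimal HTML escaper (assumption: stands in for whatever escaping a
// caller would apply before handing untrusted text to an HTML-typed option).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const WRAP_OPEN = '<span class="ui-dialog-title">';
const WRAP_CLOSE = '</span>';

// Modelled jQuery UI 1.9 behaviour: the title option is inserted as HTML.
function renderTitle19(title) {
  return WRAP_OPEN + title + WRAP_CLOSE;
}

// Modelled jQuery UI 1.10+ behaviour: the title option is inserted as text,
// i.e. the widget escapes it itself.
function renderTitle110(title) {
  return WRAP_OPEN + escapeHtml(title) + WRAP_CLOSE;
}

// Check used by the assertions below: does the rendered title carry any
// markup apart from the wrapper span? That is the injection condition.
function containsInjectedMarkup(html) {
  const inner = html.slice(WRAP_OPEN.length, -WRAP_CLOSE.length);
  return /<[a-zA-Z/!]/.test(inner);
}

// Constructed sample: a title built from user-supplied text.
const untrusted = 'Results for <b>query</b>';

// 1.9: raw user input becomes markup; escaping first prevents that.
const unsafe19 = renderTitle19(untrusted);
const safe19 = renderTitle19(escapeHtml(untrusted));

// 1.10: the widget escapes, so raw input is safe, but a caller that kept
// pre-escaping now shows literal entities in the title (the breaking change).
const safe110 = renderTitle110(untrusted);
const doubleEscaped110 = renderTitle110(escapeHtml(untrusted));
```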
@Krinkle: Is there a sufficient reason that this task is access restricted so people cannot find it and file duplicates like https://phabricator.wikimedia.org/T155503?
This task really should not be secret. @Krinkle Do you object to me making it public again? Does anyone else object?
I had yet another person on IRC asking about this task that they cannot access. Can someone please check if this can be made public? See T71386#824112.
The version of jQuery UI that we use is public in MediaWiki's Git repository, and also visible via the browser console at $.ui.version. This is not a secret.
From 3.0. Which was released a good 18 months after his comment.
Noting Timo's comment is from December 2014. That's 5.5 years ago. Of course it's potentially out of date now, though he's also technically correct that it still exists in jQuery 2.x, by the fact it was removed in 3.0
We still have andSelf() defined in the latest jQuery, courtesy of jQuery Migrate providing the necessary compatibility alias.
Regardless of this, jQuery UI has been updated years ago not to use the deprecated methods; see Git/jquery.ui/PATCHES.
I'm declining this for now as indeed we will not be upgrading jQuery UI. At this point jQuery UI 1.9 and 1.12 (latest, from 2016) are practically equally abandonware and we have nothing to gain by requiring gadget/extension authors to upgrade their code now when they could be upgrading to e.g. OOUI, Mustache, or plain JavaScript instead.
Does this mean that "JQMIGRATE: jQuery.fn.andSelf() is deprecated and removed, use jQuery.fn.addBack()" is in fact not a fatal error and doesn't break anything? This error happens when trying to start VFC on betacommons but doesn't occur on production Commons. If this error is not fatal there must be another reason VFC doesn't work on betacommons, so at least the andSelf thing can be ruled out?
Nothing in the warnings from jQuery Migrate is a current fatal error; it's warning you of future fatal errors when we take jQuery Migrate away, which is not currently planned.