alphagov / govuk_frontend_toolkit

❗️GOV.UK Frontend Toolkit is deprecated, and will only receive major bug fixes and security patches.
MIT License

Issue using Frontend Toolkit after updating to jQuery 3.x #443

Closed eserkansozer closed 6 years ago

eserkansozer commented 6 years ago

When I upgraded to jQuery version 3, I started to get the following error in stop-scrolling-at-footer.js:

```
jquery.min.js:2 Uncaught TypeError: e.indexOf is not a function
    at w.fn.init.w.fn.load (jquery.min.js:2)
    at stop-scrolling-at-footer.js:136
    at stop-scrolling-at-footer.js:138
```

Previous versions of jQuery did not cause this.

NickColley commented 6 years ago

Hello @eserkansozer !

We currently only have code that supports version jQuery 1.x.

jQuery version 3.x+ is two breaking releases ahead so the current code is very likely to not work with this version.

We have not updated to jQuery 3.x since it does not cover the browsers / devices as listed in the Service Manual (https://www.gov.uk/service-manual/technology/designing-for-different-browsers-and-devices#browsers-to-test-in)

I'm going to share this with the Frontend Community and also the GOV.UK Design System (who owns this 'product' at GDS), and we'll figure out the best way to move forwards.

In the meantime, my understanding about this vulnerability is that is related to jQuery's AJAX functionality, so if your service is not using this you may be okay.

For more info about this vulnerability see https://snyk.io/vuln/npm:jquery:20150627

frankieroberto commented 6 years ago

Now might be a good time to start removing the jQuery dependency instead?

36degrees commented 6 years ago

I am concerned we're going to go off on a bit of a tangent here that is not helpful to resolving the original issue. Can we start another issue if we want to discuss removing jQuery as a dependency?

@eserkansozer I think @nickcolley mostly covered it, but upgrading to jQuery 3 will cause issues for users of your service using older browsers. Assuming you're trying to upgrade in response to CVE-2015-9251, I would suggest instead remaining on jQuery 1.x and ensuring that any AJAX requests you are making specify dataType, which as I understand it effectively mitigates the issue.
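The mitigation 36degrees describes (stay on jQuery 1.x, always set `dataType`), as an added example that is not code from this thread or from the toolkit: a small guard placed in front of `$.ajax` that refuses a cross-origin request unless a non-executable `dataType` is given, so a `text/javascript` response can never be auto-evaluated. The injected `transport`, the page origin and the URLs are assumptions for testing without a browser.

```javascript
// Added example: guard for jQuery 1.x $.ajax calls in the spirit of the
// CVE-2015-9251 advice in this thread. jQuery is not bundled here; the
// real transport ($.ajax) is injected so the guard runs under plain Node.

// dataTypes that make jQuery execute the response body as script.
// A missing dataType lets jQuery infer "script" from a text/javascript
// Content-Type on a cross-origin response, which is the problem.
const EXECUTABLE_DATA_TYPES = new Set(['script', 'jsonp']);

// True when `url` resolves to a different origin (scheme + host + port)
// than the page. Relative URLs are same-origin by definition.
function isCrossOrigin(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Inspect the options before they reach $.ajax. Returns a verdict rather
// than throwing so callers (or a linter) can log the reason.
function checkAjaxOptions(options, pageOrigin) {
  const { url, dataType } = options;
  if (typeof url !== 'string') throw new TypeError('url must be a string');
  if (!isCrossOrigin(url, pageOrigin)) {
    return { ok: true, reason: 'same-origin request' };
  }
  if (dataType === undefined || dataType === null) {
    return { ok: false, reason: 'cross-origin request without explicit dataType' };
  }
  if (EXECUTABLE_DATA_TYPES.has(String(dataType).toLowerCase())) {
    return { ok: false, reason: `cross-origin request with dataType "${dataType}"` };
  }
  return { ok: true, reason: `cross-origin request with dataType "${dataType}"` };
}

// Use this instead of calling $.ajax directly: guardedAjax($.ajax, opts, location.origin)
function guardedAjax(transport, options, pageOrigin) {
  const verdict = checkAjaxOptions(options, pageOrigin);
  if (!verdict.ok) throw new Error('Refusing AJAX request: ' + verdict.reason);
  return transport(options);
}
```

Note that an explicit `dataType` only stops automatic script evaluation; an `html` response must still be treated as untrusted before it is inserted into the page.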

eserkansozer commented 6 years ago

Thank you @nickcolley @36degrees. We don't have any cross-domain Ajax requests in our service right now, therefore we are safe.

The initiation of this discussion was GitHub sending us a warning notification about the vulnerability (which is still valid as anybody may misuse jQuery 1.x Ajax functions in our service or others which include front-end-toolkit as a package). Though the risk may be regarded as low and not GDS's responsibility IMHO.

I understand that GDS needs to support older browsers so an upgrade is not possible.

36degrees commented 6 years ago

That all makes sense – are you happy for me to close this issue as resolved?

eserkansozer commented 6 years ago

Yes, thank you.
