alphagov / tech-docs-gem

Gem to distribute the tech docs project
https://tdt-documentation.london.cloudapps.digital/
MIT License

JQuery Version fails our dependency check #217

Closed joel-stobart closed 3 years ago

joel-stobart commented 3 years ago

The jQuery version used in this library is v1.12.4 https://github.com/alphagov/tech-docs-gem/blob/master/lib/assets/javascripts/_vendor/jquery.js however this is vulnerable to a couple of issues https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-286372/Jquery-Jquery-1.12.4.html

This is showing as a problem in our build pipeline.

lfdebrux commented 3 years ago

I think in theory it would be good to remove jQuery from this repo altogether (and reduce our use of third-party libraries across the board), to reduce the amount of code user agents need to run.

Looking at our code I think it is only used in search.js and govuk-tech-docs.js, but in search it is doing quite a lot of heavy lifting. We also have other vendored code that currently relies on jQuery.

So in the interests of getting this issue closed quickly (and any security holes plugged), we should probably upgrade our vendored code ASAP.

It looks like @chao-xian and @ESKYoung had a go at this in https://github.com/alphagov/tech-docs-gem/pull/203 but eventually closed the PR... probably because we didn't get around to merging it in time? 😓 I will see about resurrecting that PR.

lfdebrux commented 3 years ago

PR to update jQuery and lodash (#203) has been merged; once it has been released we can close this issue.

lfdebrux commented 3 years ago

tech-docs-gem v2.4.3 with jquery v3.5.1 has been released 🎉

You can upgrade with bundle update govuk_tech_docs.
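The thread turns on a build pipeline flagging the version string of a vendored jquery.js. Below is an added example of the kind of check such a pipeline can run, written for this page and not code from tech-docs-gem: it reads the banner comment jQuery ships at the top of its file, parses the version, and compares it against a minimum using Gem::Version. The minimum (3.5.0) is an assumption chosen for the example because the issue was closed by moving to jQuery 3.5.1; the two sample banners are constructed inputs modelled on the format jQuery uses.

```ruby
# Added example (not part of tech-docs-gem): fail a build when a vendored
# jquery.js is older than an accepted minimum version.
require "rubygems" # Gem::Version; loaded by default in Ruby, explicit here

# Minimum acceptable version. This threshold is an assumption for the
# example; the issue above was resolved by upgrading to jQuery 3.5.1.
MIN_JQUERY_VERSION = Gem::Version.new("3.5.0")

# jQuery files begin with a banner such as
#   /*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
JQUERY_BANNER = /\A\s*\/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)/

# Returns the version string from the banner, or nil if there is no banner.
def jquery_version_from(source)
  m = JQUERY_BANNER.match(source)
  m && m[1]
end

# Returns a result hash instead of exiting so the logic can be tested;
# a pipeline wrapper would exit non-zero when result[:ok] is false.
def check_vendored_jquery(source, minimum: MIN_JQUERY_VERSION)
  version = jquery_version_from(source)
  if version.nil?
    # A missing banner is treated as a failure: an unidentifiable vendored
    # copy cannot be shown to be safe, so the check does not silently pass.
    return { ok: false, version: nil, reason: "no jQuery version banner found" }
  end
  ok = Gem::Version.new(version) >= minimum
  { ok: ok, version: version, reason: ok ? nil : "jQuery #{version} is below #{minimum}" }
end

# Constructed sample inputs (only the banner line and a stub body).
OLD_JQUERY = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n" \
             "!function(a,b){}(this);\n"
NEW_JQUERY = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n" \
             "!function(e,t){}(\"undefined\"!=typeof window?window:this);\n"

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_jquery.rb path/to/jquery.js
  # Falls back to the constructed old sample when no path is given.
  path = ARGV[0]
  source = path && File.exist?(path) ? File.read(path) : OLD_JQUERY
  puts check_vendored_jquery(source).inspect
end
```

Gem::Version does a proper segment-wise comparison, so "1.12.4" is correctly ranked below "3.5.0" where a plain string comparison would not be. The check is deliberately strict about an absent banner: a vendored file with the banner stripped is exactly the case a dependency scanner is most likely to miss.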