update bundled jQuery to 3.x

[mmitch]

I've just found the Google Lighthouse plugin for Firefox and ran it against my blog which is already updated to Serendipity 2.3.4. The Lighthouse report mentions 2 medium security issues in the jQuery 1.12.4 that is bundled with Serendipity 2.3.4: the two red lines at https://snyk.io/vuln/npm:jquery?lh=1.12.4

As far as I can tell:

• jQuery 1.12.4 is the newest version of the 1.x branch
• both jQuery 1.x and 2.x don't receive any patches any more
• there is a jQuery migration tool from version 1.12.x to 3.0

I don't know much about JavaScript or jQuery – is an update or version switch relatively painless or would this mandate a rewrite of half of Serendipity's frontend?

(According to the contribution guidelines, I have contacted Garvin by email to check whether this is security relevant – his quick triage/response was: 1. the bugs in jQuery are more on the cosmetic side 2. updating jQuery might break plugins 3. I should go on to post this issue here on Github: [x] done :-)

[yellowled]

is an update or version switch relatively painless or would this mandate a rewrite of half of Serendipity's frontend?

I have to admit I haven't updated anything from s9y 1.x to newer versions in a long time. The issue is not so much s9y's frontend, but plugins (as Garvin mentions). Which, of course, is a matter of testing first and foremost.

• https://jquery.com/upgrade-guide/3.0/ lists all breaking changes
• We could of course bundle the migrate plugin for the time being in order to be able to upgrade quickly, but that does not spare us the testing.
• The 3.x migrate plugin clocks in at 8.8 KB minified, which is not that bad. However, it's an additional HTTP request.
• We would of course have to do a release anyway.

The most likely issue is probably third-party stuff breaking. Some outdated, unmaintained script that one of our plugins or themes uses. I'll try to gather information on which themes/plugins even use jQuery. (I don't think dropping jQuery altogether is an option.)

[yellowled]

Core themes that use jQuery

• clean-blog ✅
• next ✅
• default (I think, I'm not 100% sure)
• 2k11, including in the admin interface ✅
• bootstrap4 (but that should work with jQuery 3.x since bootstrap bundles that) ✅
• timeline ✅

The biggest potential issue I have seen here so far is a dependency on FitVids, which requires jQuery, in clean-blog, timeline and 2k11, which is a third-party script that hasn't been updated in a long time. Then there's of course our backend JS, which uses jQuery and also uses plugins that depend on jQuery.

It seems like no core plugin uses jQuery.

Additional plugins that require jQuery

• serendipity_event_cal ✅ (The plugin does not work well in backend or frontend, but that's not related to jQuery.)
• serendipity_event_commentedit 🚫 (see below)
• serendipity_event_emoticonchooser ✅
• serendipity_event_faq 🚫 (see #717)
• serendipity_event_freetag ✅
• serendipity_event_geshi ✅
• serendipity_event_guestbook 🚫 (see #718)
• serendipity_event_karma ✅
• serendipity_event_lightbox (that still bundles jQuery, which is probably deprecated) ✅
• serendipity_event_linktrimmer 🚫 (just installing it breaks the backend JS, see #719)
• serendipity_event_livecomment 🚫 (buttons are not inserted w/ jQuery 3, everything else seems to work)
• serendipity_event_osm ✅
• serendipity_event_podcast 🧐 (I can't really test this plugin, it's too complex/I know too little about it.)
• serendipity_event_realtimecomments ✅
• serendipity_event_social ✅
• serendipity_event_spamblock_bayes ✅ (@onli bayes only uses jQuery in the backend, right?)
• serendipity_event_staticpage ✅
• serendipity_event_template_editor ✅ (@onli would be great if you could double-check this; I don't really know the tpl editor – I think it works as it's supposed to …?)
• serendipity_event_usergallery 🚫 (see #722)

I have not yet looked at what they do, that's just the result of a quick grep.

[yellowled]

I have prepared upgrading to jQuery 3.4.1 and adding the migration plugin in a branch (see PR above). I don't know when I will be able to test this myself. If someone else can test this earlier, go right ahead of course.

[mmitch]

I've manually applied the PR to my productive Serendipity 2.3.4 blog and don't see any issues.

The JavaScript console shows only this and now further warnings on any page tested:

JQMIGRATE: jQuery 3.0.0+ REQUIRED                        jquery-migrate.js:2:561
JQMIGRATE: Migrate is installed, version 3.1.0           jquery-migrate.js:2:696

The Lighthouse security vulnerability test is now passed.

My test contains:

• my theme is based on Blue Streak/contest
• serendipity_event_geshi works
• serendipity_event_spamblock_bayes works (at least the admin interface, I did not receive a new comment yet)
• serendipity_event_staticpage works

I encountered some mixed content warnings in the admin interface and the spamblock bayes "empty trashcan" only seems to work on the current page, not all entries, but both of these things are propably unrelated to the jQuery upgrade.

I think I'll just let it run with the patch applied for now. If anybody wants to have a look: https://www.cgarbs.de/blog/

[yellowled]

Seems like I hit jackpot on the first extra plugin I tried. 😂

Using serendipity_event_commentedit with jQuery 3.5.0, jQuery migrate and (maybe that's the error?) PHP 7.3 gives me an empty page with a console error

GET https://s9y.ddev.site/archives/2-Big-Buck-Bunny.html net::ERR_CONTENT_DECODING_FAILED 200

@onli can you make any sense of this? Could commentedit be incompatible with newer jQuery versions?

[yellowled]

Well, to sum this up, I don't think we can currently merge this since it breaks some plugins. Plus, testing it revealed some potential issues within other plugins that prevented me from testing at all. On the plus side, I think most of these only use jQuery in the backend.

[surrim]

• serendipity_event_osm 🚫 (see #721)

This plugin don't need jQuery. jQuery is used for the dropdown description texts in the backend.