Jquery < 3.5.0 security vulnerabilities #30692

Closed
jcoyne opened this issue Apr 29, 2020 · 9 comments
jcoyne commented Apr 29, 2020

There are two security vulnerabilities reported against the version of jQuery that Bootstrap 4.4.1 requires:

GHSA-jpcq-cgw6-v4j6
GHSA-gxr4-xjj5-5px2

This appears to be fixed by #30559, but I don't believe that's been released yet.

@lightning-dabbler

I don't think it's been released either. I'm still getting

Cannot convert object to primitive value

error because of collapse.js on v4.4.1.
Are they waiting to release this in v4.4.2?

@XhmikosR
Member

XhmikosR commented Apr 30, 2020

It's not released yet, but you should wait for jQuery v3.5.1 because more libraries are probably broken.

We are wrapping up any v4.4.2 patches and I'll try to release v4.4.2 ASAP.

EDIT: correction, or rather be extra careful when updating to jQuery v3.5.0 due to the breaking change it has, which is fixed in their 3.x branch, but a patch release has not been released yet.

@lorvent

lorvent commented Apr 30, 2020

Out of curiosity, is this breaking change only for jQuery 3.x, or for 1.x and 2.x too?

And will Bootstrap 4.4.2 work with jQuery 1 and 2 or not?

Many thanks.

@XhmikosR
Member

Only v3.5.0 has this bug AFAICT. But they made some security fixes in the same version, which is why they need to release v3.5.1 ASAP.

That being said, one can stay on jQuery v3.4.1 if they judge that they are not affected by the security fixes.

As for older versions of jQuery, we actively test v1.9.1 and 3.4.1 and both work fine for Bootstrap v4.4.1. Bootstrap v4.4.2 which has the fix from our side will also work with jQuery v3.5.0.

But I really hope they release a new patch version soon, too.

@XhmikosR XhmikosR mentioned this issue May 3, 2020
awead added a commit to psu-libraries/scholarsphere that referenced this issue May 4, 2020
This reverts commit 7d9c139.

The jQuery update breaks Bootstrap features such as the expand/collapse
of the catalog search facets.

Once Bootstrap is fixed, then we should be able to re-apply this patch.
See twbs/bootstrap#30692
@Gemorroj

Gemorroj commented May 5, 2020

@XhmikosR
Member

XhmikosR commented May 5, 2020

jQuery v3.5.1 was released a few hours ago. This should work with Bootstrap 4.x fine.

I'm going to close the issue; although we do have a fix in our v4-dev branch, it's now irrelevant.
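The thread boils down to a version rule: jQuery below 3.5.0 is covered by GHSA-jpcq-cgw6-v4j6 and GHSA-gxr4-xjj5-5px2, exactly 3.5.0 carries the regression that broke Bootstrap 4.4.1's collapse.js, and 3.5.1 or later is the target. The following is an added example, not code from this thread or from the Bootstrap or jQuery projects; it encodes that rule and walks a constructed package-lock.json v1-style `dependencies` tree so nested copies of jQuery are reported as well as the hoisted one.

```javascript
// Added example: classify installed jQuery versions against the thresholds
// discussed in twbs/bootstrap#30692. Not part of the Bootstrap project.
const ADVISORIES = ['GHSA-jpcq-cgw6-v4j6', 'GHSA-gxr4-xjj5-5px2']; // fixed in 3.5.0

// Parse "3.4.1" / "v3.5.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "3.10.0" sorts after "3.9.0" (string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function classifyJquery(version) {
  const cmp = compareVersions(version, '3.5.0');
  if (cmp < 0) return { status: 'vulnerable', advisories: ADVISORIES };
  // 3.5.0 ships the security fixes but has the regression that breaks
  // Bootstrap 4.4.1 collapse.js; 3.5.1 fixed it.
  if (cmp === 0) return { status: 'regression', advisories: [] };
  return { status: 'ok', advisories: [] };
}

// Recursively walk a lockfile "dependencies" tree and report every jquery entry.
function findJquery(lock, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === 'jquery') {
      out.push({ path: here.join(' > '), version: entry.version, ...classifyJquery(entry.version) });
    }
    if (entry.dependencies) findJquery(entry, here, out);
  }
  return out;
}

// Constructed sample lockfile fragment: a hoisted 3.4.1 plus a nested 3.5.1.
const SAMPLE_LOCK = {
  dependencies: {
    jquery: { version: '3.4.1' },
    'some-widget': { version: '1.0.0', dependencies: { jquery: { version: '3.5.1' } } },
  },
};

console.log(JSON.stringify(findJquery(SAMPLE_LOCK), null, 2));
```

Point `findJquery` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real lockfile; lockfiles using the newer `packages` map need a different walk.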

@XhmikosR XhmikosR closed this as completed May 5, 2020
@XhmikosR XhmikosR added the v4 label May 5, 2020
rschenk pushed a commit to psu-libraries/scholarsphere that referenced this issue May 5, 2020
@sleepinzombie

I tried using v3.5.1 with Bootstrap v4.4.1 and collapse.js is now throwing another error: TypeError t.

Am I doing something wrong, or does the fix they released not work?

@XhmikosR
Member

XhmikosR commented May 6, 2020

You are doing something wrong.

@lightning-dabbler

Hmm, I'm not having this issue and the release works for me.
