[wp-trac] [WordPress Trac] #37110: Update to jQuery 3.*
WordPress Trac
noreply at wordpress.org
Sat Apr 25 16:20:50 UTC 2020
#37110: Update to jQuery 3.*
-------------------------------------------------+-------------------------
 Reporter:   jorbin                              | Owner:      (none)
 Type:       task (blessed)                      | Status:     new
 Priority:   normal                              | Milestone:  Future Release
 Component:  External Libraries                  | Version:
 Severity:   critical                            | Resolution:
 Keywords:   early has-patch needs-testing       | Focuses:    javascript
             needs-dev-note needs-screenshots    |
             needs-refresh                       |
-------------------------------------------------+-------------------------
Comment (by bigcloudmedia):
Replying to [comment:113 galbaras]:
> One point that may have been missed along the way: the WP version of
> jQuery is safe, and loaded with `?ver=1.12.4-wp`, yet the security service
> still identifies it as 1.12.4, because inside the file, that's still the
> version number.
>
> If there is no major significance to the inline version number, why not
> just change it and get rid of the security alert? Sure seems like a small,
> easy change to me.
>
> Another way is to contribute the safe WP jQuery version back to jQuery
> as version 1.12.5, and change the inline version and URL version, because
> it will be official.

Speaking from direct experience with two different scanning companies in
the past year, it gets flagged because it's *not* safe—they test for the
known vulnerabilities directly and it comes back with known deficiencies
(old and new) in those versions. Changing the version number to try and
prevent it from getting flagged is no better than rolling the odometer
back so you can say, "See! Low mileage! No problem here!"
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37110#comment:114>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform