[wp-trac] [WordPress Trac] #37110: Update to jQuery 3.*
WordPress Trac
noreply at wordpress.org
Fri Feb 14 13:42:07 UTC 2020
#37110: Update to jQuery 3.*
-------------------------------------------------+-------------------------
Reporter: jorbin | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone: Future Release
Component: External Libraries | Version:
Severity: critical | Resolution:
Keywords: early has-patch needs-testing needs-dev-note needs-screenshots needs-refresh | Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by bigcloudmedia):
Replying to [comment:90 galbaras]:
> Maybe there is another direction here.
>
> As per the StackExchange page provided by @jacklinkers ,
> PageSpeed/Lighthouse look at Snyk.io for vulnerability advice.
> Unfortunately, https://snyk.io/test/npm/jquery/1.12.4 does list a couple
> of issues.
>
> However, if the version really is clean, as claimed on StackExchange,
> it's just a matter of letting Snyk.io know. If anyone reading this ticket
> feels confident enough about this, please contact them.

Speaking from experience having had to deal with PCI certification for
customers running WooCommerce stores, this issue is a *constant* thorn in
our side. The scanning vendors pick up that you have an old version
installed, and sometimes they decide that they don't like your existing
mitigation strategy anymore.

The first couple times it came up I was able to point out that it's in
WordPress Core, and that I had an inherent business need to be running
WordPress, and was able to get a waiver for certification.

When I last commented on this thread seven months ago I was working with
the same scanning vendor, but they decided that simply needing to use
WordPress was no longer an acceptable reason for having an old version of
jQuery and forced me to deregister it from all places and re-register the
latest version, then provide proof that there was no trace of the old
version that was active.

Seriously, this is becoming a **major** problem, and it's only getting
worse the longer we take to rip the band-aid off. If we can have freaking
Gutenberg forced on us against our will (in spite of how it upends
well-known and established workflows in WordPress), there's **no excuse**
why this hasn't been done yet.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37110#comment:91>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform