update frontend libraries like jquery #12961
Comments
Just FYI: MaterializeCSS is not compatible with jQuery 3+ in case it was planned to update to a newer jQuery major version.
@tsteur It seems like the fix has already been merged a year ago and will be released soon: But I wouldn't be surprised if a lot of other things stop working.
@Findus23 that will be in MaterializeCSS 1.0 but we are likely not compatible with that version and may need to update a bit of code and plugins to make that work (to be tested). Just saying we may not be easily able to upgrade to that version and only as part of Matomo 4.0 as it may be hard for plugins to keep them compatible with 0.X version and 1.X version of MaterializeCSS etc. But maybe it is not really an issue, it is just a matter of testing and seeing how much we need to change and what. Most of the logic is centralized so it might not be too bad.
BTW: MaterializeCSS 1.0 just came out. |
Is there a chance that this issue will be resolved in the next version (3.12.0)? |
It's probably not something I will finish for 3.12, but someone else could finish the work I started. |
I'm not sure what exactly we're planning to upgrade? jQuery we likely can't update since Materialize is not compatible, and we very likely don't want to update Materialise to 1.0 as there are a lot of breaking changes AFAIK and plugins become incompatible and we would not be able to have plugins compatible with new and older versions of Matomo and be a lot of work to update them all if/where needed. This would be rather something for Matomo 4.
While I’m normally the one to argue for updating everything, I have to agree here. Most libraries are outdated enough that it isn’t just a quick patch update. And updating everything at once with Matomo 4 makes it easier as things only have to be fixed once and allows enough testing to make sure everything works well.
But after that it might be worth it to stay up to date more regularly as applying minor updates is easier than falling too far behind.
Lukas
Totally, only problem is really when they have major updates with breaking changes. In general the goal should be to update minor and patch releases of libs during a release.
Finally closed in #16079, only library that needs to be dealt w/ is jqplot but that is too hard to do atm.
I know this is a tedious task with no direct benefit, but with the possibility of breaking some things.
But most JS libraries haven't been updated since Piwik 3 in 2016. And since then many things changed, new browsers appeared and security issues were found.
One of the largest that (kind of) affects Matomo is https://nodesecurity.io/advisories/328 which affects all jQuery versions <3.0.0
Simply said running
in Matomo executes the JavaScript at
http://sakurity.com/jqueryxss.
Thankfully @sgiehl had the great foresight 6 years ago when creating the ajaxhelper (in 9979315) to fall back to "json" as a format, so I think Matomo isn't affected.
But I still think that updating JS regularly will avoid possible future issues.
(The same can be said for composer dependencies, but thanks to the new npm audit command, checking for security issues in frontend libraries was easier)
Update: It seems like https://packagist.org/packages/roave/security-advisories is something similar for php dependencies
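As an added illustration for the advisory discussed in this issue (this is not code from the thread, from Matomo or from jQuery), the Node.js snippet below models the response-type inference in jQuery's ajax.js that the sakurity demo abuses: when a caller passes no dataType, jQuery sniffs the response Content-Type against its `ajaxSettings.contents` regex table, and a `text/javascript` match routes the body through the `text script` converter (globalEval). jQuery 3.0 closed the cross-domain case by disabling `contents.script` in a prefilter; an explicit `dataType: "json"`, which is what the ajaxhelper's fallback amounts to, closes it on any version. The `CONTENTS` table is jQuery's real regex table; the hostile response, the `handleResponse`/`scenarios` helpers and their return values are constructed for this example and return a description of what jQuery would do rather than executing anything.

```javascript
// Added model of jQuery's Ajax response handling (not jQuery itself, not Matomo code).
// Mirrors ajaxHandleResponses() and ajaxConvert() closely enough to show why an explicit
// dataType, not the jQuery version, decides whether a response body gets executed.

// jQuery.ajaxSettings.contents: regexes used to guess an unrequested dataType from
// the response Content-Type (same table in jQuery 1.x, 2.x and 3.x).
const CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// jQuery 3.0 added an ajaxPrefilter that sets `s.contents.script = false` for
// cross-domain requests, so a JavaScript Content-Type can no longer be sniffed
// into "script". Earlier majors keep the full table.
function effectiveContents(jqueryMajor, crossDomain) {
  const contents = { ...CONTENTS };
  if (jqueryMajor >= 3 && crossDomain) {
    contents.script = false;
  }
  return contents;
}

// ajaxHandleResponses(): only when the caller did not request a type ("*" is
// jQuery's placeholder for "intelligent guess") is the header consulted.
// Falsy entries in the table are skipped, which is how the 3.0 prefilter works.
function inferDataType(contents, contentType, requestedDataType) {
  if (requestedDataType && requestedDataType !== '*') {
    return requestedDataType;
  }
  for (const [type, pattern] of Object.entries(contents)) {
    if (pattern && pattern.test(contentType)) {
      return type;
    }
  }
  return 'text';
}

// ajaxConvert(): "text script" evaluates the body, "text json" parses it (a parse
// failure surfaces as a "parsererror"), anything else is handed back as text.
// Constructed helper: records the action instead of performing it.
function handleResponse({ jqueryMajor, crossDomain, dataType }, response) {
  const contents = effectiveContents(jqueryMajor, crossDomain);
  const type = inferDataType(contents, response.contentType, dataType);
  switch (type) {
    case 'script':
      return { action: 'execute', type, payload: response.body }; // jQuery.globalEval(body)
    case 'json':
      try {
        return { action: 'parse', type, payload: JSON.parse(response.body) };
      } catch (e) {
        return { action: 'parsererror', type, payload: null };
      }
    default:
      return { action: 'text', type, payload: response.body };
  }
}

// Constructed sample: an attacker-controlled cross-origin endpoint that answers a
// plain $.get(url) with JavaScript instead of the JSON the caller expected.
const HOSTILE_RESPONSE = {
  contentType: 'text/javascript; charset=utf-8',
  body: 'alert(document.domain)',
};

// The four cases that matter for the thread, as action names.
function scenarios(response = HOSTILE_RESPONSE) {
  return {
    // $.get(url) cross-domain on jQuery 1.x/2.x, no dataType: the body is executed
    legacyGuess: handleResponse({ jqueryMajor: 2, crossDomain: true }, response).action,
    // same call on jQuery 3.x: contents.script is disabled, body is treated as text
    v3Guess: handleResponse({ jqueryMajor: 3, crossDomain: true }, response).action,
    // explicit dataType "json" on an old jQuery: JSON.parse fails, nothing executes
    explicitJson: handleResponse({ jqueryMajor: 2, crossDomain: true, dataType: 'json' }, response).action,
    // explicit dataType "script" still executes on jQuery 3: the caller asked for it
    explicitScript: handleResponse({ jqueryMajor: 3, crossDomain: true, dataType: 'script' }, response).action,
  };
}

console.log(scenarios());
```

The takeaway for a code base that cannot move to jQuery 3 yet: audit every `$.get`, `$.post` and `$.ajax` call that targets a URL an attacker might influence and make sure it passes an explicit `dataType` (`"json"` or `"text"`), because the Content-Type sniffing path only runs when none is given.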