@diosmosis opened this Issue on June 7th 2020 Member

We use jquery-ui for the datepicker, tooltips and some modals. Since the latest release has bugs in it and does not appear to be maintained, we should perhaps switch away from it to materialize.

@sgiehl commented on June 17th 2020 Member

Replacing the datepicker won't be easy. We currently show the datepickers in our periodselection inline. MaterializeCSS does not have an option to display a datepicker inline. That means we need to find some hackish solution to make that possible. Or we might need to rethink the whole period selector, and change it in a way that doesn't need inline date pickers.
Tried replacing the other date pickers, but actually they would have this issue https://github.com/Dogfalo/materialize/issues/6552

@tsteur commented on June 17th 2020 Member

In Matomo for WordPress I wanted to load only the needed jquery-ui files but noticed we're actually using 17 components: https://github.com/matomo-org/wp-matomo/blob/develop/plugins/WordPress/WpAssetManager.php#L40-L57

Maybe some of those components rely on each other but there were definitely more components used by us than you think so replacing it wouldn't be trivial.

Are there any known jquery UI security issues in the latest version? WordPress is also using jquery-ui in https://github.com/WordPress/WordPress/tree/master/wp-includes/js/jquery/ui and there were no updates in 4 years or so. AFAIK WP does apply security patches to jquery (as they are using jquery 1) so there might be no security issues so far?

The latest security fix I could find in jquery-ui directly is https://github.com/jquery/jquery-ui/pull/1747

Seems a bit of development is still going on? https://github.com/jquery/jquery-ui/commits/master

@diosmosis commented on June 18th 2020 Member

Looks like the last release was in 2016: https://github.com/jquery/jquery-ui/releases. Not sure what the ongoing development is.

@diosmosis commented on June 18th 2020 Member

FYI I just added this to 4.0 since that's when I created it. It doesn't need to be here.

@sgiehl commented on June 18th 2020 Member

If we don't do it in 4.0, I guess we should move it to the next major release, as removing JQuery UI might break the UI of some plugins, which shouldn't be done in a minor release imho

@Findus23 commented on June 18th 2020 Member

> Are there any known jquery UI security issues in the latest version?

There are no published ones. But that of course doesn't mean there aren't any, maybe no one is looking in such an old library.

Development definitely has stopped quite a while ago: https://blog.jqueryui.com/2017/12/the-future-of-jquery-ui-and-jquery-mobile/

@Findus23 commented on July 12th 2020 Member

Bonus points: Jquery UI seems to be the single largest JS file embedded in the Matomo UI (66KB gzipped), so removing it might speed up the page load by quite a bit.
