We use jquery-ui for the datepicker, tooltips and some modals. Since the latest release has bugs in it and does not appear to be maintained, we should perhaps switch away from it to materialize.
Replacing the datepicker won't be easy. We currently show the datepickers in our period selection inline. MaterializeCSS does not have an option to display a datepicker inline. That means we need to find some hackish solution to make that possible. Or we might need to rethink the whole period selector, and change it in a way that doesn't need inline date pickers.
Tried replacing the other date pickers, but actually they would have this issue https://github.com/Dogfalo/materialize/issues/6552
In Matomo for WordPress I wanted to load only the needed jquery-ui files but noticed we're actually using 17 components: https://github.com/matomo-org/wp-matomo/blob/develop/plugins/WordPress/WpAssetManager.php#L40-L57
Maybe some of those components rely on each other, but there were definitely more components used by us than you think, so replacing it wouldn't be trivial.
Are there any known jquery UI security issues in the latest version? WordPress is also using jquery-ui in https://github.com/WordPress/WordPress/tree/master/wp-includes/js/jquery/ui and there were no updates in 4 years or so. AFAIK WP does apply security patches to jquery (as they are using jquery 1) so there might be no security issues so far?
The latest security fix I could find in jquery-ui directly is https://github.com/jquery/jquery-ui/pull/1747
Seems a bit of development is still going on? https://github.com/jquery/jquery-ui/commits/master
Looks like the last release was in 2016: https://github.com/jquery/jquery-ui/releases. Not sure what the ongoing development is.
FYI I just added this to 4.0 since that's when I created it. It doesn't need to be here.
If we don't do it in 4.0, I guess we should move it to the next major release, as removing jQuery UI might break the UI of some plugins, which shouldn't be done in a minor release imho.
Are there any known jquery UI security issues in the latest version?
There are no published ones. But that of course doesn't mean there aren't any; maybe no one is looking in such an old library.
Development definitely stopped quite a while ago: https://blog.jqueryui.com/2017/12/the-future-of-jquery-ui-and-jquery-mobile/
Bonus points: jQuery UI seems to be the single largest JS file embedded in the Matomo UI (66KB gzipped), so removing it might speed up the page load by quite a bit.