yard icon indicating copy to clipboard operation
yard copied to clipboard

Published 20 hours ago verified publisher icon lsegal

Upgrade to jQuery 1.12.4, addressing security warning from GitHub

Open thomthom opened this issue 3 years ago • 8 comments

Description

We host our generated docs on GitHub via GitHub pages. Via GitHub's security warnings we started seeing this recent:

image

We can patch this on our end, but we figured it was better to try to patch upstream.

However, jQuery 1.9 removed a number of functions which caused rendering issues:

image

This PR upgrades jQuery to the latest 1.x version; 1.12.4 along with the jQuery Migration plugin. The migration plugin ensures that YARD renders correctly again.

This does add another HTTP request to be made. If that's a concern we could merge jQuery and the Migration plugin into a single file.

Related discussion:

https://github.com/lsegal/yard/pull/1298#issuecomment-713474485

Completed Tasks

  • [x] I have read the Contributing Guide.
  • [x] The pull request is complete (implemented / written).
  • [x] Git commits have been cleaned up (squash WIP / revert commits).
  • [x] I wrote tests and ran bundle exec rake locally (if code is attached to PR).

thomthom avatar Oct 21 '20 10:10 thomthom

Ah, I checked the issues list first, but I didn't check the open PRs. I see now that there is #1351 that also addresses this.

thomthom avatar Oct 21 '20 10:10 thomthom

Coverage Status

Coverage decreased (-0.02%) to 93.416% when pulling 2e093bf2e80dae8d6adaeb942058e08e0743d390 on thomthom:dev/jquery-upgrade into 2b16190ced212bdb948fb47568645b29590bdbcd on lsegal:main.

coveralls avatar Oct 21 '20 10:10 coveralls

@thomthom I actually like this as a solution that uses jquery-migrate to handle the deprecated APIs. Did you verify that all pages load correctly with this version?

lsegal avatar Oct 25 '20 00:10 lsegal

I didn't check the guide template. That is a template I haven't noticed before.

But for the default template it seemed to work well. I tested the front page (README) along with class/module pages, additional pages, search.

I've put the fix into our custom YARD template (https://github.com/SketchUp/sketchup-yard-template) and we'll soon be publishing with these fixes applied locally to our doc builds.

If you want, I can zip up a copy of the YARD doc output from that branch if you (or anyone else) wish to have a look for review.

Btw, does YARD itself use the guide template? Or any project you are aware of that uses it that can be easily tested?

thomthom avatar Oct 25 '20 13:10 thomthom

Here are builds of the YARD docs and the YARD guide using a build from this PR branch.

thomthom avatar Nov 02 '20 10:11 thomthom

Btw, I saw warning from YARD when building the guide, not sure if that's related to how in invoked the build?

C:\Users\Thomas\SourceTree\yard>ruby bin\yard --yardopts .yardopts_guide 
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
Files:         184
Modules:        49 (    7 undocumented)
Classes:       218 (   49 undocumented)
Constants:     101 (   41 undocumented)
Attributes:    189 (    0 undocumented)
Methods:       971 (  165 undocumented)
 82.85% documented

thomthom avatar Nov 02 '20 10:11 thomthom

Updating to 1.12.4 is nearly useless since 4 vulnerabilities will remain out of the 6 vulnerabilities present in 1.7.1.

I know it as already be downgraded (3.4.1 back to 1.7.1) because breaking changes were not taken into account https://github.com/lsegal/yard/pull/1298/files.

Dependabot security alerts are sent to many project using yard:

image

The only versions with zero vulnerabilities now are 3.5.x and 3.6.x.

noraj avatar Jul 23 '21 10:07 noraj

Thank you @thomthom for posting this PR. I used it as a reference as posted new PR for bumping jQuery to latest v3.6.0 without having to add jquery-migrate in https://github.com/lsegal/yard/pull/1397

Can you provide your feedback there?

trivikr avatar Aug 31 '21 22:08 trivikr