Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jQuery slim build reports "invalid version" #3624

Closed
topaxi opened this issue Oct 20, 2017 · 6 comments · Fixed by #3932
Closed

jQuery slim build reports "invalid version" #3624

topaxi opened this issue Oct 20, 2017 · 6 comments · Fixed by #3932
Assignees
@patrickhulce
Labels
bug P1
Milestone
Sprint Cinco: Nov...

Comments

@topaxi
Copy link

topaxi commented Oct 20, 2017
edited
Loading

I'm using the jQuery slim build on a website, lighthouse is reporting "invalid version", my guess is it parses some kind of semver like versions while the jQuery slim version looks like this:

3.2.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/parseXML,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-event/ajax,-effects,-effects/Tween,-effects/animatedSelector
@patrickhulce
Copy link
Collaborator

patrickhulce commented Oct 20, 2017
edited by paulirish
Loading

Thanks for the report! Could you clarify what you mean by Lighthouse is reporting "invalid version"? Is there a specific audit that is failing or a fatal error? A copy of the report/json here or screenshot with test URL would be helpful here too if you have them.

@topaxi
Copy link
Author

topaxi commented Oct 20, 2017
edited
Loading

Under "Best Practices" - "Includes front-end JavaScript libraries with known security vulnerabilities":

best-practices

Test URL: https://sarahtherad.com/

@patrickhulce
Copy link
Collaborator

patrickhulce commented Oct 20, 2017
edited
Loading

Great thanks for sharing the URL @topaxi! I can reproduce.

@patrickhulce
Copy link
Collaborator

Indeed our bug, basically need to wrap

lighthouse/lighthouse-core/audits/dobetterweb/no-vulnerable-libraries.js

Line 69 in 76e51f3

if (semver.satisfies(lib.version, vuln.semver.vulnerable[0])) {
in try/catch

@paulirish
Copy link
Member

paulirish commented Nov 1, 2017
edited
Loading

we have two fixes here:

  1. apply a trycach so we dont fail so hard (as patrick's comment points out)
  2. js-library-detector lib correctly extracts the version in this case.

@topaxi can you report this upstream to js-library-detector? they should be trimming off anything separated by whitespace, IMO.

edit: sentry issue: https://sentry.io/google-lighthouse/lighthouse/issues/407623160/

@topaxi topaxi mentioned this issue Nov 2, 2017
Closed
@johnmichel
Copy link

johnmichel commented Nov 6, 2017
edited
Loading

@paulirish @topaxi This should be resolved in v4.3.0 via johnmichel/Library-Detector-for-Chrome#104, which was just published to both npm and the Chrome Web Store. Please let me know if you see any other strange behavior.

@paulirish paulirish added P1 and removed P3 labels Nov 27, 2017
@patrickhulce patrickhulce mentioned this issue Nov 28, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@patrickhulce patrickhulce

Labels
bug P1
Projects
None yet
Milestone
Sprint Cinco: November 28 - Dec 9
Development

Successfully merging a pull request may close this issue.

core(vulnerable-libs): add fix for recovering from bad versions GoogleChrome/lighthouse
4 participants
@johnmichel @paulirish @topaxi @patrickhulce