Remove jQuery dependency #65
Hi @technopagan, I understand the idea and the advantages. My JS knowledge is close to zero and I'm not sure I want to add this to my already long learning list. Also, there are two different issues: The XSS vulnerabilities and performance improvements:
I don't see any possible vector for XSS at Retromat, since there isn't any unreviewed user content on the site. I am also wondering if there actually are any noticeable performance issues (above 100ms) with jQuery. And if you would like to spare bandwidth or traffic, at the most activity.json should be divided into smaller parts. Even this is not vital, as long as the activities.json does not grow over 250kb. Just my 2 cents.
Hmm, two guys called Tobias in the conversation, good thing we have nicknames 8-) devtop: Thank you for your thoughts! devtop: Another thing: GitHub shows commits pushed by you as related to this issue. Just realized it's some old commits from Corinna from before the time when we switched to web-based editing of activities. Do you have any idea why GitHub shows them as related to this issue?
GitHub lists the commits because of their commit message. This issue has the number 65. It is a GitHub feature to reference an issue in a commit message by using hash # + number. All concerned commits are made by @findingmarbles. She used #+65 to reference the activity. I updated my local repository by pulling it from findingmarbles/Retromat on Friday, the 23rd, two weeks ago. Then I updated my repository at GitHub by pushing my local repo. My local repo was outdated for a long time. That is why the commits are pretty old. Neat detail: I updated my local repository to see if I could support on this issue. But I am too far away from front end development to help remove jQuery in any kind of way.
@devtop Thank you, now I understand :-D
My JavaScript skills are beyond abysmal, but yet I think we should tackle the task of removing jQuery from Retromat.
jQuery 1.x and 2.x are officially EOL (jquery/jquery.com#162) and the version that is currently on Retromat (1.7.2) has two known vulnerabilities: https://snyk.io/test/npm/jQuery/1.7.2?severity=high&severity=medium&severity=low
Upgrading to 1.8, 2.x or the currently stable 3.x would take just as much effort as removing the jQuery dependency: Retromat uses only the most basic of jQuery functionalities, most of which should be easily achievable with vanilla JS thanks to the progress that has happened in ECMA5+6.
So I propose that we figure out how to rewrite the bits of jQuery syntax into vanilla JS and thus remove jQuery. This would save bandwidth, save the last remaining 3rd-party calls to Google and probably even execute faster while removing the known exploits.