After d8c404d, users who use the old school debugbar debugger can still use an updated jQuery, but it's not clear if this will mirror their production environment where there is (likely) no debugger. I am still investigating the state of this.

If you need precise environment parity (always nice), you can use the legacy jQuery that is bundled and take a (IMO) small chance that you are actually vulnerable (and I can't vouch for this).

Here is the back story:

After receiving these scary looking alerts from GitHub's friendly sweepers, I looked into them. They didn't seem likely to leave deployments of the theme vulnerable. I still wanted to fix them if it was simple.

CVE-2019-11358
CVE-2020-23064
CVE-2015-9251
CVE-2020-11022

I swapped out the line where the jQuery JS asset is included and simply added 'jquery'. Not so simple of course! There were console errors to which I tracked down a couple of relevant issues, but still don't quite follow the behaviour I'm seeing.

So I've had to add some logic that I think shirks around the bugs, doesn't break anything existing, and only affects debugbar users. The problem is that I don't understand how the debugbar is breaking jQuery. Until then, I'm not really sure that debugbar and version parity can both be achieved simultaneously. I'll leave it at that because the rest is confused postulating, if that's not a tautology.