Conversation

@captainsafia captainsafia commented May 13, 2020

Description

jQuery versions 3.4.0 and below are impacted by CVE-2019-11358. This PR updates all the jQuery versions currently used in this repo (2.2.0 and 3.3.1) to 3.5.1.

Customer Impact

This issue was reported by a customer in #20001. Component Governance and other automated security checks will flag repositories that contain the vulnerable version of jQuery included by default in our templates and samples. Users can work around the issue by removing the assets generated by the template and replacing them with the updated versions.

Regression?

No regressions.

Risk

The jump from 2.2.0 to 3.5.1 is a major version bump in the jQuery dependency. The following samples with this major version bump were validated.

  • AzureADSample
  • Security ClaimsTransformation sample
  • Security Cookies sample

Given these validations and the fact that this PR brings in a security fix for a dependency of samples and templates, the risk is low.
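
The pollution path behind CVE-2019-11358, as an added example that is not jQuery's source and not part of this PR: a minimal recursive merge in the style of `jQuery.extend(true, target, source)`, once in the shape that affected jQuery before 3.4.0 and once with the `__proto__` skip that 3.4.0 introduced. The `isAdmin` payload, the function names and the `pollutes` harness are constructed for the illustration.

```javascript
// Added example, not jQuery's source: a minimal recursive merge in the style of
// jQuery.extend(true, target, source). CVE-2019-11358 is prototype pollution: a
// source key named "__proto__" makes the merge descend into Object.prototype.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  // Object.prototype itself passes this test (its prototype is null), which is
  // exactly what lets the vulnerable merge treat it as an ordinary target.
  return proto === null || proto === Object.prototype;
}

// Shape of the merge in jQuery before 3.4.0: every key of `source` is walked,
// including "__proto__". Reading target["__proto__"] yields Object.prototype,
// it passes isPlainObject, and the recursion then assigns onto it.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Same merge with the 3.4.0 fix: the prototype key is never descended into.
function deepExtendFixed(target, source) {
  for (const key in source) {
    if (key === '__proto__') continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON body parsed and merged into options.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge the payload with `extend`, then ask an unrelated fresh object whether it
// inherited the injected property. Cleans up Object.prototype afterwards so the
// result of one call does not leak into the next.
function pollutes(extend) {
  extend({}, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('vulnerable merge pollutes Object.prototype:', pollutes(deepExtendVulnerable));
console.log('fixed merge pollutes Object.prototype:', pollutes(deepExtendFixed));
```

The `__proto__` key only reaches the merge when the source object was built by `JSON.parse` or a similar parser that creates it as an own property; an object literal with that key sets the prototype instead. That is why the affected pattern in practice is merging parsed, attacker-supplied JSON into a settings object.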

@captainsafia captainsafia requested a review from HaoK May 13, 2020 18:22
@captainsafia captainsafia changed the title Upgrade jQuery in samples to version 3.5.1 (#21577) [cherry-pick] Upgrade jQuery in samples to version 3.5.1 (#21577) May 13, 2020
HaoK commented May 13, 2020

jQuery changes look fine, not sure we should see src/submodules/MessagePack-CSharp changes tho?

@captainsafia

> jQuery changes look fine, not sure we should see src/submodules/MessagePack-CSharp changes tho?

🤦 Fixed.

@HaoK HaoK linked an issue May 14, 2020 that may be closed by this pull request
@Pilchie Pilchie added the area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates label May 14, 2020

@ryanbrandenburg ryanbrandenburg left a comment


Looks great. My only suggestion is to manually launch one of these websites (if you haven't already) and confirm that the integrity check passes in a real browser. We've run into problems in the past where integrity checks failed for kind of obtuse reasons even though they "matched".

@captainsafia

I've validated this on one of the auth samples.

@mkArtakMSFT

@captainsafia is this ready for Shiproom already?

@captainsafia captainsafia added the Servicing-consider Shiproom approval is required for the issue label May 15, 2020

ghost commented May 15, 2020

Hello human! Please make sure you've included the Shiproom Template in a comment or (preferably) the PR description. Also, make sure this PR is not marked as a draft and is ready-to-merge.

@mkArtakMSFT mkArtakMSFT added this to the 3.1.x milestone May 20, 2020
@leecow leecow added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels May 21, 2020
@leecow leecow modified the milestones: 3.1.x, 3.1.6 May 21, 2020

wtgodbe commented Jun 10, 2020

@captainsafia the branch is open for 3.1.6, want me to merge this?

@captainsafia

> @captainsafia the branch is open for 3.1.6, want me to merge this?

Yes, please.

@wtgodbe wtgodbe merged commit 55822ca into release/3.1 Jun 10, 2020
@wtgodbe wtgodbe deleted the cherry-query branch June 10, 2020 16:59

Labels

area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates Servicing-approved Shiproom has approved the issue

Development

Successfully merging this pull request may close these issues.

Consider updating jQuery dependency to 3.4.0 or newer