Support » Plugin: WordPress Gallery Plugin - NextGEN Gallery » Locks jQuery version

  • For some reason NEXTGEN GALLERY is enforcing the version af jQuery. Making it impossible to upgrade to the newest version of jQuery. This persists existing security risks with jQuery 1.12.4

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support edanzer

    (@edanzer)

    Hey @squazz and others who may read this,

    There’s some truth to this review and we think this is reasonable feedback. But we do want to provide some context.

    First, what we’re doing is enforcing *the version of jQuery that WordPress itself includes.*

    There are good reasons to do this. The entire developer ecosystem around WordPress expects this version, and builds around it. For that reason, in most cases, it is considered poor practice to change the version of jQuery. When you do, you’re likely to break a lot of plugins, and possibly even some core WordPress behaviors. Most cases where we’ve seen this, it has been in the context of poorly coded themes or plugins, which when installed, break the code of other themes/plugins that are all using the WP version.

    That’s not to say there may not be some legitimate use cases, especially for users managing their own environments (as opposed to theme/plugin devs who are forcing changes in the jQuery version everywhere their products are installed).

    We’ll look into providing a work around in our own code for that.

    Second, on security fixes and concerns… As a rule, if there are legitimate security concerns with the version of jQuery that WordPress packages, we would expect WordPress to address that. Otherwise, WordPress itself is keeping 10s of millions of websites in a vulnerable state. And WordPress is fairly security conscious about these things.

    @squazz – on that front, I don’t know which specific security issues you’re concerns about, but assuming they are valid, your critique is also a broader one about WordPress for packaging a version jQuery that’s not secure. If you haven’t, you may consider addressing it with WP folks directly.


    In any case, thanks for taking the time to add your feedback.

    I’m not saying that you as a developer of a plugin, should enforce an upgrade of jQuery for the entire site. Yes, that would be extremely rude 😉 But I don’t see any reason to lock down the version to the version WordPress is shipping. The fact that you as a plugin-developer finds it necessary to enforce / lock down the version of jQuery seems very rude too.

    If you were dependent on something specific from jQuery one, it would be a different story. But I can’t figure of anything you would be dependent on. Between jQuery 1 & 2 there no breaking changes – except that IE 6, 7, 8 is no longer supported. Reference: http://blog.jquery.com/2013/05/24/jquery-1-10-0-and-2-0-1-released/
    jQuery 3 is a different story: https://jquery.com/upgrade-guide/3.0/#jquery-core-3-0-upgrade-guide

    I personally think, that as a developer of one of the most downloaded plugins for WordPress, you guys should aim higher for your code. Ensuring that your jQuery code is jQuery 3.x compatible would be a great mindset, and would then allow you to not lock down the version of jQuery.
    You guys shouldn’t be thinking of workarounds. You should ensure your code is forwards compatible, and then lift the enforcement of the WordPress delivered jQuery.

    Regarding the vulnerabilities, I’m trusting SNYK https://snyk.io/test/npm/jquery/1.12.4. They inform that there are two known vulnerabilities in the jQuery version WordPress is shipping with.
    I know there are reasons for WordPress to keep jQuery at version 1.x as many themes and plugins are written with this version in mind. I still don’t like it, and I try to upgrade my websites to jQuery 3 if possible. But that’s an entirely different discussion.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Locks jQuery version’ is closed to new replies.