Hello,
I think jquery versions should be patched following this release: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Patches seem quite straightforward to apply: https://github.com/DanielRuf/snyk-js-jquery-174006
Comment | File | Size | Author |
---|---|---|---|
#6 | Screen Shot 2019-07-29 at 11.39.51 PM.png | 174.71 KB | coffeedevgirl |
#6 | Screen Shot 2019-07-29 at 11.39.59 PM.png | 189.94 KB | coffeedevgirl |
#3 | image.png | 42.75 KB | Nixou |
Comments
Comment #2
Ludo.R
I guess if you're using Drupal core 7.66+, it's not needed.
Comment #3
Nixou at Actency commented:
I think the patch is needed even if you are on 7.66 because the jquery file used will not be the one of the core (which is fixed).
All jquery files included in this module are not patched so they will remain vulnerable.
See also attached screenshot.
Comment #4
Ludo.R
@Nixou,
That's what I thought initially, but using Drupal 7.66 will fix the vulnerability.
There's a new file that will override jquery's extend() function.
See: https://git.drupalcode.org/project/drupal/commit/39e2971
The patch is still needed for people that are not upgrading to 7.66
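Whether a given page is covered, the question raised in comments #3 and #4, can be checked by testing the loaded `extend()` directly. The following is an added example, not code from this thread, Drupal core or jQuery: `makeExtend`, `pollutesPrototype` and `vulnerableCopies` are hypothetical names, and the two stand-in functions only mimic a deep merge without and with the `__proto__` skip described in the jQuery 3.4.0 release notes linked above.

```javascript
// Stand-in deep merge (constructed for this example, not jQuery's source).
// skipProto = false mimics an unfiltered merge, true mimics the 3.4.0 fix.
function makeExtend(skipProto) {
  return function extend(deep, target, source) {
    for (const key in source) {
      if (skipProto && key === "__proto__") continue; // the patched behaviour
      const value = source[key];
      if (deep && value && typeof value === "object") {
        // Without the skip, target["__proto__"] resolves to Object.prototype
        // and the recursion writes the source's keys onto it.
        const base = target[key] && typeof target[key] === "object" ? target[key] : {};
        target[key] = extend(deep, base, value);
      } else if (value !== undefined) {
        target[key] = value;
      }
    }
    return target;
  };
}

// Returns true if extendFn(true, {}, obj) lets an own "__proto__" key in obj
// reach Object.prototype. The marker is always removed again afterwards.
function pollutesPrototype(extendFn) {
  const marker = "__extend_check_" + Date.now();
  // JSON.parse creates "__proto__" as an own enumerable property.
  const payload = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extendFn(true, {}, payload);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

// Given { label: extendFunction }, return the labels that fail the check.
function vulnerableCopies(copies) {
  return Object.keys(copies).filter((name) => pollutesPrototype(copies[name]));
}

// Constructed sample: one unfiltered and one filtered implementation.
const sample = {
  "unpatched stand-in": makeExtend(false),
  "patched stand-in": makeExtend(true),
};
console.log(vulnerableCopies(sample)); // [ 'unpatched stand-in' ]
```

In a browser console on the site, pass the page's own function instead, `pollutesPrototype(jQuery.extend)`, and repeat on pages that load a different jQuery version.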
Comment #5
solideogloria commented:
That was literally the only fix in 7.66, so even if they don't upgrade to 7.66, they can cherry-pick the fix into their codebase.
Comment #6
coffeedevgirl commented:
Hello, I have an issue related to jQuery 3.4.0. I did the update to Drupal core 7.67 and now I have issues with all the js files, with issues like:
Uncaught TypeError: $ is not a function
Uncaught TypeError: $form.once is not a function
My question is basically whether I need to apply this patch even if I did the update to 7.67. I tried different changes in the code without success until now, and specifically, I have so many issues with the module Views Conditional 7.x-1.3 at the moment when trying to open the pop-ups. Any help?
Comment #7
solideogloria commented:
Is all of your JS wrapped in functions like this:
(function ($) { ... })(jQuery);
Comment #8
coffeedevgirl commented:
Yes, actually all my scripts are wrapped; the issue started after including the jquery-3-4-0-released :(
Comment #9
mcdruid
See #3312045: Plan for jQuery Update 7.x-4.0 release.