[GitHub Pages] Updating jQuery Version to Something Newer

Hello, this is somewhat off-topic, but I wanted to post anyway since it could be something that applies to a Jekyll website …

Basically, on the repo where my Jekyll website lives (on the main branch), there is another branch with an older (HTML) version of this site. And lately when I push changes up to the main repo, Git informs me of a security vulnerability. When I view the link within GitHub, it shows the following:

jQuery vulnerable to Cross-Site Scripting (XSS) #1

Dependabot couldn't find a package.json.

Dependabot requires a package.json to evaluate your JavaScript dependencies. It had expected to find one at the path: /misc/package.json.

Package - jquery (npm)

Affected versions - < 1.6.3

Patched version - 1.6.3

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Even though this is complaining about the non-Jekyll branch, I am using the same jQuery version for a background image rotator on the Jekyll site too. So GitHub will complain about that as well, if not now, definitely at some point in future…

From what I gather, the fix is to update the jQuery version from the current (1.4.*) to something newer than 1.6.

However, I’ve not done this before and am not sure if this is a simple operation or if it could be difficult or prone to unforeseen problems …

If anyone has come across this before and/or has some advice to pass along, I’ll be interested to hear it!

Thanks,
Jim

1 Like
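The advisory quoted in the post above concerns handing `location.hash` straight to the selector engine (the `$(location.hash)` pattern). As an added example that is not from this thread, a hardened version of that pattern: the fragment is checked against a conservative id allow-list and then looked up by id, so nothing from the URL is ever interpreted as a selector or as markup (the allowed id shape is an assumption chosen to match Jekyll-style anchor links).

```javascript
// Added example, not code from the thread. Hardens the "select an element
// from location.hash" pattern described in the jQuery < 1.6.3 advisory.
//
// Weak pattern (do not use): the raw fragment becomes a selector string.
//   $(location.hash).show();
//
// Hardened pattern: validate the fragment as a plain "#id", then look the
// element up by id instead of building a selector from untrusted input.

// Allow-list for "#id" fragments: a letter followed by letters, digits, "_" or "-".
// Assumption: this is enough for anchors generated by Jekyll and similar tools;
// widen it only if your own ids need more characters.
const ID_FRAGMENT = /^#([A-Za-z][A-Za-z0-9_-]*)$/;

// Returns the bare id from a fragment such as "#about", or null when the
// fragment is empty, malformed, or contains anything beyond a plain id.
function fragmentToId(hash) {
  if (typeof hash !== 'string') return null;
  const match = ID_FRAGMENT.exec(hash);
  return match ? match[1] : null;
}

// Resolves the fragment to an element on a document-like object using
// getElementById only. No selector string is ever built from the fragment,
// so the URL cannot influence how the lookup is parsed. Returns null when
// the fragment is rejected or no element has that id.
function elementForFragment(hash, doc) {
  const id = fragmentToId(hash);
  if (id === null) return null;
  return doc.getElementById(id) || null;
}

// Browser usage (plain DOM, no jQuery required):
//   const target = elementForFragment(window.location.hash, document);
//   if (target) target.scrollIntoView();
```

The same id check applies whatever jQuery version is installed: upgrading past 1.6.3 closes the specific bug, but untrusted strings still should not be passed to `$()` as selectors.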

I think it should be simple - do you know where you are importing jquery? It is probably just a link in the head section and you probably can just find the newer version url and swap it out. If it doesn’t work, undo it.

While I don’t have a lot of jquery experience my guess is there would not be anything that breaks - newer versions would just have new features and fixes but it should work the same. And if you have 1.4 and just need to go to 1.6.3 or the last one in the 1.x family that should not be a big deal. Going to 2.x or 3.x might be more of an issue.

That said, you can normally do things in normal JS that jquery was needed for in the past, though I’m sure there are zillions of cool things that still rely on jquery.

1 Like

Thanks for the reply, rdyar. It was simple, as you surmised, and just involved bumping the jQuery version to the latest (1.12.4).

A little testing has confirmed that nothing broke with this update, and so it appears everything is in good shape!

Thanks again,
Jim