Update Plone jQuery version

Speed and performance should be a top priority, it is one factor that Google takes into consideration to make your website score higher in the search results. It is great that Plone offers so many tools out of the box to improve speed, bundle resources, defer javascripts, caching system etc. It is very impressive.

Currently I'm working on bringing a default Plone installation to score 100/100 in all Google metrics. I intent to write and share a small article with instructions that everybody can use to get there.

While using Google's tools, PageSpeed and web.dev, to improve speed I've come across a problem with the jQuery version being used in the latest Plone 5.2 with Python 3.

This is the problem reported by Lighthouse when using https://web.dev/measure/:

Includes front-end JavaScript libraries with known security vulnerabilities

The current jQuery version used in Plone 5.2 is 1.12.4. This versions is reported to have two vulnerabilities: https://snyk.io/vuln/npm:jquery?lh=1.12.4&utm_source=lighthouse&utm_medium=ref&utm_campaign=audit

How can it be fixed?
jQuery for Plone seems to live in the product https://github.com/plone/plone.staticresources. However, without your help I do not have enough knowledge to understand the consequences of updating this version.

Is it possible to update the jQuery version and solve the vulnerabilities?


Unfortunately I cannot help you with your question, but I am interessted in that topic. We have also worked on finding ways to improve the score of a default installation.

Perhaps we could get in contact and exchange information about the current status.

I also looked into upgrading jQuery about 2 years ago.
My conclusion: This is quiet an effort.

  1. Inside Plone it is just work: Update jQuery, look what breaks, fix it, go on.
  2. For a whole bunch of add-on packages this will break things. This is not acceptable inside a stable version.

So, I would go with an update of jQuery for Plone 6.0 and keep 5.2 as is.

For those using 5.2 with need of newer jQuery a backport version of plone.staticresources or alike may be provided.

I do not think this needs a PLIP, because I would consider it as a bugfix, even if one with some impact. What does the framework team think about it?

Regarding the "how to work with plone.staticresources": @thet may you give some pointers?

I have upgraded Patternslib for Quaive to jQuery 3.latest, so it can be done. The jQuery changes are the easy part. The hard part is the whole packaging mess. Also, Patternslib has pretty good test coverage so I was able to rely heavily on that. I'm not sure what the state of JS tests is in Plone.

For upgrading plone.staticresources see the README.rst in that package:

If there is anything unclear ask me. Would be good to have some feedback regarding this docs anyways.
@fredvd do you remember our discussion @ alpine city sprint 20 about the state of docs of the Plone's JS workflow? Do you have some notes of that?

1 Like