Upgrade to jQuery v3.x - DevExpress Controls

On January 18th, 2018, two moderate security vulnerabilities in jQuery were discovered (CVE-2016-10707, CVE-2015-9251).

These vulnerabilities are specific to jQuery versions older than v3.x, and we consider them to be relatively low in severity because:

  • CVE-2016-10707 - Does not affect jQuery v1.x/2.x or jQuery v3.x. It’s a transient issue that existed in a specific pre-release build.

  • CVE-2015-9251 - While this vulnerability could “expose your site to XSS attacks”, the pre-conditions for it are not common. The app must connect to third-party hosts, and those hosts need to be hacked or misconfigured.

However, if you've not upgraded to jQuery v3.x yet, we encourage you to do so for two main reasons:

  1. jQuery v1.x and v2.x are officially at end-of-life
  2. To patch your website of these recent vulnerabilities

In this post, I'll discuss which DevExpress controls use jQuery, how to update them, and our future plans.

DevExpress Plans

The DevExpress ASP.NET (WebForms, MVC, and Bootstrap) controls use jQuery v1.1.x. (We embed jQuery libraries delivered in our assemblies only if Embedding Third-Party Libraries is enabled).

Prior to v17.2, jQuery was obligatory for DevExtreme projects. Since v17.2, it's optional but still widely used by lots of DevExtreme users.

We plan to update to jQuery v3.x for past minor releases and upcoming major releases. Switching to a different jQuery version could lead to a breaking change, so we are performing several tests before we update to jQuery v3.x.

The DevExtreme MVC controls will be upgraded to use jQuery v3.x in the following releases: v17.1.10, v17.2.6 (coming soon), and the next major release v18.1.

The DevExpress ASP.NET MVC controls' project templates will be upgraded to jQuery v3.x in the upcoming v17.1.10 and v17.2.6 minor releases. Then, in the v18.1 major release, we'll update all ASP.NET controls (WebForms, MVC, and Bootstrap) to use/reference jQuery v3.x.

However, we recognize that many developers use jQuery independently of our controls. If that's you, I recommend upgrading jQuery too (with proper testing).

Upgrade jQuery

The v17.2.6 minor release will be available in a couple of weeks, and I recommend installing it as the easiest way to upgrade to jQuery v3.x.

You can upgrade your website that uses the DevExpress ASP.NET controls, DevExtreme MVC Controls, or DevExtreme client-side controls today because they all support jQuery v3.x.
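Before upgrading, it helps to know which jQuery builds a site actually ships. The script below is an added example, not DevExpress or jQuery project code: it reads the version from a file's banner comment (or from its file name when the banner is missing) and flags anything older than v3.x. The sample paths and file contents are constructed, and treating every 3.x pre-release build as something to replace is a conservative assumption.

```javascript
// Added example: classify bundled jQuery files by version.
// Banner forms: "jQuery v1.11.3 | ..." (minified) and
// "jQuery JavaScript Library v3.3.1" (uncompressed).
const BANNER = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?/;
// Fallback for files whose banner was stripped: jquery-<version>[.slim][.min].js
const FILENAME = /jquery[-.](\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z]+)?(?:\.slim)?(?:\.min)?\.js$/i;

function detectVersion(path, head) {
  const m = BANNER.exec(head) || FILENAME.exec(path);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

function classify(v) {
  if (v === null) return "unknown";      // no jQuery banner or file name found
  if (v.major < 3) return "upgrade";     // v1.x / v2.x: end-of-life, older than v3.x
  if (v.pre) return "pre-release";       // assumption: replace with a final 3.x release
  return "ok";
}

function audit(files) {
  return files.map(({ path, head }) => {
    const v = detectVersion(path, head);
    const version = v ? `${v.major}.${v.minor}.${v.patch}${v.pre}` : null;
    return { path, version, status: classify(v) };
  });
}

// Constructed sample input: each entry is a path plus the first bytes of the file.
const SAMPLE = [
  { path: "Scripts/jquery-1.11.3.min.js",
    head: "/*! jQuery v1.11.3 | (c) jQuery Foundation | jquery.org/license */" },
  { path: "Scripts/jquery.js",
    head: "/*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/\n */" },
  { path: "lib/jquery-3.0.0-rc1.js", head: "(function(){" },
  { path: "Scripts/site.js", head: "document.title = 'x';" },
];

for (const r of audit(SAMPLE)) {
  console.log(`${r.status.padEnd(11)} ${r.version || "-"}  ${r.path}`);
}
```

In a real project, feed `audit` the path and first few hundred bytes of every `.js` file under the web root, including copies pulled in by package managers and bundles.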

The jQuery team has provided an excellent upgrade guide:

https://jquery.com/upgrade-guide/3.0/

Because there have been major changes in jQuery from v1.9/2.0 to 3.x, they've created a helpful jQuery Migrate Plugin:

For my own sites and blogs, I’ve used jQuery Migrate to identify problem areas (and they were few and far between, generally to do with methods that had been deprecated). jQuery Migrate does two things: it logs problems to the console (so you can see what needs changing), and it also adds back the deprecated stuff. In other words, the JS on one’s site still works and you get an indication of what to change in order to upgrade. - Julian Bucknall, DevExpress CTO

Note: For the client-side DevExtreme controls, you can also upgrade to jQuery v3.x, or you can change the underlying client-side framework. However, this is a costly change and one that you're not likely to make unless you're starting a new project, in which case consider using Angular or React (which do not rely on jQuery).

If you run into any issues, please contact our support team and they can help you.

Thanks!


Email: mharry@devexpress.com

Twitter: @mehulharry
