jQuery 1.x is End of Life and does not receive patches

[tonygermano]

Recently #4300 upgraded jQuery to version 1.12.4 in Connect version 3.9, however, the 1.x branch of jQuery has already been EoL for about 3 years according to jquery/jquery.com#162

[MichaelLeeHobbs]

This is showing up on vul scans now. Recommend JQuery 3.5 per https://snyk.io/test/npm/jquery/1.12.4

[jonbartels]

A search for "min.js" to find references to the jqeuery.min.js files is: https://github.com/nextgenhealthcare/connect/search?q=%22.min.js%22&unscoped_q=%22.min.js%22

It shows references at

• the Swagger UI (so either have to ensure swagger works with Jquery 3.5 or update swagger)
• the MirthTagBrowser which IIRC is used for the fuzzy matching and selection of tags in list pages in the MR UI

I would expect JQuery to be generally backward compatible but those two use cases would have to be evaluated to make sure it still works. Since its UI/UX related I don't see a good way to automate the testing either.

[jonbartels]

The user "naql" in Slack applied the manual workaround. He reported on 2020-07-29 in a thread in #general that:

I first tried swapping out with 1.12.4, but the scan didn't like that either. I put in the most recent 3.5.1 and it seemed to work. Follow the instructions on the ticket: delete the webadmin war, replace the jquery-1.x-min.js file with the 3.5 one in the public_html and the public_api_html . I didn't bother with the other jquery files in the latter. Just left them alone. Edit references in both index pages, reboot mirth. Passed the scan, I can still log into it with mirth admin, button to launch admin console from web page still works, swagger page displays, but I did not test it very thoroughly. Should not affect use of the api.

[baileyglen]

I am running into this issue as well. Has any progress been made on upgrading the version?

[cturczynskyj]

Thank you for reporting this. We've added an issue to our backlog to look into updating jQuery (again).