bump jquery to 3.4.1 and update linking #549
Conversation
I've tested this doesn't generate any HTTP errors, except favicon.ico, but I don't think that's provided in the code anyway, and had a glance at my browser's script console and don't think it's caused any extra troubles. There is a possibility of incompatibility between jquery and related js code that sits alongside it, but I would not know how to test for that really.
thanks for the pull request!
i wonder how to review this. because we commit the .min.js file directly, there's basically no way of reviewing this code reliably without recompiling it or comparing with another source, at which point it's basically the same as doing the patch ourselves...
shouldn't we fetch this file as part of the build process or something?
in any case, i'm happy to merge this if someone (else?) makes sure the JS is trustworthy...
Honestly, I really haven't put anything nefarious on top of the distribution version of jquery:
Now, whether or not you trust the vendors of jquery itself not to do anything nefarious, well, that is another matter ;) Fetching it as a part of the build process probably makes a lot more sense, but you'd need a sane workaround for the versioned path and filename situation in your pipeline, while still being able to demonstrate which version of jquery belongs with which version of puppetboard. Shouldn't be too hard though.
well of course you'd say that. :) that's not the point, the point is for us to figure out how we make sure you're telling the truth, or maybe avoid that requirement altogether so that we don't have that awkward conversation again in the future. :p
maybe we could commit checksums in the build system, for example. alternatively what we do in Debian packaging is we check upstream OpenPGP signatures so that we know we at least get what we expect from upstream. now whether we actually trust upstream is a whole other ball game of course, but maybe we can assume enough eyeballs are looking at jquery for that not to matter for this specific project?
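As an added example of the "commit checksums in the build system" idea in the comment above (this is not code from the puppetboard project or from either commenter): a POSIX shell check that compares a vendored file against a pinned SHA-256, so a reviewer can confirm a `.min.js` blob matches the hash recorded in the repository instead of eyeballing minified code. The file layout (`jquery-3.4.1.min.js` next to a `.sha256` file) is assumed, and the hash used in the demo is computed over a constructed stand-in file, not the real jquery 3.4.1 hash. The OpenPGP signature check also mentioned is not shown here.

```shell
#!/bin/sh
# Added example: verify a vendored asset against a checksum committed beside it.
# Assumed layout (hypothetical): puppetboard/static/js/jquery-3.4.1.min.js and
# a sibling jquery-3.4.1.min.js.sha256 holding the hash published upstream.

# Print the SHA-256 of a file; works with coreutils (sha256sum) or BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_vendored FILE EXPECTED_HASH
# Returns 0 when the file's SHA-256 equals EXPECTED_HASH, 1 otherwise
# (missing file or mismatch), printing a diagnostic on failure.
verify_vendored() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        printf 'missing vendored file: %s\n' "$file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Constructed demo: a stand-in for the minified file and a hash pinned at
# review time (in a real tree the pinned value lives in the .sha256 file).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/jquery-3.4.1.min.js"
printf '/*! constructed stand-in for jquery.min.js, not the real library */\n' > "$demo_file"
pinned=$(sha256_of "$demo_file")
verify_vendored "$demo_file" "$pinned" && echo "vendored file verified"

# Any later modification, even a single appended byte, is rejected.
printf '//x\n' >> "$demo_file"
verify_vendored "$demo_file" "$pinned" || echo "tampered file rejected"
rm -rf "$demo_dir"
```

In a build or CI step this would run once per vendored file, with the expected hash read from the committed `.sha256` file; the check proves the blob is the one that was reviewed and pinned, and says nothing about whether upstream itself is trustworthy, which is the separate question raised above.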
#529