usnistgov/nist-header-footer

Update documentation and HTML templates to use jQuery 3.x from CDN

Closed this issue · 3 comments

jquery 1.x is ancient and I've seen it triggering some vulnerability scanners. I tested nist-header-footer with the latest jquery 3.x release and it works fine. (I had to update leaveNotice to work with it, but I did that so it is now happy with 3.x too.)

Anyway I'm of mixed feelings about having a copy of jquery in the repo at all since it will always be out of date and yet people will still be referencing it. I think it might be best to change the documentation to pull the latest 3.x jquery from the CDN by changing the script tag that loads it to this:

<script type="text/javascript" src="https://code.jquery.com/jquery-3.x-git.min.js" defer="defer"></script>

Leave the 1.9 version in the repo so we don't break anything, but don't mention it anymore.

Neither nist-header-footer nor leaveNotice does anything sophisticated, so minor version changes are very unlikely to cause problems.

Then the HTML head template in the repo should be changed to match the documentation.

Sorry, I'm swamped with other stuff so haven't had time to try to put a pull request together, but ran into this today and wanted to get it filed in case you can do it.

To clarify: I tested with jquery 1.x, 2.x and 3.x and all appear to be working after some minor updates to leaveNotice. No changes to header-footer were required. So I think we can say they're all supported, but recommend 3.x.

Thanks for this issue @mdsteveb

I also tested locally using the following script and both the footer and header loaded fine.

<script src="https://code.jquery.com/jquery-3.6.1.min.js" integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ=" crossorigin="anonymous" defer="defer"></script>

On the jquery site, it did recommend using the script above since jquery-3.x-git.min.js was not meant for prod sites. I understand it gets away from covering all 3.x versions and we would probably have to update again in the future if we continue to use jquery.
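The two script tags in this thread differ in one security-relevant way: the versioned tag carries an `integrity` (Subresource Integrity) value, while the floating `jquery-3.x-git.min.js` URL cannot be pinned because its contents change. The following Node.js sketch is an added example, not code from the issue participants or the nist-header-footer project; it checks file bytes against a tag's `integrity` attribute the way a template review script might. The function names, the `cdn.example` URL and the sample bytes are constructed for illustration.

```javascript
const crypto = require("crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };
const algOf = (token) => token.split("-")[0];

// Pull src and integrity out of one <script ...> tag (simple regex, enough for a template check).
function parseScriptTag(tag) {
  const attr = (name) => {
    const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i"));
    return m ? m[1] : null;
  };
  return { src: attr("src"), integrity: attr("integrity") };
}

// Build an SRI token ("sha256-<base64 digest>") for the given bytes.
function sriDigest(bytes, alg = "sha256") {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest("base64")}`;
}

// Browser rule: only hashes of the strongest listed algorithm count; one of them must match.
// No recognised hash at all means the script loads without any integrity check.
function verifyIntegrity(bytes, integrity) {
  const tokens = (integrity || "").trim().split(/\s+/)
    .map((t) => t.split("?")[0])              // drop "?options" suffixes
    .filter((t) => STRENGTH[algOf(t)]);       // ignore unknown algorithms
  if (tokens.length === 0) return "unpinned";
  const best = Math.max(...tokens.map((t) => STRENGTH[algOf(t)]));
  const ok = tokens
    .filter((t) => STRENGTH[algOf(t)] === best)
    .some((t) => t === sriDigest(bytes, algOf(t)));
  return ok ? "match" : "mismatch";
}

// Constructed sample data (not real jQuery): a "released" file and a modified copy of it.
const released = Buffer.from("/* constructed stand-in for a pinned library release */\n");
const modified = Buffer.concat([released, Buffer.from("/* extra bytes */\n")]);
const pinnedTag = `<script src="https://cdn.example/lib-1.0.0.min.js" integrity="${sriDigest(released)}" crossorigin="anonymous" defer="defer"></script>`;
// The floating tag proposed earlier in this issue: no integrity attribute.
const floatingTag = '<script type="text/javascript" src="https://code.jquery.com/jquery-3.x-git.min.js" defer="defer"></script>';

function demo() {
  return {
    pinnedReleased: verifyIntegrity(released, parseScriptTag(pinnedTag).integrity),
    pinnedModified: verifyIntegrity(modified, parseScriptTag(pinnedTag).integrity),
    floating: verifyIntegrity(released, parseScriptTag(floatingTag).integrity),
  };
}
console.log(demo());
```

A `mismatch` result corresponds to the browser refusing to run the script; `unpinned` means whatever the URL serves will run.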

jQuery update made - #55

Thanks again @mdsteveb for the issue