A check on my website reveals that there is a security vulnerability for jQuery 1.12.4 on my WP site, but WP patched it years ago...
Thanks for filing @max23468! Could you clarify what you mean by "WP patched it years ago"? If they fixed it upstream, that would generally mean a new version number that they need to update to.
They fixed the vulnerabilities, but the old jQuery library is still there for backward compatibility, as WP has run a patched version for years.
Take a look also at:
https://wordpress.org/support/topic/google-lighthouse-sees-jquery-1-12-4-as-vulnerable/
https://core.trac.wordpress.org/ticket/37110#comment:98
Thanks for those links! From my reading of those issues, they've manually patched 1.12.4 for the prototype pollution issue from 3.4.0 but the response to the XSS issue was essentially "that rarely happens in WordPress". Which might be a fine explanation, but it's not a reason for us to give a very outdated and vulnerable library version a free pass here in Lighthouse.
I'm also sympathetic to all of the comments made in https://core.trac.wordpress.org/ticket/37110#comment:98 around the need to prioritize an update to a jQuery version that's supported, so bringing more attention to this issue through Lighthouse seems like a positive for the web still.
Joomla is affected by the same issue. In Joomla 3.x we are shipping a patched jQuery 1.12.4, which we can't upgrade on the 3.x branch because it would be a massive b/c break for both core (which is using Bootstrap 2.x) and 3rd party developers.
We are switching to up-to-date versions of Bootstrap and jQuery in the upcoming major version Joomla 4.x; however, Joomla 3.x will continue to receive updates for another 2 years, meaning that this will stay an issue for us in the foreseeable future. We are getting tremendous amounts of support requests and security reports because of the flagging in Lighthouse, essentially wasting our security team's resources with a solved issue.
So, a big "+1" from the Joomla team for a fix in lighthouse.
Thanks for the input @SniperSister!
So far we've established that Lighthouse won't...
Does Joomla expose a distinct version marker for jQuery that is specific to their patched version? Are both https://snyk.io/vuln/npm:jquery:20150627 and https://snyk.io/vuln/SNYK-JS-JQUERY-174006 patched in Joomla's version in a publicly verifiable source somewhere?
If Joomla has gone above and beyond WP to address this in a way that amounts to a new published version of jQuery with a fix, then we should work with snyk to make sure that's recognized. I gotta say, for all the grief it sounds like WP and Joomla get over this, I'm shocked no one's just worked with the jQuery folks to publish 1.12.5 with their patches already and this would all be over with.
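The thread's underlying problem is that a version string cannot tell a backported 1.12.4 from a stock one. The following is an added example (not code from Lighthouse, WordPress, or Joomla) of a behavioural self-check a site owner can run against the jQuery actually served: it probes whether `jQuery.extend(true, ...)` carries the 3.4.0 guard that stops `__proto__` keys from reaching `Object.prototype`. `makeFakeJQuery` is a constructed stand-in for jQuery's deep extend so the check runs offline; in a browser console you would call `hasDeepExtendProtoFix(window.jQuery)` instead.

```javascript
// Returns true when jq.extend(true, ...) ignores "__proto__" keys (the 3.4.0 fix,
// which WP backported into its 1.12.4), false when the deep merge still writes
// onto Object.prototype. Any pollution the probe causes is cleaned up.
function hasDeepExtendProtoFix(jq) {
  const probe = "__lh_probe_" + Date.now();
  // JSON.parse yields an own property literally named "__proto__".
  const input = JSON.parse('{"__proto__": {"' + probe + '": true}}');
  try {
    jq.extend(true, {}, input);
    return ({})[probe] === undefined; // clean plain objects => guard present
  } finally {
    delete Object.prototype[probe];   // undo the probe either way
  }
}

// Constructed stand-in (hypothetical, not jQuery's source) mimicking the deep
// merge in jQuery.extend; `fixed` toggles the guard added in jQuery 3.4.0.
function makeFakeJQuery(fixed) {
  function deepExtend(target, src) {
    for (const name in src) {
      if (fixed && name === "__proto__") continue; // the 3.4.0 guard
      const copy = src[name];
      if (copy && typeof copy === "object" && !Array.isArray(copy)) {
        const existing = target[name];
        const clone = existing && typeof existing === "object" ? existing : {};
        target[name] = deepExtend(clone, copy);
      } else if (copy !== undefined) {
        target[name] = copy;
      }
    }
    return target;
  }
  return {
    fn: { jquery: "1.12.4" }, // same version string in both cases
    extend: (deep, target, src) => (deep ? deepExtend(target, src) : Object.assign(target, src)),
  };
}
```

Both stand-ins report `jquery: "1.12.4"`, which is exactly why a scanner keyed on the version alone cannot distinguish them.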