Upgrade JQuery to 3.5.1 through webjars, for easier Maven version bumps #1972

Closed
wants to merge 2 commits into from
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
### Added

### Changed
* [Core] Upgrade the timeline formatter's jQuery dependency from 3.4.1 to 3.5.1. jQuery 3.4.1 has an [XSS vulnerability](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)
that wouldn't normally affect the timeline formatter. However, it did break OWASP dependency-check plugin runs against libraries containing cucumber-core.
([#1971](https://github.com/cucumber/cucumber-jvm/issues/1971), [#1972](https://github.com/cucumber/cucumber-jvm/pull/1972) Tim te Beek)

### Deprecated

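Review bot: the entry explains the jQuery bump but not the packaging change that comes with it: cucumber-core now resolves jQuery at runtime through the org.webjars:jquery artifact plus webjars-locator-core (see the core/pom.xml hunk), so a consumer whose build resolves a different org.webjars:jquery version will get that version in the report regardless of what this entry says. A sentence such as "jQuery is now supplied by the org.webjars:jquery dependency and copied as jquery.min.js" would tell packagers what to check. It would also be worth stating, as the review thread does, that chosen.jquery stays at its June 2018 release because no newer version exists.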
11 changes: 11 additions & 0 deletions core/pom.xml
Expand Up @@ -63,6 +63,17 @@
<artifactId>apiguardian-api</artifactId>
</dependency>

<dependency>
<groupId>org.webjars</groupId>
<artifactId>jquery</artifactId>
<version>3.5.1</version>
</dependency>
<dependency>
<groupId>org.webjars</groupId>
<artifactId>webjars-locator-core</artifactId>
Contributor comment on this dependency:

This might conflict with other applications that use this as a production dependency.

You'll have to shade both.

<version>0.41</version>
</dependency>

<dependency>
<groupId>org.xmlunit</groupId>
<artifactId>xmlunit-core</artifactId>
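Review bot: both new dependencies are declared without a scope, so they become compile-scope transitive dependencies of cucumber-core for every consumer, although webjars-locator-core is only needed at runtime by the timeline formatter. That is the conflict the inline comment above points at: an application that already manages org.webjars:jquery or webjars-locator-core will have Maven's nearest-wins resolution pick one version for the whole tree, and nothing in this file keeps the report on 3.5.1 once that happens. Either shade and relocate both artifacts as the comment suggests, or at least add a check that fails when the jquery webjar resolved at runtime is not 3.5.1, so a silent downgrade back to a vulnerable build becomes visible.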
Expand Up @@ -14,6 +14,7 @@
import io.cucumber.plugin.event.TestCaseStarted;
import io.cucumber.plugin.event.TestRunFinished;
import io.cucumber.plugin.event.TestSourceParsed;
import org.webjars.WebJarAssetLocator;

import java.io.Closeable;
import java.io.File;
Expand All @@ -38,7 +39,6 @@ public final class TimelineFormatter implements ConcurrentEventListener {
"/io/cucumber/core/plugin/timeline/index.html",
"/io/cucumber/core/plugin/timeline/formatter.js",
"/io/cucumber/core/plugin/timeline/report.css",
"/io/cucumber/core/plugin/timeline/jquery-3.4.1.min.js",
mpkorstanje (Contributor), May 12, 2020:

If I'm not mistaken, chosen.jquery (a few lines down) is a jQuery plugin. That probably has to be updated as well.

Reply:

chosen.jquery is indeed a jQuery plugin, but there's no update for it. It's at its latest release (which was a security fix), released in June 2018. Nowadays the project marks itself as deprecated, awaiting decisions on its future direction.

"/io/cucumber/core/plugin/timeline/vis.min.css",
"/io/cucumber/core/plugin/timeline/vis.min.js",
"/io/cucumber/core/plugin/timeline/vis.override.css",
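Review bot: removing jquery-3.4.1.min.js from this list leaves chosen.jquery.min.js, a jQuery plugin according to the thread above, at its June 2018 build while the jQuery it runs on moves from 3.4.1 to 3.5.1. The 3.5.0 release linked from the CHANGELOG fixed the XSS issue by changing how jQuery.htmlPrefilter treats self-closing tags in HTML strings, which is exactly the kind of change an unmaintained plugin can trip over. Before merging, please open a generated timeline report in a browser and confirm the chosen dropdowns still render and filter, and record in the CHANGELOG that the plugin itself is unchanged.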
Expand Down Expand Up @@ -146,6 +146,12 @@ private void copyReportFiles() {
copyFile(textAssetStream, new File(outputDir, fileName));
closeQuietly(textAssetStream);
}
// Add JQuery separately, as it's versioned through webjars
String jqueryFilename = "jquery.min.js";
String queryPath = new WebJarAssetLocator().getFullPath("jquery", jqueryFilename);
InputStream jqueryStream = getClass().getResourceAsStream("/" + queryPath);
copyFile(jqueryStream, new File(outputDir, jqueryFilename));
closeQuietly(jqueryStream);
}

private static void copyFile(final InputStream source, final File dest) throws CucumberException {
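Review bot: `InputStream jqueryStream = getClass().getResourceAsStream("/" + queryPath);` returns null when the resource is not on the classpath (for example after shading without relocating the META-INF/resources/webjars path), and that null then flows into copyFile and closeQuietly instead of producing a clear error; check for null and throw a CucumberException that names the missing resource. Separately, `getFullPath("jquery", jqueryFilename)` resolves whichever org.webjars:jquery is on the classpath, so the 3.5.1 pin exists only in core/pom.xml; if the intent is to guarantee the patched version, check the resolved path (the webjar path contains the version directory) and fail when it is not the expected one. Minor: `queryPath` is inconsistent with `jqueryFilename` and `jqueryStream`; rename it to `jqueryPath`.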
Expand Up @@ -8,7 +8,7 @@
<link href="chosen.min.css" rel="stylesheet" type="text/css"/>
<link href="chosen.override.css" rel="stylesheet" type="text/css"/>
<link href="report.css" rel="stylesheet" type="text/css"/>
<script src="jquery-3.4.1.min.js"></script>
<script src="jquery.min.js"></script>
<script src="chosen.jquery.min.js"></script>
<script src="vis.min.js"></script>
<script src="formatter.js"></script>

This file was deleted.

Expand Up @@ -118,15 +118,18 @@ void shouldWriteAllRequiredFilesToOutputDirectory() throws IOException {

assertThat(REPORT_JS + ": did not exist in output dir", reportJsFile.exists(), is(equalTo(true)));

final List<String> files = Arrays.asList("index.html", "formatter.js", "jquery-3.4.1.min.js", "vis.min.css",
"vis.min.js", "vis.override.css");
final List<String> files = Arrays.asList("index.html", "formatter.js", "vis.min.css", "vis.min.js",
"vis.override.css");
for (final String e : files) {
final File actualFile = new File(reportDir, e);
assertThat(e + ": did not exist in output dir", actualFile.exists(), is(equalTo(true)));
final String actual = readFileContents(actualFile.getAbsolutePath());
final String expected = readFileContents(new File(REPORT_TEMPLATE_RESOURCE_DIR, e).getAbsolutePath());
assertThat(e + " differs", actual, is(equalTo(expected)));
}
// Ensure JQuery file was written
final File actualFile = new File(reportDir, "jquery.min.js");
assertThat("jquery.min.js: did not exist in output dir", actualFile.exists(), is(equalTo(true)));
}

private void runFormatterWithPlugin() {
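Review bot: the new check on `final File actualFile = new File(reportDir, "jquery.min.js");` only asserts that the file exists, while the loop above compares every other asset byte-for-byte with its template. An empty or truncated jquery.min.js, which is what a null or broken stream in copyReportFiles would produce, passes this test. Assert at least that the file is non-empty and that its header line contains the expected "jQuery v3.5.1" banner; that also turns the version pin into something the build verifies rather than something only core/pom.xml states.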