jQuery
Upstream URL | Security Risk | Abandonment Risk |
---|---|---|
https://jquery.com/ | Low | None |
External contacts
The jQuery team is reachable via their public GitHub issue tracker, email, and IRC. Security reports are taken via private email.
Security posture
jQuery is used in the administrator panel for optional quality-of-life enhancements including multiple collection selection and multiple photo upload. It is also used for the "carousel" functionality of the item gallery for the customer-facing site.
We do not perceive any security risk, since no untrusted input is passed to the library. However, JavaScript is in general a minefield, so we rate the risk Low instead of Very Low.
Abandonment risk
jQuery is run by the OpenJS Foundation, whose members include IBM, Microsoft, Joyent, GoDaddy, and the German government. It powers over half of the Web. It is virtually impossible to even fathom it being abandoned.
Versioning policy
We have vendored jQuery 3.7.1 in Mall on Rails. jQuery only supports a single major version, so when 4.0 is released, 3.x will be unsupported. The jQuery project provides a migration tool for each major version that will allow us to evaluate the upgrade easily. Evaluation of jQuery 4.0 shall take place within one month of the release, including testing our (limited) dependent functionality and ensuring browser compatibility with our target platforms.