update bundled jQuery to 3.x
Created by: mmitch
I've just found the Google Lighthouse plugin for Firefox and ran it against my blog, which is already updated to Serendipity 2.3.4. The Lighthouse report mentions 2 medium security issues in the jQuery 1.12.4 that is bundled with Serendipity 2.3.4: the two red lines at https://snyk.io/vuln/npm:jquery?lh=1.12.4
As far as I can tell:
- jQuery 1.12.4 is the newest version of the 1.x branch
- both jQuery 1.x and 2.x don't receive any patches any more
- there is a jQuery migration tool from version 1.12.x to 3.0
I don't know much about JavaScript or jQuery – is an update or version switch relatively painless or would this mandate a rewrite of half of Serendipity's frontend?
(According to the contribution guidelines, I have contacted Garvin by email to check whether this is security relevant – his quick triage/response was: 1. the bugs in jQuery are more on the cosmetic side 2. updating jQuery might break plugins 3. I should go on to post this issue here on GitHub: [x] done :-)