[meta] project todos, status, issues

[ctcpip]

EOL jQuery security project

updating jQuery

Note

reviewers needed for jQuery code changes, especially where patch was not sourced from future jQuery versions. also assess whether any additional unit tests are needed.

• fix all CVEs in 1.2.6 #2
• fix all CVEs in 1.3.2 #3
  • can't run jQuery QUnit tests yet, but A/B tests pass
• fix all CVEs in 1.4.4 #5
• fix all CVEs in 1.5.2
• fix all CVEs in 1.6.4 #1
• fix all CVEs in 1.7.2
• fix all CVEs in 1.8.3
• fix all CVEs in 1.12.4
• fix all CVEs in 2.2.4

A/B CVE testing

tests against every version are run on every push

A/B CVE test results

Note

reviewers needed for reproduction code, especially where CVEs were not reproducible with certain jQuery versions

reproduction code is here

review status of fixes per CVE

Note

there may be slight variations in fixes and tests across jQuery versions, though we have tried to minimize variation as much as possible

• CVE-2011-4969
• CVE-2012-6708
• CVE-2015-9251
• CVE-2019-11358
• CVE-2020-7656
• CVE-2020-11022
• CVE-2020-11023
• CVE-2020-23064

other goals

• firefox coverage for CI