Hi

I think the risk of breaking things is quite significant. At least that is my experience from updating jquery for various applications.

I guess we should then mark it as ignored, with some motivation around that.

// Ola

On Fri, 12 Jun 2020 at 00:00, Brian May <b...@debian.org> wrote:
>
> Brian May <b...@debian.org> writes:
>
> > But... surprise surprise, it looks like buildFragment may be broken:
>
> It looks like this commit might fix that:
>
> https://github.com/jquery/jquery/commit/22ad8723ce07569a9b039c7901f29e86ad14523c
>
> But this is a rather invasive commit. Don't think we should apply it to
> Jessie.
>
> I believe any fix we make to the package in Jessie risks:
>
> * Breaking existing applications.
> * Not fixing the problem entirely.
>
> Plus the version in Jessie is likely to have numerous security issues
> already, not just this one. Looking through some of the git commit logs
> around this time seems to verify this view that there could be serious
> issues in such an old version of JQuery.
>
> I think it is a matter of:
>
> * Leave it. I mean how likely is it that a JavaScript app will conduct
>   load() on an untrusted URL anyway? Particularly with modern browsers
>   with Same-origin policy - I suspect not likely.
>
> * Update Jessie to a newer upstream version. Maybe the one in Stretch.
>   Yes, there is the risk this will break stuff.
>
> I tend to favour the first option. Mark the issue as nodsa or similar.
> --
> Brian May <b...@debian.org>
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------