
Upgrades jquery-ui to 1.13.0 #139

Merged
merged 2 commits into from Feb 21, 2023

Conversation

nescalera
Contributor

No description provided.

@guillaumebriday

@Borzik That would be awesome if you could take a look at this! 🙏

Thanks for the package!

@jfeust

jfeust commented Mar 21, 2022

@Borzik Is this project dead? It would be great to get a release with 1.13.0 in it! Please!

@guillaumebriday

I hope not, because I need jquery-ui 1.13 to remove jquery-migrate 🤞

@nescalera
Contributor Author

@Borzik Any hope of getting this PR merged?

@guillaumebriday-pa

@joliss Maybe you could take a look too? That would be awesome 🙏

Otherwise, I'll try to reach @Borzik on twitter 🤞

@lws803

lws803 commented Jun 1, 2022

Hey there, out of curiosity, how did you manage to upgrade the files in /jquery-ui-rails/app/assets/javascripts/jquery-ui for version 1.13.0?

@nescalera
Contributor Author

@lws803 - First I pointed the jquery-ui submodule to 1.13.0, then I ran `rake build`, since the JS assets are generated by a rake task (see jquery-ui-rails/Rakefile).

@guillaumebriday-pa

guillaumebriday-pa commented Jun 26, 2022

For those who want to use jquery-ui-1.13.0 as it is in this PR you can update your Gemfile like so:

```ruby
gem 'jquery-ui-rails', github: 'nescalera/jquery-ui-rails', branch: 'jquery-ui-1.13.0'
```

and run `bundle update jquery-ui-rails`

thanks @nescalera

@pdurkim

pdurkim commented Aug 3, 2022

@nescalera Do you know how we can fix the sortable widget?

I'm getting the following when attempting to drag and drop items for sorting:

```
application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:46162 Uncaught TypeError: Cannot read properties of undefined (reading 'vertical')
    at $.<computed>.<computed>._intersectsWithPointer (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:46162:42)
    at $.<computed>.<computed>.<anonymous> (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
    at $.<computed>.<computed>._intersectsWithPointer (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
    at $.<computed>.<computed>._mouseDrag (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:54518:29)
    at $.<computed>.<computed>._mouseDrag (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
    at $.<computed>.<computed>._mouseStart (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:45815:8)
    at $.<computed>.<computed>.<anonymous> (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
    at $.<computed>.<computed>._mouseStart (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
    at $.<computed>.<computed>._mouseMove (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:39463:12)
    at $.<computed>.<computed>.<anonymous> (application-d429a055b29862127b56a465c8f06bd8e3d8d4dabe65b519808185d97af7cfbf.js:32087:25)
```

The throwing code in the sortable widget:

```js
	_intersectsWithPointer: function( item ) {
		var verticalDirection, horizontalDirection,
			isOverElementHeight = ( this.options.axis === "x" ) ||
				this._isOverAxis(
					this.positionAbs.top + this.offset.click.top, item.top, item.height ),
			isOverElementWidth = ( this.options.axis === "y" ) ||
				this._isOverAxis(
					this.positionAbs.left + this.offset.click.left, item.left, item.width ),
			isOverElement = isOverElementHeight && isOverElementWidth;

		if ( !isOverElement ) {
			return false;
		}

		// Error thrown here: this.dragDirection is undefined at this point
		verticalDirection = this.dragDirection.vertical;
```

@hlascelles

Thank you @nescalera!

Very strong bump for this - versions prior to 1.13.0 are vulnerable to XSS: https://nvd.nist.gov/vuln/detail/cve-2021-41184 (found about a year ago).

@Borzik @jaredbeck @alvir This PR is now more than just a nice to have. Please can it be reviewed?

@Gu7z

Gu7z commented Feb 6, 2023

+1 @Borzik can you take a look?

@Gu7z

Gu7z commented Feb 6, 2023

And this needs an update to 1.13.2

Borzik merged commit 413265e into jquery-ui-rails:master Feb 21, 2023
@Borzik
Contributor

Borzik commented Feb 21, 2023

I have merged it, but I don't have release permissions.
https://rubygems.org/gems/jquery-ui-rails
@rosenfeld @joliss could you please release it to RubyGems?

@samsonjs

It's safe to say that @rosenfeld and @joliss either missed this or it fell off their radars. A handful of us would all be very appreciative if one of you has time to please release jquery-ui-rails 7.0.0 to rubygems for a set of XSS fixes that are over 6 months old 🙏

@BenoitDeo

For whoever needs it, a workaround for the time being is:

```ruby
gem 'jquery-ui-rails', github: 'jquery-ui-rails/jquery-ui-rails', tag: 'v7.0.0'
```

@dgm

dgm commented Dec 1, 2023

Unbelievable that this still is not in rubygems.

@guillaumebriday

> Unbelievable that this still is not in rubygems.

They owe you nothing, it's free and open source.

@dgm

dgm commented Dec 1, 2023

Nevertheless, we've come to expect better from top-level gems. This is hardly an obscure project. GitHub Dependabot alerts are advocating `gem "jquery-ui-rails", ">= 7.0.0"` for a security update, which isn't working right now. It's a bad look.
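An added check (not code from the PR or the jquery-ui-rails project) that reads a Gemfile.lock and reports whether jquery-ui-rails resolves to 7.0.0 or later, the version Dependabot asks for above; it covers both a rubygems.org entry and the git-tag workaround from this thread. The sample lockfiles, the 6.0.1 version and the revision hash are constructed.

```ruby
# Added example, not code from the PR or the jquery-ui-rails project: check
# whether a Gemfile.lock resolves jquery-ui-rails to at least 7.0.0, the
# version the thread ties to jquery-ui 1.13.0 (CVE-2021-41184 fixed). Handles
# GEM (rubygems.org) and GIT entries, since the workaround pins a git tag.
require "rubygems"

MIN_PATCHED = Gem::Version.new("7.0.0")

# One hash per jquery-ui-rails spec line: source block, remote, version, verdict.
def jquery_ui_rails_status(lockfile_text)
  results = []
  source = remote = nil
  lockfile_text.each_line do |line|
    case line
    when /\A(GIT|GEM|PATH)\s*\z/ then source, remote = $1, nil
    when /\A[A-Z][A-Z ]*\s*\z/ then source = nil  # DEPENDENCIES, PLATFORMS, ...
    when /\A\s+remote:\s+(\S+)/ then remote = $1
    when /\A    jquery-ui-rails \(([^)]+)\)/      # 4-space indent = spec line
      version = Gem::Version.new($1)
      results << { source: source, remote: remote, version: version.to_s,
                   patched: version >= MIN_PATCHED }
    end
  end
  results
end

# Constructed sample: resolved from rubygems.org at a pre-7.0.0 version.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-ui-rails (6.0.1)
        railties (>= 3.2.16)

  DEPENDENCIES
    jquery-ui-rails
LOCK

# Constructed sample: the thread's workaround, pinned to the v7.0.0 git tag
# (the revision is a placeholder, not a real commit).
GIT_PINNED_LOCK = <<~LOCK
  GIT
    remote: https://github.com/jquery-ui-rails/jquery-ui-rails.git
    revision: 0000000000000000000000000000000000000000
    tag: v7.0.0
    specs:
      jquery-ui-rails (7.0.0)
        railties (>= 3.2.16)
LOCK
```

Run it against a real lockfile with `jquery_ui_rails_status(File.read("Gemfile.lock"))`; an empty result means the gem is not in the lockfile at all.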

@samsonjs

samsonjs commented Dec 5, 2023

> > Unbelievable that this still is not in rubygems.
>
> They owe you nothing, it's free and open source.

Nobody's arguing otherwise but as stewards of a library it would be good of them to either act or authorize someone else to act.
