#9753 [stable-3_3_0] Update jquery, jquery-ui and chart.js to address…

… security vulnerability reports (#10167)

* #9753 [stable-3_3_0] Update jquery version from 3.5.1 to 3.7.1

* #9753 [stable-3_3_0] Update jquery validation from v1.11.1 to v1.19.5

* #9753 [stable-3_3_0] Remove components/jqueryui as a composer dependency

* #9753 [stable-3_3_0] Manually add jquery-ui v1.13.3 to jquery plugins

* #9753 [stable-3_3_0] Move import of jqueryui from vendors to js plugins

* #9753 [stable-3_3_0] Remove jquery-ui local files

* #9753 [stable-3_3_0] Add jquery-ui dependency to composer from npm

* #9753 [stable-3_3_0] Remove jquery-validation local files

* #9753 [stable-3_3_0] Add jquery-validation to composer from npm

* #9753 [stable-3_3_0] Remove jquery, jquery-ui and jquery-validation to composer dependencies

* #9753 [stable-3_3_0] Undo updates to jquery, jquery-ui and jquery-validation paths

* #9753 [stable-3_3_0] Add js/lib/jquery/plugins/validate/ path to gitignore

* #9753 [stable-3_3_0] Add script to copy jquery and jqueryui when running composer install

* #9753 Add composer custom repositories for jquery-ui, jquery-validate

* #9753 Update composer script when copying jqueryui and jquery validation

* #9753 Update FileManager mkdir function to check if folder already exists

* #9753 Update ComposerScript to use FileManager to copy files and dir

* #9753 Undo unintended version bump for plugin-api-version

* #9753 Update returned value when directory already exists before creating a dir

* #9753 Resolve unexpected throw statement on ComposerScript file

* #9753 Update path when requiring tools/bootstrap.inc.php

* #9753 Update ComposerScript to use native functions to copy files

* #9753 Undo check of is_dir on mkdir function in FileManager

* #9753 Update message log if creating dir fails in ComposerScript

.gitignore

@@ -2,4 +2,5 @@ te_ST/
 lib/tinymce/jscripts/tiny_mce/*.gz
 lib/vendor
 lib/components
-.DS_Store
+.DS_Store
+js/lib/jquery/plugins/validate/

classes/dev/ComposerScript.php

@@ -0,0 +1,112 @@
+<?php
+/**
+ * @file classes/dev/ComposerScript.php
+ *
+ * Copyright (c) 2024 Simon Fraser University
+ * Copyright (c) 2024 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @class ComposerScript
+ *
+ * @brief Custom composer scripts to run post installs/updates
+ */
+
+namespace PKP\dev;
+
+use Exception;
+
+class ComposerScript
+{
+	/**
+	 * Recursively copies the contents of a directory from source to destination.
+	 *
+	 * @param string $src The source directory.
+	 * @param string $dst The destination directory.
+	 * @throws Exception If a directory cannot be opened or a file cannot be copied.
+	 */
+	private static function copyDir(string $src, string $dst): void
+	{
+		if (!is_dir($src)) {
+			throw new Exception("Source directory does not exist: $src");
+		}
+
+		$dir = @opendir($src);
+		if (!$dir) {
+			throw new Exception("Failed to open directory: $src");
+		}
+
+		if (!@mkdir($dst, 0755, true) && !is_dir($dst)) {
+			throw new Exception("Failed to create destination directory: $dst");
+		}
+
+		while (false !== ($file = readdir($dir))) {
+			if ($file != '.' && $file != '..') {
+				$srcFile = $src . '/' . $file;
+				$dstFile = $dst . '/' . $file;
+
+				if (is_dir($srcFile)) {
+					self::copyDir($srcFile, $dstFile);
+				} else {
+					if (!@copy($srcFile, $dstFile)) {
+						throw new Exception("Failed to copy file: $srcFile to $dstFile");
+					}
+				}
+			}
+		}
+
+		closedir($dir);
+	}
+
+	/**
+	 * A post-install-cmd custom composer script that
+	 * copies composer installs from repositories
+	 * to the correct/existing directories of the following dependencies:
+	 * jquery-ui and jquery validation
+	 */
+	public static function copyVendorAssets(): void
+	{
+		$vendorBaseDir = __DIR__ . '/../../lib/vendor';
+		$jsPluginsDir = __DIR__ . '/../../js/lib';
+
+		$source = [
+			'jquery-ui.js' => $vendorBaseDir . '/jquery/ui/dist/jquery-ui.js',
+			'jquery-ui.min.js' => $vendorBaseDir . '/jquery/ui/dist/jquery-ui.min.js',
+			'jquery-validate' => $vendorBaseDir . '/jquery/validation/dist'
+		];
+
+		$dest = [
+			'jquery-ui.js' => $vendorBaseDir . '/components/jqueryui/jquery-ui.js',
+			'jquery-ui.min.js' => $vendorBaseDir . '/components/jqueryui/jquery-ui.min.js',
+			'jquery-validate' => $jsPluginsDir . '/jquery/plugins/validate'
+		];
+
+		try {
+			// jQuery UI
+			if (!file_exists($vendorBaseDir . '/components/jqueryui')) {
+				if (!mkdir($vendorBaseDir . '/components/jqueryui', 0755, true)) {
+					throw new Exception("Failed to create directory: {$vendorBaseDir}/components/jqueryui");
+				}
+			}
+
+			if (!copy($source['jquery-ui.js'], $dest['jquery-ui.js'])) {
+				throw new Exception('Failed to copy jquery-ui.js to destination folder');
+			}
+
+			if (!copy($source['jquery-ui.min.js'], $dest['jquery-ui.min.js'])) {
+				throw new Exception('Failed to copy jquery-ui.min.js to destination folder');
+			}
+
+
+			// jQuery Validation
+			if (!file_exists($dest['jquery-validate'])) {
+				if (!mkdir($dest['jquery-validate'], 0755, true)) {
+					throw new Exception("Failed to create directory: {$dest['jquery-validate']}");
+				}
+			}
+
+			self::copyDir($source['jquery-validate'], $dest['jquery-validate']);
+		} catch (Exception $e) {
+			throw $e;
+		}
+	}
+}

composer.json

@@ -1,8 +1,6 @@
 {
 	"require": {
 		"ralouphie/getallheaders": "*",
-		"components/jqueryui": "1.*",
-		"components/jquery": "^3.5",
 		"wikimedia/less.php": "3.*",
 		"phpmailer/phpmailer": "6.*",
 		"smarty/smarty": "^4.3",
@@ -25,7 +23,10 @@
 		"staudenmeir/laravel-upsert": "^1.3",
 		"cweagans/composer-patches": "^1.7",
 		"composer/semver": "*",
-		"php81_bc/strftime": "^0.5.0"
+		"php81_bc/strftime": "^0.5.0",
+		"components/jquery": "3.7.1",
+		"jquery/ui": "1.13.3",
+		"jquery/validation": "1.19.5"
 	},
 	"require-dev": {
 		"phpunit/phpunit": "~9",
@@ -41,10 +42,40 @@
 			"cweagans/composer-patches": true
 		}
 	},
+	"scripts": {
+		"post-install-cmd": [
+			"@copyVendorAssets"
+		],
+		"copyVendorAssets": [
+			"PKP\\dev\\ComposerScript::copyVendorAssets"
+		]
+	},
 	"repositories": [
 		{
 			"type": "vcs",
 			"url": "https://github.com/asmecher/ADOdb"
+		},
+		{
+			"type": "package",
+			"package": {
+				"name": "jquery/ui",
+				"version": "1.13.3",
+				"dist": {
+					"url": "https://registry.npmjs.org/jquery-ui/-/jquery-ui-1.13.3.tgz",
+					"type": "tar"
+				}
+			}
+		},
+		{
+			"type": "package",
+			"package": {
+				"name": "jquery/validation",
+				"version": "1.19.5",
+				"dist": {
+					"url": "https://registry.npmjs.org/jquery-validation/-/jquery-validation-1.19.5.tgz",
+					"type": "tar"
+				}
+			}
 		}
 	],
 	"extra": {
@@ -85,5 +116,10 @@
 				"Apply strftime locale patch": "lib/strftime-locale-patch.diff"
 			}
 		}
+	},
+	"autoload": {
+		"psr-4": {
+			"PKP\\": "classes/"
+		}
 	}
 }