pkp/pkp-lib#9753 [stable-3_3_0] Update jquery, jquery-ui and chart.js to address security vulnerability reports

[blesildaramirez]

For v3.3.0, we need to:

• Upgrade jQuery from v3.5.1 to v.3.7.1
• Upgrade jQuery validation from v1.11.1 to v1.19.5
• Upgrade jQuery UI from v1.12.1 to v1.13.3
• Update submodule
  • OJS: ojs:stable-3_3_0 PR
  • OMP: omp:stable-3_3_0 PR
  • OPS: ops:stable-3_3_0 PR

Notes:

1. My investigation indicates that there are no breaking changes in the upgrades for jQuery, jQuery UI, and jQuery Validation.
2. In Composer, we updated the version of components/jquery and removed components/jqueryui since the newer version is not available through Composer. We then added jquery-ui and jquery-validate as custom repositories in Composer, sourcing them from npm registry tar files.
3. We copied these Composer repository installs to the existing paths for the mentioned dependencies, so changing the paths when adding these scripts in the frontend is NOT necessary for pkp:v3.3.0
4. Usage statistics that use Chart JS is not yet implemented in v3.3, so there's no need to do a version upgrade of this on the frontend.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[jonasraoni]

I think you might use existing code to copy the directory, it will also have better permission defaults:

import('lib.pkp.classes.file.FileManager');
$fileManager = new FileManager();
$fileManager->copyDir($source, $destiny);

[blesildaramirez]

Hi @jonasraoni , thanks for checking this. I tried to implement your suggestion, but I'm running to lots of issues with importing the FileManager. When I run the composer install, I'm getting lots of "not found" errors so I did something like this when testing the use of FileManager:

                require_once './includes/bootstrap.inc.php';
		require_once './tools/core/Core.inc.php';
		require_once './classes/core/Core.inc.php';
		require_once './classes/config/Config.inc.php';
		require_once './classes/file/FileManager.inc.php';
		$fileManager = new \FileManager();

Finally, I run to an issue where the constant "INDEX_FILE_LOCATION" is undefined. As I check, this is defined on the app level of OJS/OMP/OPS.

I noticed a comment from this file ComposerScript.php from the main branch, that we did not use "Core::getBaseDir()" because the script is being called directly by composer and that "INDEX_FILE_LOCATION" is expected to be undefined. Would you be able to provide further guidance on this? Thanks!

[jonasraoni]

This should probably work:

require_once './tools/bootstrap.inc.php';

import('lib.pkp.classes.file.FileManager');
$fileManager = new FileManager();
$fileManager->copyDir('source', 'destiny');

[blesildaramirez]

This worked, thank you! I updated the script to use FileManager, please check. Thanks!

[blesildaramirez]

Btw, I needed to update the FileManager file for 3.3 - specifically on the mkdir function:

I added this because when I re-run the composer install (with already copied files), I get an error from php saying:

Weirdly, I don't get this error on 3.4 so I didn't change the FileManager file for 3.4.

[jonasraoni]

To not cause side-effects, the return true; should be probably modified to return false;.
Or modified to return $this->setMode($dirPath, DIRECTORY_MODE_MASK); to honor the expectations of the caller.

[asmecher]

I actually think it would be better not to use FileManager, since this is code that's run upon Composer dependency installation, long before there's a config.inc.php configuration file. FileManager expects the OJS bootstrapping process to be present, and it won't be.

[blesildaramirez]

Thanks both, I updated the script to not use FileManager.

[jonasraoni]

I think it's better to let the code fail, it's important that the user get this working properly and a simple warning might be ignored.

[jonasraoni]

Can be removed if you use the FileManager.

[jonasraoni]

Can be removed if you use the FileManager.

[jonasraoni]

Not sure if this might cause compatibility issues, it sounds safer to leave the old value.

[jonasraoni]

There's a FileManager::copyFile() too, which will also setup permissions.

[jonasraoni]

Just tagging @asmecher to confirm if it's ok this breaking change, regarding the required permissions (https://docs.pkp.sfu.ca/admin-guide/en/troubleshooting#configuring-file-permissions).

[asmecher]

This script is run by Composer during dependency installation, not when OJS is installed and in production. For the most part, it'll be run from the package build script when I build a release, and for folks that host OJS from git it'll be run early in the installation process from the same terminal that's used to e.g. clone the code into place. I don't think the production file permission document is relevant. (This is also why I recommended not using FileManager -- it's intended for execution in the bootstrapped PKP environment, not elsewhere.)