I have a pretty old app written in Meteor 2.7.1 with Iron Router and blaze templates.
Works fine, but I’m constantly having problems with security scans performed by companies, because there is an ancient jQuery version forced on me somewhere even though I’m using 3.7.0 installed by NPM.
But security scans don’t care, they see the 1.12.1 version in the bundle and that’s a big problem.
I tried various solutions I found on the internet:
Add firstname.lastname@example.org.! to .meteor/packages, but it results in an error anyway:
But this doesn’t work at all, meteor fails to start because jQuery is undefined everywhere, even though I import it at the first line of main.js. So stuff that happens before my code even starts, wants jQuery too and cannot get it. I thought about re-exporting jQuery from the package.js but there’s no way to use import or require and adding Npm.depends didn’t help.
The best I could do was to include the jquery.min.js file manually (api.mainModule('jquery.min.js','client');) in the local package, which kinda worked.
BUT, any NPM modules that tried to require('jquery') now don’t work and cause unresolved module warnings:
Unable to resolve some modules:
"jquery" in /projects/test/node_modules/select2/dist/js/select2.js (web.browser)
Is there a chance that you can update your Meteor version and get newer Blaze and other packages?
If possible, maybe try updating to flow router (which would be helpful to you in the long run anyway):
Since you have jquery@3 at the top level and the other packages can have both versions it should take the highest option.
It is really important to determine where the old jQuery is coming from. I would look on other packages if they are not importing their own version of jQuery regardless of what the Meteor package. With some old packages it wouldn’t surprise me if there wouldn’t be a package somewhere that gets jQuery independently.
Looking at the package tree, it is iron:location and iron:dynamic-template which depend on email@example.com so basically it’s Iron Router’s fault.
I could move to Flow Router, but this requires a complete re-write from my side as the two aren’t really interchangeable.
I’m pretty sure there isn’t anything special about jquery 1.11.11 that Iron Router wouldn’t work with on jquery 3.7.0.
I have checked these packages, and they don’t mention the jQuery version anywhere:
This bounds the jQuery version to what it was in Meteor 0.9.2 (or at the very least prevents the major version upgrade). So if you copy these packages locally (or find at least a bit up to date alternatives) and increase the Meteor version to 1.8.3 then that should take care of it.
Potential other issues I see with increasing the Meteor version on these packages:
Package.on_use should be Package.onUse
If I recall correctly the ui package has been deprecated, but hopefully this should not impact you here.
Oh, I didn’t think api.versionsFrom imposes any specific version constraints; I thought it just tells meteor what’s the minimum compatible Meteor version for this package.
I have managed to work around this temporarily by overriding the jquery package using a local one and moving select2 from npm to another local package so it’s not causing unresolved module errors anymore. Seems to be working fine.
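Added example, not part of any post in this thread and not Meteor's own tooling: a small Node script for locating where an old jQuery constraint comes from, by reading the resolved version out of .meteor/versions text and flagging package.js files that call api.versionsFrom with a release older than 1.8.3 while using jquery without an explicit version. The package names and file contents below are constructed samples, and the regex scan is a heuristic, not Meteor's constraint solver.

```javascript
// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
const cmp = (a, b) => {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d) return d;
  }
  return 0;
};

// .meteor/versions holds one "name@version" entry per line.
function parseVersions(text) {
  const map = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = line.trim().match(/^([^@\s#]+)@(\S+)$/);
    if (m) map.set(m[1], m[2]);
  }
  return map;
}

// Flag packages that pin an old release and use jquery with no @version of their own.
function findImplicitJqueryPins(packages, minRelease) {
  const hits = [];
  for (const [name, src] of Object.entries(packages)) {
    const rel = src.match(/versionsFrom\(\s*\[?\s*['"](?:METEOR@)?(\d[\d.]*)/);
    const implicit = /['"]jquery['"]/.test(src); // 'jquery@3.0.0' does not match
    if (rel && implicit && cmp(rel[1], minRelease) < 0) hits.push({ name, release: rel[1] });
  }
  return hits;
}

function audit(versionsText, packages, minJqueryMajor = 3, minRelease = '1.8.3') {
  const resolved = parseVersions(versionsText).get('jquery') || null;
  const outdated = resolved !== null && Number(resolved.split('.')[0]) < minJqueryMajor;
  return { resolved, outdated, suspects: findImplicitJqueryPins(packages, minRelease) };
}

// Constructed sample input (hypothetical packages, not the thread's project).
const SAMPLE_VERSIONS = ['blaze@2.6.0', 'example:legacy-router@1.0.0', 'jquery@1.11.11'].join('\n');
const SAMPLE_PACKAGES = {
  'example:legacy-router':
    "Package.on_use(function (api) {\n  api.versionsFrom('METEOR@0.9.2');\n  api.use('jquery');\n});",
  'example:modern':
    "Package.onUse(function (api) {\n  api.versionsFrom('2.7.1');\n  api.use('jquery@3.0.0');\n});",
};

console.log(JSON.stringify(audit(SAMPLE_VERSIONS, SAMPLE_PACKAGES), null, 2));
```

In a real project, the inputs would be the contents of .meteor/versions and the package.js of each locally copied package.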