How to get rid of this effing ancient jQuery version in the bundle

I have a pretty old app written in Meteor 2.7.1 with Iron Router and blaze templates.

Works fine, but I’m constantly having problems with security scans performed by companies, because there is an ancient jQuery version forced on me somewhere even though I’m using 3.7.0 installed by NPM.
But security scans don’t care, they see the 1.12.1 version in the bundle and that’s a big problem.

I tried various solutions I found on the internet:

  1. Add jquery@3.0.0.! to .meteor/packages, but it results in an error anyway:
   While selecting package versions:
   error: Potentially incompatible change required to top-level dependency: jquery 3.0.0, was 1.11.11.
   Constraints on package "jquery":
   * jquery@3.0.0 <- top level
   * jquery@1.11.9 || 3.0.0 <- blaze 2.5.0 <- blaze-html-templates 1.2.1
   * jquery@1.11.9 || 3.0.0 <- iron:dynamic-template 1.1.0 <- iron:controller 1.1.0 <- iron:router 1.2.0
   * jquery@1.11.9 || 3.0.0 <- iron:location 1.1.0 <- iron:router 1.2.0
  2. Some guy suggested creating a local jquery package which just defines the package and nothing more, so only npm version lands in the bundle:
   Package.describe({name:'jquery', version:'1.11.11'});

But this doesn’t work at all, meteor fails to start because jQuery is undefined everywhere, even though I import it at the first line of main.js. So stuff that happens before my code even starts, wants jQuery too and cannot get it. I thought about re-exporting jQuery from the package.js but there’s no way to use import or require and adding Npm.depends didn’t help.
The best I could do was to include the jquery.min.js file manually (api.mainModule('jquery.min.js','client');) in the local package, which kinda worked.
BUT, any NPM modules that tried to require('jquery') now don’t work and cause unresolved module warnings:

Unable to resolve some modules:

  "jquery" in /projects/test/node_modules/select2/dist/js/select2.js (web.browser)

Please help me with this madness

Is there a chance that you can update your Meteor version and get newer Blaze and other packages?

If possible, maybe try updating to flow router (which would be helpful to you in the long run anyway):

Since you have jquery@3 at the top level and the other packages can have both versions, it should take the highest option.

It is really important to determine where the old jQuery is coming from. I would look on other packages if they are not importing their own version of jQuery regardless of what the Meteor package. With some old packages it wouldn’t surprise me if there wouldn’t be a package somewhere that gets jQuery independently.

AFAIK the legacy build issue is still a thing: Legacy build stopped working in IE 11 after 2.8.0 update · Issue #12301 · meteor/meteor · GitHub and binds me to <2.8 because I need at least partial compatibility with old browsers.

Looking at the package tree, it is iron:location and iron:dynamic-template which depend on jquery@1.11.1 so basically it’s Iron Router’s fault.
I could move to Flow Router, but this requires a complete re-write from my side as the two aren’t really interchangeable.
I’m pretty sure there isn’t anything special about jquery 1.11.11 that Iron Router wouldn’t work with on jquery 3.7.0.
I have checked these packages, and they don’t mention the jQuery version anywhere:

They only do api.use('jquery'); so where does this 1.11.11 constraint come from?
Looking here: Update dependencies and publish · meteor/blaze@d907a3c · GitHub

It is blaze 2.5 which forces this ugly ass ancient rome jQuery version. jQuery isn’t even listed as blaze’s dependency in meteor list --tree though…

The key for you in these packages is this line:

api.versionsFrom('METEOR@0.9.2');

This binds the jQuery version to what it was in Meteor 0.9.2 (or at the very least prevents the major version upgrade). So if you copy these packages locally (or find at least a bit up to date alternatives) and increase the Meteor version to 1.8.3 then that should take care of it.

Potential other issues I see with increasing the Meteor version on these packages:

  • Package.on_use should be Package.onUse
  • If I recall correctly the ui package has been deprecated, but hopefully this should not impact you here.

Oh, I didn’t think api.versionsFrom imposes any specific version constraints. I thought it just tells meteor what’s the minimum compatible Meteor version for this package.

I have managed to work around this temporarily by overriding the jquery package using local one and moving select2 from npm to another local package so it’s not causing unresolved module errors anymore. Seems to be working fine.
