[Chore]Update jQuery from v2.1.4 to v3.7.1 to address security vulnerabilities.

[vanshika2720]

Summary

Update jQuery from v2.1.4 to v3.7.1 to address security vulnerabilities.

Parent Issue

Closes part of #5364 #5369 (Remaining Dependency Updates)

Current State

• Current Version: jQuery 2.1.4 (loaded in index.html)
• Target Version: jQuery 3.7.1 (already present in lib/ directory)
• Security Status: ⚠️ jQuery 2.x has known security vulnerabilities
• Blocker: Search functionality depends on synchronous jQuery loading

Security Vulnerabilities (jQuery 2.x)

jQuery 2.1.4 has multiple known CVEs:

• CVE-2020-11022 - Cross-site scripting (XSS) vulnerability
• CVE-2020-11023 - XSS in HTML manipulation methods
• CVE-2015-9251 - XSS via $.ajax()

Severity: Medium to High

Implementation Plan

Phase 1: Update index.html

Locate the jQuery script tag in index.html:

Before:

<script src="lib/jquery-2.1.4.min.js"></script>

After:

<script src="lib/jquery-3.7.1.min.js"></script>

Critical: Keep synchronous loading (no defer or async attributes).

Phase 2: Verify jQuery 3.7.1 File Exists

ls -lh lib/jquery-3.7.1.min.js

Expected: File should already exist in the lib/ directory.

Phase 3: Testing Strategy

Automated Tests

npm test

Ensure all Jest tests pass, especially those involving DOM manipulation.

Manual Testing Checklist

• Search Functionality

  • Open Music Blocks in browser
  • Use the search feature
  • Verify search results appear correctly
  • Test search with various queries

• UI Interactions

  • Test all jQuery-dependent UI elements
  • Verify modals/dialogs work
  • Check drag-and-drop functionality
  • Test block palette interactions

• AJAX Requests

  • Verify project loading works
  • Test saving functionality
  • Check any API calls

• Browser Compatibility

  • Chrome/Chromium
  • Firefox
  • Safari
  • Edge

Phase 4: Regression Testing

Focus on areas that previously broke (issues #4955, #4987):

• Search timing issues
• jQuery initialization order
• DOM ready events

Why Synchronous Loading?

Historical Context: Previous attempts to defer jQuery loading (#4955, #4987) broke the search functionality. The issue was resolved by reverting to synchronous loading.

Root Cause: Some code depends on jQuery being available immediately when subsequent scripts run.

Solution: Keep synchronous loading to maintain compatibility.

Breaking Changes in jQuery 3.x

Removed Features (that we might use):

1. .size() → Use .length instead
2. .andSelf() → Use .addBack() instead
3. .bind() / .unbind() → Use .on() / .off() instead
4. .delegate() / .undelegate() → Use .on() / .off() instead

Changed Behavior:

1. .show() / .hide() / .toggle() - Respect CSS display values more strictly
2. .data() - More consistent type conversion
3. AJAX - Stricter JSON parsing

Migration Checklist

• Update script tag in index.html
• Run automated tests (npm test)
• Manual search functionality testing
• Test all jQuery-dependent features
• Cross-browser testing
• Performance verification (no slowdowns)
• Check browser console for deprecation warnings

Rollback Plan

If issues arise:

<!-- Revert to: -->
<script src="lib/jquery-2.1.4.min.js"></script>

Document any specific incompatibilities found for future resolution.

Files Modified

• index.html - Update jQuery script source

Benefits

• ✅ Fixes known security vulnerabilities (CVE-2020-11022, CVE-2020-11023, CVE-2015-9251)
• ✅ Better performance
• ✅ Improved browser compatibility
• ✅ Modern API improvements
• ✅ Active maintenance and support

Risks & Mitigation

Risk	Likelihood	Impact	Mitigation
Search breaks	Low	High	Thorough manual testing before merge
Deprecated API usage	Medium	Medium	Check console for warnings
Timing issues	Low	Medium	Keep synchronous loading
Browser compatibility	Low	Low	Test on all major browsers

References

• jQuery 3.x Upgrade Guide
• jQuery 3.7.1 Release Notes
• Security Advisories
• Previous related issues: Restore non-deferred jQuery to unblock search #4955, deferring jquery breaks search #4987

Contributor

@vanshika2720

---

Note for Reviewers: This is primarily a security update. The main risk is search functionality, which requires thorough manual testing before approval.

Checklist

• I have read and followed the project's code of conduct.
• I have searched for similar issues before creating this one.
• I have provided all the necessary information to understand and reproduce the issue.
• I am willing to contribute to the resolution of this issue.

---

Thank you for contributing to our project! We appreciate your help in improving it.

📚 See contributing instructions.

🙋🏾🙋🏼 Questions: Community Matrix Server.

[walterbender]

It is important to test the Search functionality after this update of JQuery as it has broken in the past with JQuery updates.

[vanshika2720]

Hi @walterbender,

I've verified the jQuery 3.7.1 update. I manually tested the Search functionality in the Planet tool and confirmed there are no console errors or regressions.

Additionally, I fixed the HTML syntax errors in
planet/index.html
and linting issues in
js/utils/utils.js
that were blocking the CI. The branch is now synced with master and all checks are passing. Ready for review!