The upstream package has been unmaintained for years, with dependencies
with long-reported security issues. Switching to a fork allows us to resolve
all the security reports against the jQuery development environment.
The fork is maintained by @mgol and has the following changes:
1. The `underscore` dependency has been removed.
2. `sinon` has been updated from v1 to v19.
3. `mocha` has been updated from v2 to v10.
Changes to the source are minimal; it will be easy to rebase the fixes
if the upstream package is ever updated.
In addition to the above, the `q` dependency has been removed.
It's been added in gh-1996 but never really used.
Closes gh-5559
While Edge in IE mode is not guaranteed to match IE 11 in every aspect,
in practice it generally does. Testing in this mode in GitHub Actions
will allow us to catch most IE-breaking issues at the PR level.
This change also adds missing npm scripts: `test:chrome`, `test:edge`
& `test:ie`.
Closes gh-5540
- the date is actually the date of the commit *prior*
to the tag commit, as the files are built and then committed.
- also, the CDN should still be checked for non-stable releases,
and should use different filenames (including in the map files).
- certain files should be skipped when checking the CDN.
- removed file diffing because it ended up being far too noisy,
making it difficult to find the info I needed.
- because the build script required an addition, release
verification will not work until the next release.
- print all files in failure case and whether each matched
- avoid npm script log in GH release notes changelog
- exclude changelog.md from release:clean command
- separate the post-release script from release-it for now, so we
can keep manual verification before each push. The exact command is
printed at the end for convenience.
Closes gh-5521
*Authors*
- Checking and updating authors has been migrated
to a custom script in the repo
*Changelog*
- changelogplease is no longer maintained
- generate changelog in markdown for GitHub releases
- generate changelog in HTML for blog posts
- generate contributors list in HTML for blog posts
*dist*
- clone dist repo, copy files, and commit/push
- commit tag with dist files on main branch;
remove dist files from main branch after release
*cdn*
- clone cdn repo, copy files, and commit/push
- create versioned and unversioned copies in cdn/
- generate md5 sums and archives for Google and MSFT
*build*
- implement reproducible builds and verify release builds
* uses the last modified date for the latest commit
* See https://reproducible-builds.org/
- the verify workflow also ensures all files were
properly published to the CDN and npm
*docs*
- the new release workflow is documented at build/release/README.md
*misc*
- now that we don't need the jquery-release script and
now that we no longer need to build on Node 10, we can
use ESM in all files in the build folder
- move dist wrappers to "wrappers" folders for easy removal
of all built files
- limit certain workflows to the main repo (not forks)
- version in package.json has been set to beta.1 so that
the next release will be beta.2
- release-it added the `preReleaseBase` option and we
now always set it to `1` in the npm script. This is
a noop for stable releases.
Fixes jquery/jquery-release#114
Closes gh-5512
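An added example, not code from the jQuery repository, of the verification idea in the two release messages above: a build dated from a commit rather than the clock, a skip list for the CDN check, and a report that lists every file. File names, contents, dates and the banner format are constructed assumptions.

```javascript
// Added example: file names, contents, dates and the skip list are constructed.
const { createHash } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest("hex");

// Assumption: the build embeds a date in a banner comment. Taking it from a
// commit instead of the clock makes a rebuild of that commit byte-identical.
function build(source, version, commitDate) {
  const date = new Date(commitDate).toISOString();
  return `/*! example v${version} | ${date} */\n${source}`;
}

// Compare a local rebuild with the published copies (CDN, npm tarball).
// Every file is reported with its status, not only the first failure.
function verifyRelease(rebuilt, published, skip = []) {
  const names = [...new Set([...rebuilt.keys(), ...published.keys()])].sort();
  const results = names.map((file) => {
    if (skip.includes(file)) return { file, status: "skipped" };
    if (!published.has(file)) return { file, status: "not published" };
    if (!rebuilt.has(file)) return { file, status: "not in rebuild" };
    const same = sha256(rebuilt.get(file)) === sha256(published.get(file));
    return { file, status: same ? "match" : "MISMATCH" };
  });
  const ok = results.every((r) => ["match", "skipped"].includes(r.status));
  return { ok, results };
}

const SOURCE = "export const answer = 42;\n";
const PRIOR_COMMIT = "2024-01-02T03:04:05Z"; // commit the files were built from
const TAG_COMMIT = "2024-01-02T03:09:41Z"; // commit that added the built files

function rebuildAt(commitDate) {
  return new Map([
    ["example.js", build(SOURCE, "1.0.0-beta.2", commitDate)],
    ["example.min.js", "export const answer=42;\n"],
    ["package.json", "{}\n"] // in the build output but never on the CDN
  ]);
}

const published = new Map([
  ["example.js", build(SOURCE, "1.0.0-beta.2", PRIOR_COMMIT)],
  ["example.min.js", "export const answer=42;\n"]
]);

function report({ ok, results }) {
  const lines = results.map((r) => `${r.status.padEnd(14)} ${r.file}`);
  return [ok ? "verified" : "FAILED", ...lines].join("\n");
}

// Dating the rebuild from the tag commit fails; the prior commit verifies.
console.log(report(verifyRelease(rebuildAt(TAG_COMMIT), published, ["package.json"])));
console.log(report(verifyRelease(rebuildAt(PRIOR_COMMIT), published, ["package.json"])));
```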
We cannot pass a single file via the `module` condition as then
`require( "jquery" )` will not return jQuery but instead the module object
with `default`, `$` & `jQuery` as keys. Instead:
1. For Node.js, detected via the `node` condition:
1. Expose a regular CommonJS version to `require`
2. Expose a tiny wrapper over CommonJS to `import`
2. For bundlers, detected via the `module` condition:
1. Expose a regular ESM version to `import`
2. Expose a tiny wrapper over ESM to `require`
3. If neither Node.js nor bundlers are detected (no `node` or `module`
conditions):
1. Expose a regular CommonJS version to `require`
2. Expose a regular ESM version to `import`
The reasons for such definitions are as follows:
1. In Node.js, one can synchronously import from a CommonJS file inside of
an ESM one but not vice-versa. To use an ESM file in a CommonJS one,
a dynamic import is required and that forces asynchronicity.
2. In some bundlers CommonJS is not necessarily enabled - e.g. in Rollup without
the CommonJS plugin. Therefore, the ESM version needs to be pure ESM.
However, bundlers allow synchronously calling `require` on an ESM file. This
is possible since bundlers merge the files before they are passed to
the browser to execute and the final bundles no longer contain async import
code.
3. Bare ESM & CommonJS versions are provided to non-Node non-bundler
environments where we cannot assume interoperability between ESM & CommonJS
is supported.
4. Bare versions cannot be supplied to Node or bundlers as projects using both
ESM & CommonJS to fetch jQuery would result in duplicate jQuery instances,
leading to increased JS size and disjoint data storage.
In addition to the above changes, the `script` condition has been dropped. Only
Webpack documents this condition and it's not clear when exactly it's triggered.
Support for a new condition can be added later without a breaking change;
removing is not so easy.
The `production` & `development` conditions have been removed as well. They were
not really applied correctly; we'd need to provide both of them to each current
leaf which would double the size of the definition for the `.` & `./slim` entry
points. In jQuery, the only difference between development & production builds
is minification; there are no logic changes so we can pass unminified versions
to all the tooling, expecting minification down the line.
As for the factory entry points:
1. Node.js always gets the CommonJS version
2. Bundlers always get the ESM version
3. Other tools take the ESM version when using `import` and the CommonJS when
using `require`.
The complexity is lower than for the `.` & `./slim` entry points because there's
no default export to handle so Node/bundler wrapper files are not necessary.
Other changes:
* Tests: Change "node:assert" to "node:assert/strict"; the former is deprecated
* Docs: Mention that the CommonJS module doesn't expose named exports
* Tests: Run Node & bundler tests for all the above cases
Fixes gh-5416
Closes gh-5429
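An added example, not jQuery's own `package.json`, that encodes the conditions described above and resolves them the way Node.js conditional exports are resolved (keys are tried in order, `default` always matches). All file paths are hypothetical placeholders and the per-environment condition sets are simplified; the `naive` map is included to show the duplicate-instance case from reason 4.

```javascript
// Added example: every file path below is a hypothetical placeholder.
const CJS = "./dist/lib.cjs.js";
const ESM = "./dist/lib.esm.js";
const IMPORT_WRAPPER = "./dist/lib.import-wrapper.js"; // ESM re-exporting CJS
const REQUIRE_WRAPPER = "./dist/lib.require-wrapper.js"; // CJS re-exporting ESM
const WRAPS = { [IMPORT_WRAPPER]: CJS, [REQUIRE_WRAPPER]: ESM };

// The "." entry point as the message describes it.
const described = {
  node: { import: IMPORT_WRAPPER, default: CJS },
  module: { import: ESM, default: REQUIRE_WRAPPER },
  import: ESM,
  default: CJS
};
// Bare versions handed to every environment, for comparison.
const naive = { import: ESM, default: CJS };

// Conditional exports resolution: keys are tried in object order; a key
// applies if it is "default" or an active condition; nested objects recurse.
function resolveTarget(target, active) {
  if (typeof target === "string") return target;
  if (target === null || typeof target !== "object") return undefined;
  for (const [condition, value] of Object.entries(target)) {
    if (condition === "default" || active.has(condition)) {
      const resolved = resolveTarget(value, active);
      if (resolved !== undefined) return resolved;
    }
  }
  return undefined;
}

// Simplified condition sets; real tools add more (e.g. "browser").
const ENVIRONMENTS = { node: ["node"], bundler: ["module"], other: [] };

function entryPoints(exportsMap, env) {
  const base = ENVIRONMENTS[env];
  return {
    import: resolveTarget(exportsMap, new Set([...base, "import"])),
    require: resolveTarget(exportsMap, new Set([...base, "require"]))
  };
}

// Number of distinct implementations loaded when one project uses both
// `import` and `require`; wrappers count as the build they re-export.
function instances(exportsMap, env) {
  const files = Object.values(entryPoints(exportsMap, env));
  return new Set(files.map((file) => WRAPS[file] ?? file)).size;
}

for (const env of Object.keys(ENVIRONMENTS)) {
  console.log(env, entryPoints(described, env),
    "instances:", instances(described, env),
    "naive instances:", instances(naive, env));
}
```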
- reuse BrowserStack workers.
- add support for "latest" and "latest-1" in browser version filters
- add support for specifying non-final browser versions, such as beta versions
- more accurate eslint for files in test/runner
- switched `--no-isolate` command flag to `--isolate`. Now that browser instances are shared, it made more sense to me to default to no isolation unless specified. This turned out to be cleaner because the only place we isolate is in browserstack.yml.
- fixed an issue with retries where it wasn't always waiting for the retried test run
- enable strict mode in test yargs command
This is a complete rework of our testing infrastructure. The main goal is to modernize and drop deprecated or undermaintained dependencies (specifically, grunt, karma, and testswarm). We've achieved that by limiting our dependency list to ones that are unlikely to drop support any time soon. The new dependency list includes:
- `qunit` (our trusty unit testing library)
- `selenium-webdriver` (for spinning up local browsers)
- `express` (for starting a test server and adding middleware)
- express middleware includes uses of `body-parser` and `raw-body`
- `yargs` (for constructing a CLI with pretty help text)
- BrowserStack (for running each of our QUnit modules separately in all of our supported browsers)
- `browserstack-local` (for opening a local tunnel. This is the same package still currently used in the new BrowserStack SDK)
- We are not using any other BrowserStack library. The newest BrowserStack SDK does not fit our needs (and isn't open source). Existing libraries, such as `node-browserstack` or `browserstack-runner`, either do not quite fit our needs, are under-maintained and out-of-date, or are not robust enough to meet all of our requirements. We instead call the [BrowserStack REST API](https://github.com/browserstack/api) directly.
## BrowserStack Runner
- automatically retries individual modules in case of test failure(s)
- automatically attempts to re-establish broken tunnels
- automatically refreshes the page in case a test run has stalled
- runs all browsers concurrently and uses as many sessions as are available under the BrowserStack plan. It will wait for available sessions if there are none.
- supports filtering the available list of browsers by browser name, browser version, device, OS, and OS version (see `npm run test:unit -- --list-browsers` for more info). It will retrieve the latest matching browser available if any of those parameters are not specified.
- cleans up after itself (closes the local tunnel, stops the test server, etc.)
- Requires `BROWSERSTACK_USERNAME` and `BROWSERSTACK_ACCESS_KEY` environment variables.
## Selenium Runner
- supports running any local browser as long as the driver is installed, including support for headless mode in Chrome, FF, and Edge
- supports running `basic` tests on the latest [jsdom](https://github.com/jsdom/jsdom#readme), which can be seen in action in this PR (see `test:browserless`)
- Node tests will run as before in PRs and all non-dependabot branches, but now includes tests on real Safari in a GH actions macos image instead of playwright-webkit.
- can run multiple browsers and multiple modules concurrently
Other notes:
- Stale dependencies have been removed and all remaining dependencies have been upgraded with a few exceptions:
- `sinon`: stopped supporting IE in version 10. But, `sinon` has been updated to 9.x.
- `husky`: latest does not support Node 10 and runs on `npm install`. Needed for now until git builds are migrated to GitHub Actions.
- `rollup`: latest does not support Node 10. Needed for now until git builds are migrated to GitHub Actions.
- BrowserStack tests are set to run on each `main` branch commit
- `debug` mode leaves Selenium browsers open whether they pass or fail and leaves browsers with test failures open on BrowserStack. The latter is to avoid leaving open too many sessions.
- This PR includes a workflow to dispatch BrowserStack runs on-demand
- The Node version used for most workflow tests has been upgraded to 20.x
- updated supportjQuery to 3.7.1
Run `npm run test:unit -- --help` for CLI documentation
Close gh-5418
Build was already happening in scripts like `test:browser` but those scripts
were missing `pretest`, meaning that running `npm install && npm test:browser`
may have failed if `pretest` wasn't run before or if its results were out of
date.
Even worse, with such stale data some tests may erroneously succeed.
This also removes a separate `pretest` step from GitHub Actions as it's no
longer needed.
Closes gh-5338
Since versions 1.11.0/2.1.0, jQuery has used a module wrapper with one strange
addition - in CommonJS environments, if a global `window` with a `document` was
not present, jQuery exported a factory accepting a `window` implementation and
returning jQuery.
This approach created a number of problems:
1. Properly typing jQuery would be a nightmare as the exported value depends on
the environment. In practice, typing definitions ignored the factory case.
2. Since we now use named exports for the jQuery module version, it felt weird
to have `jQuery` and `$` pointing to the factory instead of real jQuery.
Instead, for jQuery 4.0 we leverage the just added `exports` field in
`package.json` to expose completely separate factory entry points: one for the
full build, one for the slim one.
Exports definitions for `./factory` & `./factory-slim` are simpler than for `.`
and `./slim` - this is because it's a new entry point, we only expose a named
export and so there's no issue with just pointing Node.js to the CommonJS
version (we cannot use the module version for `import` from Node.js to avoid
double package hazard). The factory entry points are also not meant for the Web
browser which always has a proper `window` - and they'd be unfit for an
inclusion in a regular script tag anyway. Because of that, we also don't
generate minified versions of these entry points.
The factory files are not pushed to the CDN since they are mostly aimed
at Node.js.
Closes gh-5293
Updated tasks include:
- lint
- npmcopy
- build, minify, and process for distribution.
- new custom build command using yargs
- compare size of minified/gzip built files
- pretest scripts, including qunit-fixture, babel transpilation, and npmcopy
- node smoke tests
- promises aplus tests
- new watch task using `rollup.watch` directly
Also:
- upgraded husky and added the new lint command
- updated lint config to use new "flat" config format. See https://eslint.org/docs/latest/use/configure/configuration-files-new
- Temporarily disabled one lint rule until flat config is supported by eslint-plugin-import. See https://github.com/import-js/eslint-plugin-import/issues/2556
- committed package-lock.json
- updated all test scripts to use the new build
- added an express test server that uses middleware-mockserver (this can be used to run tests without karma)
- build-all-variants is now build:all
Close gh-5318
Summary of the changes:
* define the `exports` field in `package.json`; `jQuery` & `$` are also
exported as named exports in ESM builds now
* declare `"type": "module"` globally except for the `build` folder
* add the `--esm` option to `grunt custom`, generating jQuery as an ECMAScript
module into the `dist-module` folder
* expand `node_smoke_tests` to test the slim & ESM builds and their various
combinations; also, test both jQuery loaded via a path to the file as well
as from module specifiers that should be parsed via the `exports` feature
* add details about ESM usage to the release package README
* run `compare_size` on all built minified files; don't run it anymore on
unminified files where they don't provide lots of value
* remove the remove_map_comment task; SWC doesn't insert the
`//# sourceMappingURL=` pragma by default so there's nothing to strip
Fixes gh-4592
Closes gh-5255
Bootstrap 5 includes the following CSS on the page:
```css
*,
*::before,
*::after {
  box-sizing: border-box;
}
```
That threw our `reliableTrDimensions` support test off. This change fixes the
support test and adds a unit test ensuring support test values on a page
including Bootstrap 5 CSS are the same as on a page without it.
Fixes gh-5270
Closes gh-5278
Ref gh-5279
With this change, jQuery build no longer generates the `amd` directory with
AMD modules transpiled from source `src` ECMAScript Modules. To use individual
jQuery modules from source, ESM is now required.
Note that this DOES NOT affect the main `"jquery"` AMD module defined by built
jQuery files; those remain supported.
Closes gh-5276
UglifyJS is ES5-only, while Terser supports newer ECMAScript versions. jQuery
is authored in ES5 but jQuery 4.x will also have an ESM build that cannot be
minified using UglifyJS directly.
We could strip the `export` statement, minify via UglifyJS and re-add one but
that increases complexity & may not fully play nice with source maps.
On the other hand, switching to Terser increases the minified size by just 324
bytes and the minified gzipped one by just 70 bytes. Such differences largely
disappear among bigger size gains from the `3.x-stable` line - around 2.7 KB
minified gzipped as of now.
Closes gh-5258
`CSS.supports( "selector(...)" )` has different semantics than selectors passed
to `querySelectorAll`. Apart from the fact that the former returns `false` for
unrecognized selectors and the latter throws, `qSA` is more forgiving and
accepts some invalid selectors, auto-correcting them where needed - for
example, mismatched brackets are auto-closed. This behavior difference is
breaking for many users.
To add to that, a recent CSSWG resolution made `:is()` & `:where()` the only
pseudos with forgiving parsing; browsers are in the process of making `:has()`
parsing unforgiving.
Taking all that into account, we go back to our previous try-catch approach
without relying on `CSS.supports( "selector(...)" )`. The only difference
is we detect forgiving parsing in `:has()` and mark the selector as buggy.
The PR also updates `playwright-webkit` so that we test against a version
of WebKit that already has non-forgiving `:has()`.
Fixes gh-5194
Closes gh-5206
Ref gh-5098
Ref gh-5107
Ref w3c/csswg-drafts#7676
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Two changes have been applied:
* prefilters are now applied before data is converted to a string;
this allows prefilters to disable such a conversion
* a prefilter for binary data is added; it disables data conversion
for non-string non-plain-object `data`; for `FormData` bodies, it
removes manually-set `Content-Type` header - this is required
as browsers need to append their own boundary to the header
Ref gh-4150
Closes gh-5197
So far, we've been running browser tests on GitHub Actions in Chrome
and Firefox. Regular Safari is not available in GitHub Actions but
Playwright WebKit comes close to a dev version of Safari.
With this change, our GitHub CI & local test runs will invoke tests on
all actively developed browser engines on all PRs.
Also, our GitHub Actions browser tests are now running on Node.js 18.
Detection of the Playwright WebKit browser in support unit tests is done
by checking if the `test_browser` query parameter is set to `"Playwright"`;
this is a `karma-webkit-launcher` feature. Detecting that browser via
user agent as we normally do is hard as the UA on Linux is very similar
to a real Safari one but it actually uses a newer version of the engine.
In addition, we now allow passing custom browsers when one needs it;
e.g., to run the tests in all three engines on Linux/macOS, run:
```
grunt && BROWSERS=ChromeHeadless,FirefoxHeadless,WebkitHeadless grunt karma:main
```
Closes gh-5190
Re-introduce the `selector-native` similar to the one on the `3.x-stable`
branch. One difference is since the `main` branch inlined Sizzle, some
selector utils can be shared between the main `selector` module and
`selector-native`.
The main `selector` module can be disabled in favor of `selector-native`
via:
```
grunt custom:-selector
```
Other changes:
* Tests: Fix Safari detection - Chrome Headless has a different user
agent than Safari and a browser check in selector tests didn't take
that into account.
* Tests: Run selector-native tests in `npm test`
* Selector: Fix querying on document fragments
Ref gh-4395
Closes gh-5085
This adds testing on Node.js 17 in addition to the currently tested 10, 12, 14
and 16 versions.
Also, update Grunt & `karma-*` packages.
Testing in Karma on jsdom is broken in Node 17 at the moment; until we find
a fix, this change disables such testing on Node 17 or newer.
Node smoke tests & promises aplus tests are disabled on Node.js 10 as they
depend on jsdom and the latest jsdom version doesn't run properly on Node 10.
Closes gh-5023
Latest `main` started failing the build after some transitive dependencies
got updated, incorrectly recognizing some files with default exports as unused.
Since the new ESLint no longer supports Node 10 which we have to build on due
to use in our CI, skip ESLint in Node 10.
Ref gh-3225
Closes gh-4961
In gh-4466, we removed the `external` directory in favor of loading some files
directly from `node_modules`. This works fine locally but when deploying code
for tests, this makes it impossible to not deploy `node_modules` as well. To
avoid the issue, this change restores usage of the `external` directory.
One change is that we no longer commit this directory to the repository, its
only purpose is to have clear isolation from `node_modules`.
Ref gh-4466
Closes gh-4865
This also resolves a security warning from GitHub about a vulnerable `request`
version - the new `testswarm` package version depends on a fixed `request`.
Closes gh-4732
This commit fixes unit tests for the following builds:
1. The no-deprecated build: `custom:-deprecated`
2. The current slim build: `custom:-ajax,-effects`
3. The future (#4553) slim build: `custom:-ajax,-callbacks,-deferred,-effects`
It also adds separate Travis jobs for the no-deprecated & slim builds.
Closes gh-4577