Upgrade to jQuery 1.12.4, addressing security warning from GitHub

[thomthom]

Description

We host our generated docs on GitHub via GitHub pages. Via GitHub's security warnings we started seeing this recent:

We can patch this on our end, but we figured it was better to try to patch upstream.

However, jQuery 1.9 removed a number of functions which caused rendering issues:

This PR upgrades jQuery to the latest 1.x version; 1.12.4 along with the jQuery Migration plugin. The migration plugin ensures that YARD renders correctly again.

This does add another HTTP request to be made. If that's a concern we could merge jQuery and the Migration plugin into a single file.

Related discussion:

#1298 (comment)

Completed Tasks

• I have read the Contributing Guide.
• The pull request is complete (implemented / written).
• Git commits have been cleaned up (squash WIP / revert commits).
• I wrote tests and ran bundle exec rake locally (if code is attached to PR).

[thomthom]

Ah, I checked the issues list first, but I didn't check the open PRs. I see now that there is #1351 that also addresses this.

[coveralls]

Coverage decreased (-0.02%) to 93.416% when pulling 2e093bf on thomthom:dev/jquery-upgrade into 2b16190 on lsegal:main.

[lsegal]

@thomthom I actually like this as a solution that uses jquery-migrate to handle the deprecated APIs. Did you verify that all pages load correctly with this version?

[thomthom]

I didn't check the guide template. That is a template I haven't noticed before.

But for the default template it seemed to work well. I tested the front page (README) along with class/module pages, additional pages, search.

I've put the fix into our custom YARD template (https://github.com/SketchUp/sketchup-yard-template) and we'll soon be publishing with these fixes applied locally to our doc builds.

If you want, I can zip up a copy of the YARD doc output from that branch if you (or anyone else) wish to have a look for review.

Btw, does YARD itself use the guide template? Or any project you are aware of that uses it that can be easily tested?

[thomthom]

Here are builds of the YARD docs and the YARD guide using a build from this PR branch.

• doc.zip
• doc_guide.zip

[thomthom]

Btw, I saw warning from YARD when building the guide, not sure if that's related to how in invoked the build?

C:\Users\Thomas\SourceTree\yard>ruby bin\yard --yardopts .yardopts_guide 
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.tag
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
[warn]: Unknown tag @yard.signature
[warn]: Unknown tag @yard.directive
Files:         184
Modules:        49 (    7 undocumented)
Classes:       218 (   49 undocumented)
Constants:     101 (   41 undocumented)
Attributes:    189 (    0 undocumented)
Methods:       971 (  165 undocumented)
 82.85% documented

[noraj]

Updating to 1.12.4 is nearly useless since 4 vulnerabilities will remain out of the 6 vulnerabilities present in 1.7.1.

I know it as already be downgraded (3.4.1 back to 1.7.1) because breaking changes were not taken into account https://github.com/lsegal/yard/pull/1298/files.

Dependabot security alerts are sent to many project using yard:

The only versions with zero vulnerabilities now are 3.5.x and 3.6.x.

[trivikr]

Thank you @thomthom for posting this PR.
I used it as a reference as posted new PR for bumping jQuery to latest v3.6.0 without having to add jquery-migrate in #1397

Can you provide your feedback there?