Projects

QUnit 1.16 Release and Roadmap

Posted on by

We’ve just released QUnit 1.16, an important milestone for the project. This release introduces several new APIs that will become the default in QUnit 2.0. To help migrate to these APIs, you can start using them today in 1.16. Our 2.x upgrade guide provides all the details you need to change your existing test suite to the new APIs.

Here’s a quick overview of the new APIs:

QUnit.test( "assert.async() test", function( assert ) {
  var done = assert.async();
  var input = $( "#test-input" ).focus();
  setTimeout(function() {
    assert.equal( document.activeElement, input[0], "Input was focused" );
    done();
  });
});

You still define tests by calling QUnit.test and passing a name and a callback. The callback receives a assert argument that contains all assertion methods. The assert.async() method is brand new, replacing the old stop() method. The returned callback, here named done is later called when the test is finished, replacing the old start() method.

In addition, QUnit 1.16 contains several improvements and new features:

  • Promise support: As an enhancement for the async control, test blocks are now Promise aware, meaning QUnit will wait for the test to resolve with the pass or fail statement.
  • QUnit asynchronous tests can also now be defined using the new var done = assert.async() method instead of the old stop()/start(), making them specific to the test block.
  • QUnit.skip: This method can be used to define tests that aren’t executed, as placeholders or to temporarily disable an existing test (instead of commenting it out). The skipped test is still displayed in the HTML reporter, marked prominently as “SKIPPED”.
  • testId URL parameter: When clicking the “Rerun” link for a single test, a hash of the test name is now used to reference the test, called testId, instead of the previous testNumber. Using a hash makes sure that the order of tests can change, and QUnit will still rerun the same test you’ve selected before.
  • CommonJS exports: QUnit now also looks for a exports object and uses that to export itself, making QUnit usable on Rhino with the -require option.
  • There are a few more minor changes. For a full list, check out the changelog.

Roadmap

For future releases, we have several improvements planned as well:

Standardized reporter interface

Currently integration of any unit testing library into other tools like PhantomJS or browserstack-runner or Karma requires custom integration code, a combination of library and tools. We’ve started an effort to create a standard reporter interface that all testing libraries could implement, called js-reporters, to be consumed by those tools. Coordinating between the various projects and getting them to agree on and implement a common API takes time, but will yield better testing infrastructure for everyone.

Better diff output

When writing unit tests that compare objects with deep structures or many properties, like Ember models or Moment instances, the current diff output is slow and inefficient. There are also comparisons where the diff is hard to read. Replacing the diff library and implementing custom optimizations, like only showing diffs for leafs in big objects, will make QUnit’s HTML reporter even more developer friendly. We have a list of all diff-related issues.

Better support for writing custom assertions

Custom assertions are a powerful method of abstraction in test suites. They are currently underused. We want to investigate better APIs for writing custom assertions, along with better documentation of existing and new APIs.

Support for nested modules

Nesting modules, like Jasmine and Mocha support it, gives more flexibility in structuring test suites. There is existing discussion and prototypes, but no consensus on the API, yet.

For any breaking changes, we’ll apply the same migration model that we’re currently using. All backwards compatible changes will make it into the next minor release, any incompatible changes will be introduced with a migration layer in a minor release, removing the migration layer in the next major release.

The QUnit Team

The QUnit team also would like to use this opportunity to introduce itself:

At the jQuery Conference in Chicago, September 2014, from left to right: Jörn Zaefferer, Timo “Krinkle” Tijhof, James M. Greene, and Leonardo Balter

 

jQuery

jQuery 3.0: The Next Generations

Posted on by

It’s hard to believe it’s been nearly eight years since jQuery was released. Web development has changed a lot over the years, and jQuery has changed along with it. Through all of this time, the team has tried to walk the line between maintaining compatibility with code from the past versus supporting the best web development practices of the present.

One of those best practices is semantic versioning, or semver for short. In a practical sense, semver gives developers (and build tools) an idea of the risk involved in moving to a new version of software. Version numbers are in the form of MAJOR.MINOR.PATCH with each of the three components being an integer. In semver, if the MAJOR number changes it indicates there are breaking changes in the API and thus developers need to beware.

The concept of versioning gets a little more nuanced with jQuery, where browser compatibility can be just as important as API compatibility. In order to create a slimmer jQuery, the team started shipping two versions in 2013. The first version remained numbered in the 1.x line and, currently at 1.11.1, maintains compatibility with a maximal number of browsers. The second version, starting with 2.0.0 and now at 2.1.1, dropped support for browsers like IE8 or lower in order to streamline the code. Both the 1.x and 2.x versions of jQuery have the same public APIs, even though they differ somewhat in their internal implementations.

Our next releases will use a different nomenclature. As before, there will be two different released files. The successor to what is now version 1.11.1 will become jQuery Compat 3.0. The successor to jQuery 2.1.1 will be jQuery 3.0. There are two different packages on npm and Bower, but they share the same version to indicate they have the same API behavior.

We’ll also be re-aligning our policy for browser support starting with these releases. The main jQuery package remains small and tight by supporting the evergreen browsers (the current and previous versions of a specific browser) that are common at the time of its release. We may support additional browsers in this package based on market share. The jQuery Compat package offers much wider browser support, but at the expense of a larger file size and potentially lower performance.

Despite the big version number jump, we don’t anticipate a lot of migration issues for most current jQuery code. We’re just being good semver citizens with this version bump. Changes such as removing deprecated methods will be detected by a new version of the jQuery Migrate plugin to make them easy to find and fix. We’ll have more details on the changes in future blog posts.

So, here’s the TL;DR for version 3.0 of the jQuery API:

  • If you need support for the widest variety of browsers including IE8, Opera 12, Safari 5, and the like, use the jQuery-Compat 3.0.0 package. We recommend this version for most web sites, since it provides the best compatibility for all website visitors.
  • If your web site is built only for evergreen leading-edge browsers, or is an HTML-based app contained in a webview (for example PhoneGap or Cordova) where you know which browser engines are in use, go for the jQuery 3.0.0 package.
  • Until we announce otherwise, both packages will contain the same public APIs in correspondingly-numbered major and minor versions. This should make it easy for developers to switch between the two and be maximally compatible with third-party jQuery plugins.

With each future release, we’ll be making both packages available on npm and bower. Both packages will also be available as single-file builds on the jQuery CDN. Using them from there is as simple as including either jquery-compat-3.0.0.js or jquery-3.0.0.js depending on your needs. We’ve talked with the folks who run Google’s CDN and they will also be supporting both packages.

As we make further progress on version 3.0, we will update everyone with the details about code changes, supported browsers, and the like. Stay tuned!

Projects

jQuery Foundation Adopts Mousewheel Plugin

Posted on by

The jQuery Foundation is pleased to announce that Brandon Aaron has donated his jquery-mousewheel plugin to the jQuery Foundation. Brandon is a jQuery team alumnus and he leaves the plugin in great shape with very few open issues. It’s a very popular plugin, one that’s often used along with jQuery UI and other widgets.

Adopting the mousewheel plugin is part of the jQuery Foundation’s mission to make a web developer’s work easier. We want to ensure that web developers can use this plugin and be confident it will be supported into the future. We can’t do this alone, of course, and encourage the community to pitch in with pull requests and by providing support to the jQuery Foundation. You can find it at https://github.com/jquery/jquery-mousewheel/.

Abandoned or neglected open source projects can be a thorn in the side of web developers. When a developer’s personal project becomes wildly popular, it often exceeds that person’s ability to maintain and support it. More developers should take the step that Brandon did, seeking out someone who can take over the reins when they no longer have the time. As Eric Raymond says in The Cathedral and the Bazaar, “When you lose interest in a program, your last duty to it is to hand it off to a competent successor.”

Uncategorized

jQuery.com September 2014 Security Retrospective

Posted on by

During the last two weeks of September, we found our way into the headlines due to a series of attacks on our web servers. Today, we wanted to give everyone a brief update on the status of our websites and a recap of what happened over the last two weeks.

jQuery Under Siege

Early on the morning of September 18th we were hit with a DDoS and went offline. We were down for a couple of hours. The sites were brought back up later that day on September 18th and all seemed well.

Later, during the afternoon of September 18th, we were contacted by a security company named RiskIQ reporting that their crawler had reported malware being served by our content sites. There were never any reports that the jQuery libraries nor the CDN were ever compromised. Immediately upon receiving that report, we completely destroyed and reimaged all of those machines, revoked and reissued all associated SSL certificates, and confirmed that there was no suspicious content being served at that point. Since then, our own team and security folks from Mozilla and MaxCDN have worked to analyze logs and attempt to confirm the impact of this attack.

On September 23rd, RiskIQ went public with their report which picked up steam throughout the day on various media outlets and Twitter. The next morning, September 24th, as DDoS attacks on our properties continued to increase both in frequency and magnitude, CVE-2014-6271, otherwise known as the ShellShock vulnerability, was issued. As we continued to respond to the media discussion and communicate to the community what had happened on September 18th, we were victimized again in a series of much more public attacks involving the repeated defacing of jquery.com.

Investigations into our systems have yet to find the initial attack vector. However, we did take some steps to make ourselves more secure. For instance, some of our WordPress installs were out of date, all of our servers were vulnerable to the recent shell vulnerabilities, NGINX was slightly out of date as well as maybe a few other patches etc. that needed to be made. The infrastructure team dove in and began making those changes and started building new, fully patched and secured servers to host our sites. It appears these changes were effective as the defacing stopped and we have not seen any evidence of intrusion since.

Later on September 24th, a massive and unrelenting DDoS attack began. It seemed as though it would come in waves, but did not stop until late on September 28th. Most of the time on September 26th and 27th was spent trying to implement various products and solutions in order to keep the servers alive. We fought day and night to try to keep the sites up. We have to commend Corey Frang, Adam Ulvi, the rest of the infrastructure team, and others; they worked through the nights and in alternating shifts to try to keep us on the internet. Without their efforts, we would not have had the short amounts of uptime we did. One significantly important step that we took was to reach out to CloudFlare, who generously and rapidly gave us access to their Enterprise service which has helped tremendously in mitigating these attacks.

Moving Forward

jQuery and the jQuery Foundation are important to the web ecosystem, as is evident from the amount of press and the number of concerned individuals and organizations that have reached out to ask questions about this attack. The jQuery Foundation works on a daily basis to maintain and improve our projects and the infrastructure around those projects. The goal of this work is to continue to make web developers’ jobs easier and make sure they have a voice in the world of standards and browsers. However, these objectives take a large quantity of resources. Whether those resources are provided by access to expertise of a company’s employees or services, or through financial support, we would be unable to continue this important work without the support of the open source community and our supporting members.

We have been asked several times throughout this ordeal about why we didn’t have XYZ service in place or why we didn’t have our security team keeping a closer eye on these types of risks. The simple answer is that our budgets are tight and resources are limited. Our infrastructure team, and most of our teams for that matter, are made up of volunteers who give their time for free to make sure things keep running. The Heartbleed and ShellShock vulnerabilities are recent examples of how badly things can go when open source projects are taken for granted and just assumed to be OK. Eventually something is going to fall through the cracks and those cracks become larger and more frequent when people are doing what they can in their spare time.

So how can you help? As an individual, get involved in one of our projects. We can always use help writing code, designing, maintaining servers, working on events and the list goes on. Take a look at contribute.jquery.org or come say hi on IRC in one of our many channels listed on irc.jquery.org. As an organization, we would love to hear about any service you may be willing to donate, any developers or other skilled professionals that you could spare for a few hours a week or if you can help financially. Send us a message at membership@jquery.org and let us know how you can help.

We haven’t wanted to say too much about these attacks as they have been happening because we remain a juicy target in the eyes of hackers who are continuing to attempt to infiltrate our servers even as of this writing. In sharing all of this information with the community now, we’ve tried to balance the need to explain what’s been happening with the potential backlash that could happen as a result of coming out publicly and saying that we believe we have the situation under control.

That said, we do at this point believe that we have the situation under control. For this, a huge thanks is due to the entire jQuery infrastructure team, who rolled up their sleeves and worked tirelessly on these issues to get us back to a good place. We will continue to be vigilant in ensuring the reliability and safety of all of our resources for our community of users.

Uncategorized

Update on jQuery.com Compromises

Posted on by

Today at 11:15AM EDT, the jQuery Infrastructure team received widespread reports and confirmed a compromise of jquery.com. This attack was aimed at defacing our sites, and did not inject malware like the attack that was reported on September 18th by RiskIQ. We believe that these are separate incidents that may have used the same attack vector.

We took the site down as soon as we realized there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities.

At no point today have there been reports of malware being distributed from any of our sites, nor has the code of any jQuery libraries on our website or CDN been affected or modified today or during last week’s reported attack. Some of this confusion stems from last week’s attackers having set up a domain name intended to dupe users into thinking it was the official jQuery CDN. Please note that the official domain for jQuery files hosted from our official CDN is code.jquery.com.

There has also been concern that the user accounts of developers and administrators who use jquery.com and the rest of our WordPress sites have somehow been compromised by this attack. However, the only people who have a user account for the WordPress sites affected by these attacks are members of the jQuery team; we do not have any public user registration for any sort of account on any of the affected sites.

We are continuing to actively work on and monitor this situation and will update you as we learn more.

Updates

We have moved http://jquery.com to a new server only running code we trust and are continuing to monitor the situation closely. – September 24, 2014 at 5:07 PM EDT via Twitter

Uncategorized

Was jquery.com Compromised?

Posted on by

Lastest update on the compromise: Update on jQuery.com Compromises

Earlier today, RiskIQ published a blog post stating that the jQuery.com web servers were compromised and serving the RIG exploit kit for a short period of time on the afternoon of September 18th. Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise.

RiskIQ was able to make contact with the jQuery Infrastructure team on September 18th, at which point with members of the RiskIQ team tried to find evidence of compromise. So far the investigation has been unable to reproduce or confirm that our servers were compromised. We have not been notified by any other security firm or users of jquery.com confirming a compromise. Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.

At no time have the hosted jQuery libraries been compromised.

Currently the only potential system compromised is the web software or server that runs jquery.com. We have asked RiskIQ to help us look through our server logs and systems to help identify when and how a compromise happened. Please check this blog post for updates on the situation.

Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean. If you happened to visit any of the our sites on September 18th and are afraid of your system being compromised you can follow the advice RiskIQ recommends:

  • Immediately re-image system
  • Reset passwords for user accounts that have been used on the system
  • See if any suspicious activity has originated from the offending system
Uncategorized

jQuery Chicago Roundup!

Posted on by
jQuery Conference Chicago logo

With just over a month until we set forth for the Windy City for the first jQuery Conference in Chicago, the moment’s opportune to bring you up to speed on what we’ve got in store for you this September!

Whatchu Talkin’ Bout?

Our speakers and talks are the highlight of any jQuery conference; our lineup in Chicago is no exception. We aim to cover a broad selection of subjects from across the realm of web development, from our jQuery Foundation projects like jQuery, jQuery UI, and jQuery Mobile (so we’ll be having talks from project leads Dave Methvin, Scott González, and Alex Schmitz) to the new frontiers where JavaScript now treads (so we’ve got Lisa Deluca talking about using Arduino and Cordova together, and Micah Ransdell talking about Netflix’s adoption of Node.js). We know you want to know more about the future of the open web platform, and that’s why we’re happy to have folks like John K. Paul to go over coming changes to the language in ECMAScript 6, and TJ VanToll and Kevin Hakanson to discuss new browser APIs for form validation and cryptography.

A lot of you come to conferences to learn practical things you can take home with you, and that’s why we’re excited about sessions from (among others) Brian Arnold and Cory Gackenheimer on debugging techniques and Phil Dutson on the process of building a jQuery plugin.  We know, however, that there’s a lot more to releasing code than, well, writing code, and we’re happy to have Kassandra Perch, Alex Sexton, and Kelly Andrews joining us to talk about how to choose and use tools to ship and support the projects we work on. And we know some of you travel to conferences for the fun and games, and we’re thrilled to have Sara Gorecki and Bodil Stokke on hand to talk about building games with web technology.

This is just a handful of the speakers and subjects that’ll be on our Chicago stage(s), and we invite you to take a few minutes to check out our entire program to see what else is on the docket!

Can You Hack It At #jqcon?

Of course you can! In Chicago, however, we’re partnering with MaxCDN, DigitalOcean, and MediaTemple to officially encourage you to do so! We’ve got a wealth of data about how folks use the jQuery CDN at code.jquery.com, and it’s up to you to help us understand it. The hackathon starts the night before the conference on September 11th, and you’re free to use any medium you see fit to play with the data, whether it’s a web application or a robot. Our sponsors have stepped up to reward three participants with bountiful rewards, so we hope you join us to team up, explore, and build!

Coming Home to Roost

We’re partnering with Bocoup for the second time this year to extend our trip to Chicago with Roost, a two-day intensive class on building modern web applications taught by Ashley Williams, Ben Alman, Irene Ros, and Mike Pennisi. Roost is targeted at developers who already know JavaScript, jQuery, HTML, and CSS, and are looking to understand how to develop a better workflow for building, testing, and maintaining their applications and incorporate technologies like Backbone, RequireJS, Stylus, and more. You can check out the full training curriculum and schedule to find out exactly what’s planned.

Accommodations

Both jQuery Conference and Roost are taking place at the Sheraton Chicago in the heart of the city, so the hotel’s a convenient place to stay for the purposes of both your edification and your vacation. We’re only able to offer a discounted rate of $269 per night until August 15th, so make sure to make your reservation in our room block as soon as you can! Staying in our room block is a really helpful way you can help the jQuery Foundation fulfill some of the large financial commitment we’ve made by setting up shop in Chicago.

Brought To You By

Our sponsors and foundation members make a huge difference in our ability to host an awesome jQuery Conference for the community, and we’re happy to take a moment to thank them right here! So here’s a big THANKS to Diamond sponsors WordPress and IBM, Platinum sponsor MediaTemple, Gold sponsors MaxCDN, Bocoup, BrowserStack, Mandrill & DigitalOcean, and Silver sponsors Pebble & Accenture. (We’re still welcoming sponsors – if you’d like to have your company be a part of #jqcon, please reach out!)

Student Discount

We’re glad to be able to offer a discount to current students interested in attending jQuery Conference or Roost. Please get in touch with us for more information on how you can save $150 on tickets to one event, or $200 on a combination ticket. We know the discount is modest, but this is only the second time we’ve been able to offer a student discount of any kind, and we hope it helps. Please be advised that if you use this discount, you’ll need to show a valid student ID at registration.

Join Us

The summer’s been flying by and we can’t believe we’re only five weeks out, and we hope you’ll consider joining us on our trip (or that you’ve already booked your ticket!). Check out the conference site for more on our program and speakers, lodging, and to buy your tickets. If you have any questions, always feel free to get in touch with us on Twitter or via e-mail.

Foundation

The (Not Just) jQuery Foundation

Posted on by

The jQuery Foundation’s mission has always been about more than just our namesake projects of jQuery, jQuery UI, and jQuery Mobile. We already host several projects such as Sizzle, QUnit and Globalize that are not dependent on the jQuery library.

This wider web-oriented mission is evident in our jQuery Conferences, which span a wide range of developer concerns beyond jQuery, including Node, CSS, tooling, testing and much more. Over the years we’ve had talks on build tools, accessibility, security, performance, design patterns, and frameworks such as Ember and Angular. At our San Diego conference this past February, for example, Lenny Markus gave a great talk on PayPal’s continuing adoption of Node as they move away from Java and proprietary solutions, Catherine Farman talked about real world responsive design, and John Dimm gave a talk on the HTML5 speech APIs.

The jQuery Foundation is participating in the continuing evolution of the web platform via our memberships in both the W3C and ECMA TC39 (The group standardizing what we know as JavaScript). We feel that it’s essential to have strong representation in those standards groups to ensure they meet the needs of developers. The Foundation provides a platform for developers to have a voice in these standards bodies.

Beyond the technical compatibility between our projects, we also share the open source model and all the benefits it provides. The Foundation adds the benefit of a top-level structure designed to serve the projects, providing the resources they need but letting the contributors decide the best direction for the project based on community input. Any project that joins the Foundation is given the ability to serve their community’s needs rather than be constrained by the goals of a for-profit company.

Though this has been our mission for a long time, we felt we needed to make this clearer. We are excited to start bringing this part of our mission into the light and start actively working toward a more open web accessible to everyone. If you are excited as well, please help us. Contribute your time to Foundation projects. Offer your company’s services. If you or your company have an established open source project that you believe could benefit everyone and flourish by becoming part of the jQuery Foundation, check out our philosophy around projects joining the Foundation and let us know you’re interested. If you would rather just support the existing and future projects of the Foundation through financial support, become a member of the Foundation. Open source projects will only thrive if everyone who benefits from them contributes back in whatever way they can.

jQuery | jQuery UI

Volunteers Wanted: Trac Enhancements

Posted on by

The jQuery and jQuery UI teams use Trac to do their bug reporting and tracking. The jQuery Core bug tracker could really use a Trac expert to migrate us to Trac 1.0 and fix a few nagging issues we’ve been having. If you’re an expert Trac-meister, or just someone with good Trac setup/configuration experience who’s up to the challenge, we’d love to talk with you! Send a message to dave(at)jquery.com and we’ll be in touch.

Since some of you will inevitably ask: GitHub’s integration between issues and commits is wonderful, but it’s not anywhere near as powerful as Trac when it comes to searching and reporting. In addition, our projects have more than seven years of history comprising thousands of bug reports with important data in them. That’s a non-trivial amount of data to import into GitHub issues and groom to be useful once it’s imported. We feel that staying with Trac is the lowest-effort way for us to give us the bug tracking abilities we need.

jQuery

Don’t Use jquery-latest.js

Posted on by

Earlier this week the jQuery CDN had an issue that made the jquery-latest.js and jquery-latest.min.js files unavailable for a few hours in some geographical areas. (This wasn’t a problem with the CDN itself, but with the repository that provides files for the CDN.) While we always hope to have 100% uptime, this particular outage emphasized the number of production sites following the antipattern of using this file. So let’s be clear: Don’t use jquery-latest.js on a production site.

We know that jquery-latest.js is abused because of the CDN statistics showing it’s the most popular file. That wouldn’t be the case if it was only being used by developers to make a local copy. The jquery-latest.js and jquery-latest.min.js files were meant to provide a simple way to download the latest released version of jQuery core. Instead, some developers include this version directly in their production sites, exposing users to the risk of a broken site each time a new version of jQuery is released. The team tries to minimize those risks, of course, but the jQuery ecosystem is so large that we can’t possibly check it all before making a new release.

To mitigate the risk of “breaking the web”, the jQuery team decided back in 2013 that jquery-latest.js could not be upgraded to the 2.0 branch even though that is technically the latest version. There would just be too many sites that would mysteriously stop working with older versions of Internet Explorer, and many of those sites may not be maintained today.

As jQuery adoption has continued to grow, even that safeguard seems insufficient to protect against careless use of http://code.jquery.com/jquery-latest.js. So we have decided to stop updating this file, as well as the minified copy, keeping both files at version 1.11.1 forever. The latest released version is always available through either the jQuery core download page or the CDN home page. Developers can download the latest version from one of those pages or reference it in a script tag directly from the jQuery CDN by version number.

The Google CDN team has joined us in this effort to prevent inadvertent web breakage and no longer updates the file at http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.js. That file will stay locked at version 1.11.1 as well. However, note that this file currently has a very short cache time, which means you’re losing the performance benefit of of a long cache time that the CDN provides when you request a full version like 1.11.1 instead.

So please spread the word! If you see a site directly using the jQuery CDN’s jquery-latest.js or the Google CDN equivalent in their script tags, let them know they should change to a specific version. If you need the latest version, get it from the download page or our CDN page. For both the jQuery and Google CDNs, always provide a full version number when referencing files in a <script> tag. Thanks!