ESLint Joins the jQuery Foundation

After last week’s announcement that JSCS is merging with ESLint, this week the ESLint team is announcing that they are bringing their project to the jQuery Foundation. We are very excited to be the providers of a long-term, openly governed home for ESLint. We are also looking forward to seeing the outcomes of this new partnership with JSCS.

At the Foundation, we are constantly striving to find ways to make the development experience better for JavaScript developers. We believe both ESLint and JSCS have been leaders on this front. With these two incredibly bright teams coming together at the jQuery Foundation, we expect to see and support accelerated development of ESLint and an easier discovery and decision process for developers looking to bring JavaScript analysis, linting and code style checking to their projects.

Going forward, we hope to continue supporting innovation in the JavaScript space while at the same time, providing a suitable environment for collaboration in all aspects of the JavaScript development world. For more information about why ESLint chose the jQuery Foundation and how this impacts the teams and users involved, check out their announcement on the ESLint blog.

Community Notice on npm dependencies in your projects

As most of you are likely aware by now, a potentially dangerous security vulnerability was highlighted recently in the use of npm modules in your projects. In general, the jQuery Foundation still believes this is a safe and very powerful practice, and in no way are we saying you should no longer use npm for package management in your JavaScript projects. What we would like to advocate is caution when installing a package and its dependencies, for our community of jQuery plugin developers and for users of the many Foundation projects that distribute packages on npm.

A Quick Recap

Rather than rewrite the story, go ahead and check out the full recap and summary from npm on their blog.

The Concern

What happened next is the reason we are writing this post. Azer Koçulu published a number of packages on npm, one of which was the left-pad package, a simple bit of code that many other packages depend on. After the package was unpublished, many popular projects began having build failures due to the missing package. It is concerning in itself that anyone can unpublish a dependency you have, or a dependency of a dependency of a dependency, and cause you or your team real headaches. Shortly after left-pad was unpublished, the npm team decided to un-unpublish it under a new owner to fix the many breaking builds around the internet. What is more concerning, though, is the fact that once a package is unpublished, anyone can grab the package names you depend on somewhere in your dependency tree and push new, potentially malicious code into your project. In general, this wouldn’t be too bad, because your project likely relies on the exact version that was unpublished and the newly published version would not be pulled in. However, many people install dependencies with npm i --save <package-name> or npm i --save-dev <package-name>, which by default records the latest version published at the time preceded by a ^, like ^1.0.0. That tells npm to install any newer version up through minor releases the next time dependencies are installed or updated. This means that if you reinstall or update your project after someone has pushed malicious code into a patch (1.0.1) or minor (1.1.0) release of our example package, it will automatically be installed in your project.

Recommendations

Our primary recommendation is to be careful. Know what you are installing and know what your dependencies and their dependencies down the tree are installing. You should definitely go through your projects now and see if any of the modules you depend on have been unpublished as well as if any of them are on this list and have recently published new versions that you may want to avoid until you verify it is safe. Though we haven’t spoken with them directly, we are sure the folks at npm, inc. are working hard on a way to address these concerns but until then, be vigilant and keep your projects and plugins safe. We have believed for a while and continue to believe that JavaScript has been and will continue to be one of the strongest options for developing everything from your personal blog to enterprise class applications. With any technology, we will have hiccups along the way but as long as we learn from them and retain that knowledge as we continue on, JavaScript will prevail.
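To make the ^ behaviour described above concrete, here is an added example (not code from the jQuery Foundation or from npm) that implements npm’s caret-range rule for a constructed list of published versions and flags package.json entries that are not pinned to an exact version. The package name and the version list are constructed sample data, not real registry contents.

```javascript
// Added example: caret ("^") range semantics as npm applies them, plus a
// check for unpinned dependencies in a package.json object.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// npm caret rule: ^1.2.3 allows >=1.2.3 <2.0.0; ^0.2.3 allows >=0.2.3 <0.3.0;
// ^0.0.3 allows only 0.0.3. The leftmost non-zero component is frozen.
function caretSatisfies(range, candidate) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const c = parseVersion(candidate);
  if (compareVersions(candidate, baseStr) < 0) return false;
  if (base.major > 0) return c.major === base.major;
  if (base.minor > 0) return c.major === 0 && c.minor === base.minor;
  return c.major === 0 && c.minor === 0 && c.patch === base.patch;
}

// Pick the highest published version that a spec (exact or caret) allows,
// which is what a fresh install would pull in. Returns null if none match.
function resolve(spec, published) {
  const ok = spec.startsWith('^')
    ? published.filter(v => caretSatisfies(spec, v))
    : published.filter(v => compareVersions(v, spec) === 0);
  if (ok.length === 0) return null;
  return ok.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// List dependencies whose spec is a range rather than an exact x.y.z version.
function unpinnedDependencies(pkg) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  return Object.entries(deps)
    .filter(([, spec]) => !/^\d+\.\d+\.\d+$/.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample data: 1.0.0 is what the project originally installed;
// 1.0.1, 1.1.0 and 2.0.0 stand in for releases published afterwards.
const PUBLISHED = ['1.0.0', '1.0.1', '1.1.0', '2.0.0'];
const SAMPLE_PKG = {
  dependencies: { 'left-pad': '^1.0.0' },
  devDependencies: { 'sample-tool': '1.18.0' },
};

function demo() {
  return {
    // versions a reinstall with ^1.0.0 could pick up: 1.0.0, 1.0.1, 1.1.0
    caretPullsIn: PUBLISHED.filter(v => caretSatisfies('^1.0.0', v)),
    caretResolves: resolve('^1.0.0', PUBLISHED),   // 1.1.0, the newest minor
    pinnedResolves: resolve('1.0.0', PUBLISHED),   // 1.0.0, unchanged
    unpinned: unpinnedDependencies(SAMPLE_PKG),    // only left-pad
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running unpinnedDependencies over your own package.json (and those of your dependencies) is a quick way to see which entries would silently accept a newly published patch or minor release.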

jQuery Foundation and Dojo Foundation to Merge

United Foundation to Advance the Open Web by Serving Developers

The jQuery Foundation and Dojo Foundation today announce plans to combine forces to form the largest, most diverse and most comprehensive Foundation committed to building the Open Web by serving developers, their projects and their communities.

“This merger elevates Web accessibility, openness and developer education, and will advance the Open Web and improve the developer experience significantly,” said Kris Borchers, jQuery Foundation Executive Director. “Every Open Source project needs community, governance and technical resources to succeed. By joining forces, we make growing community easier, we streamline and simplify processes and we offer unrivaled resources to projects and developers alike.”

“The Dojo Foundation project leads and I are all very excited to be joining up with the jQuery Foundation,” said the Dojo Foundation President Dylan Schiemann, who will join the jQuery Foundation board with the merger. “We share a common mission, purpose and approach, and our combined ability to serve the needs of the JavaScript development community is going to take the Open Web to new heights.”

Timmy Willison, jQuery Core Project Lead, agreed, adding, “I’m a big fan of Dojo projects and the Dojo Foundation. I am excited and honored to work alongside such capable, talented developers and I look forward to discovering what we can achieve together.”

“Some of the most innovative developer ideas are coming out of the JavaScript community and our clients see a great deal of value from it,” said Todd Moore, Vice President IBM Open Technology. “We are excited to see the jQuery Foundation and the Dojo Foundation joining forces in an open collaborative developer oriented environment.”

Said James Burke, Project Lead for RequireJS, “I have contributed to projects that have been under both Foundations, and I appreciate how both make it easy for people to start contributing in a welcoming environment by keeping the legal and mechanical processes as low-friction as possible. Both Foundations are also committed to creating maximally-useful code through very permissive Open Source means. By combining their efforts, I believe it will be easier for new projects to choose this successful approach.”

John-David Dalton, Lo-Dash project lead, added, “Combining the resources of the Dojo and jQuery Foundations is a win for developers. Among the many advantages this merger will bring, consolidating CLAs and streamlining processes will make it much easier for projects to grow and better serve the application developer community.”

With this merger, the jQuery Foundation continues to move toward its mission to make the web accessible to everyone. By adding the projects of the Dojo Foundation to the family of projects it supports, the Foundation is able to reach a larger community of developers in its efforts to increase diversity and accessibility in its projects and the open web as a whole. This is just the first major step in the jQuery Foundation’s plans to further serve developers.

Esprima 2.1 Released

We’ve just released Esprima 2.1.0! This release introduces support for several new pieces of ES6 syntax: Classes, Rest Parameters, Computed Property Names, let and const. See the release notes below for full details. We’ve also made various improvements to our testing infrastructure to make the codebase more contributor friendly. A big thank you to all those who contributed patches to this release: Ariya Hidayat, Bei Zhang, Brandon Mills, Mike Rennie, Mike Sherov.

While working on bringing more ES6 features to Esprima, we began collaborating with other JavaScript parsers and parser consumers to help define a community standard for JS AST generation. The result of that effort is the ESTree spec, located here: https://github.com/estree/estree. We wanted to say thank you to all who are contributing, which includes members from Esprima, the Mozilla SpiderMonkey parser, the Acorn parser, and Babel, to name a few. A full list of contributors is located here: https://github.com/estree/estree/blob/master/README.md

Expect a 2.2 release to follow in a few weeks bringing even more ES6 support. If you’d like to help contribute, we hang out in the #esprima room on Freenode IRC, and have a weekly meeting at 2PM ET on Wednesdays in #esprima-meeting on Freenode IRC as well. We look forward to seeing you there!

Release Notes

  • Support ES6 class #1001
  • Support ES6 rest parameter #1011
  • Support ES6 computed property name #1037
  • Support ES6 lexical declaration #1065
  • Expand the location of property getter, setter, and methods #1029
  • Enable TryStatement transition to a single handler #1031
  • Tolerate unclosed block comment #1041

Famo.us Joins the jQuery Foundation

In case you haven’t heard, Famous Industries (Famo.us) announced today that they are joining the jQuery Foundation as a Founding-level member. Famo.us joins our other Founding-level members, WordPress and IBM, and our growing list of member companies, who recognize the power and importance of the jQuery Foundation’s open governance for JavaScript technologies.

For those who are not familiar with Famo.us, they offer a free, open source JavaScript platform that enables engineers to build beautiful, cross-platform web apps. It is the only framework that provides an open source 3D layout engine fully integrated with a 3D physics-based animation engine that can render to DOM, Canvas, or WebGL.

Famo.us also provides extensive free training, examples, and tutorials through Famo.us University. Their live coding environment allows students to see their code rendered in real time and work through topics at their own pace. We plan on taking advantage of their passion for education by partnering with Famo.us to deliver a top notch developer event in San Francisco in mid 2015 (stay tuned!).

Today, jQuery continues to be one of the most preferred JavaScript libraries available with 8 out of 10 of the top JavaScript enabled websites and over 60% of the top one million websites* choosing jQuery-enabled libraries. As our community grows and continues to innovate, so do we. This makes the support of our members more critical than ever.

We are working on a number of new initiatives: Making improvements to how our innovative technical community collaborates. Famo.us has a number of widgets they intend to make available as jQuery plugins and we look forward to taking advantage of their support and expertise as we work to improve the extended community guidance around jQuery plugins.

Famo.us developers will be joining our technical efforts so please say ‘hello’ and make them feel welcome. Co-founder and CEO Steve Newcomb has been elected to the jQuery Foundation board of directors. We look forward to benefiting from the unique perspectives, business acumen and life experiences Steve will bring to our board in helping us move forward toward accomplishing our mission.

It’s going to be a great partnership and a busy New Year. With that, please join us and give Famo.us a shout out and welcome them to the jQuery Foundation!

*stats from BuiltWith.com

Improving the Pointer Events Polyfill

Today, we’re excited to announce that Google has transferred its Pointer Events polyfill to the jQuery Foundation. This polyfill was originally written by Google’s Polymer team but since Google has chosen to put their Pointer Event implementation on hold, we engaged to ensure that the polyfill is maintained and continues to be a tool developers can use as a path to the eventual native implementation in all browsers. Many thanks to Google and the Polymer Team for allowing us to build off their work and continue development.

The jQuery Foundation has been, and continues to be a strong proponent of standards and we are specifically strong proponents of the Pointer Events standard because it will simplify the way web developers handle user interactions. Today developers are saddled with two very different event models for mouse and touch, even though they share many similarities. The result is often code that has a myriad of special cases, particularly when the device itself generates “fake” mouse events from touches. The jQuery Foundation hopes to drive developer adoption of this unified event system. Our goal is to have all browsers implement this standard natively.

Just yesterday, the W3C took the Pointer Events specification to the Proposed Recommendation stage. This makes Pointer Events one step closer to a finished standard and gives browsers a solid base on which to implement these APIs. Some browsers have even begun their implementation. Unsurprisingly, Internet Explorer, where the first implementation of Pointer Events began before being submitted to the W3C for standardization, has implemented Pointer Events, and Firefox has a branch of their code base implementing Pointer Events which they intend to port to all versions of Firefox. Both of these implementations recently passed 100% of the Pointer Events test suite, so implementation is progressing nicely.

We want to thank Microsoft Open Technologies for their hard work on Pointer Events and their continued support. We also want to thank IBM, Mozilla, Google, Dojo and the many other organizations and individuals that have helped and continue to help make developers lives easier through the creation, fostering and promotion of new standards like Pointer Events. If you want to get involved or just want to start using Pointer Events in your projects, head over to the new Pointer Events repo and check it out.

jQuery.com September 2014 Security Retrospective

During the last two weeks of September, we found our way into the headlines due to a series of attacks on our web servers. Today, we wanted to give everyone a brief update on the status of our websites and a recap of what happened over the last two weeks.

jQuery Under Siege

Early on the morning of September 18th we were hit with a DDoS and went offline. We were down for a couple of hours. The sites were brought back up later that day on September 18th and all seemed well.

Later, during the afternoon of September 18th, we were contacted by a security company named RiskIQ reporting that their crawler had detected malware being served by our content sites. There were never any reports that the jQuery libraries or the CDN were compromised. Immediately upon receiving that report, we completely destroyed and reimaged all of those machines, revoked and reissued all associated SSL certificates, and confirmed that there was no suspicious content being served at that point. Since then, our own team and security folks from Mozilla and MaxCDN have worked to analyze logs and attempt to confirm the impact of this attack.

On September 23rd, RiskIQ went public with their report which picked up steam throughout the day on various media outlets and Twitter. The next morning, September 24th, as DDoS attacks on our properties continued to increase both in frequency and magnitude, CVE-2014-6271, otherwise known as the ShellShock vulnerability, was issued. As we continued to respond to the media discussion and communicate to the community what had happened on September 18th, we were victimized again in a series of much more public attacks involving the repeated defacing of jquery.com.

Investigations into our systems have yet to find the initial attack vector. However, we did take some steps to make ourselves more secure. For instance, some of our WordPress installs were out of date, all of our servers were vulnerable to the recent shell vulnerabilities, NGINX was slightly out of date, and a few other patches were needed as well. The infrastructure team dove in and began making those changes and started building new, fully patched and secured servers to host our sites. It appears these changes were effective, as the defacing stopped and we have not seen any evidence of intrusion since.

Later on September 24th, a massive and unrelenting DDoS attack began. It seemed as though it would come in waves, but did not stop until late on September 28th. Most of the time on September 26th and 27th was spent trying to implement various products and solutions in order to keep the servers alive. We fought day and night to try to keep the sites up. We have to commend Corey Frang, Adam Ulvi, the rest of the infrastructure team, and others; they worked through the nights and in alternating shifts to try to keep us on the internet. Without their efforts, we would not have had the short amounts of uptime we did. One significantly important step that we took was to reach out to CloudFlare, who generously and rapidly gave us access to their Enterprise service which has helped tremendously in mitigating these attacks.

Moving Forward

jQuery and the jQuery Foundation are important to the web ecosystem, as is evident from the amount of press and the number of concerned individuals and organizations that have reached out to ask questions about this attack. The jQuery Foundation works on a daily basis to maintain and improve our projects and the infrastructure around those projects. The goal of this work is to continue to make web developers’ jobs easier and make sure they have a voice in the world of standards and browsers. However, these objectives take a large quantity of resources. Whether those resources are provided by access to expertise of a company’s employees or services, or through financial support, we would be unable to continue this important work without the support of the open source community and our supporting members.

We have been asked several times throughout this ordeal about why we didn’t have XYZ service in place or why we didn’t have our security team keeping a closer eye on these types of risks. The simple answer is that our budgets are tight and resources are limited. Our infrastructure team, and most of our teams for that matter, are made up of volunteers who give their time for free to make sure things keep running. The Heartbleed and ShellShock vulnerabilities are recent examples of how badly things can go when open source projects are taken for granted and just assumed to be OK. Eventually something is going to fall through the cracks and those cracks become larger and more frequent when people are doing what they can in their spare time.

So how can you help? As an individual, get involved in one of our projects. We can always use help writing code, designing, maintaining servers, working on events and the list goes on. Take a look at contribute.jquery.org or come say hi on IRC in one of our many channels listed on irc.jquery.org. As an organization, we would love to hear about any service you may be willing to donate, any developers or other skilled professionals that you could spare for a few hours a week or if you can help financially. Send us a message at membership@jquery.org and let us know how you can help.

We haven’t wanted to say too much about these attacks as they have been happening because we remain a juicy target in the eyes of hackers who are continuing to attempt to infiltrate our servers even as of this writing. In sharing all of this information with the community now, we’ve tried to balance the need to explain what’s been happening with the potential backlash that could happen as a result of coming out publicly and saying that we believe we have the situation under control.

That said, we do at this point believe that we have the situation under control. For this, a huge thanks is due to the entire jQuery infrastructure team, who rolled up their sleeves and worked tirelessly on these issues to get us back to a good place. We will continue to be vigilant in ensuring the reliability and safety of all of our resources for our community of users.

The (Not Just) jQuery Foundation

The jQuery Foundation’s mission has always been about more than just our namesake projects of jQuery, jQuery UI, and jQuery Mobile. We already host several projects such as Sizzle, QUnit and Globalize that are not dependent on the jQuery library.

This wider web-oriented mission is evident in our jQuery Conferences, which span a wide range of developer concerns beyond jQuery, including Node, CSS, tooling, testing and much more. Over the years we’ve had talks on build tools, accessibility, security, performance, design patterns, and frameworks such as Ember and Angular. At our San Diego conference this past February, for example, Lenny Markus gave a great talk on PayPal’s continuing adoption of Node as they move away from Java and proprietary solutions, Catherine Farman talked about real world responsive design, and John Dimm gave a talk on the HTML5 speech APIs.

The jQuery Foundation is participating in the continuing evolution of the web platform via our memberships in both the W3C and ECMA TC39 (The group standardizing what we know as JavaScript). We feel that it’s essential to have strong representation in those standards groups to ensure they meet the needs of developers. The Foundation provides a platform for developers to have a voice in these standards bodies.

Beyond the technical compatibility between our projects, we also share the open source model and all the benefits it provides. The Foundation adds the benefit of a top-level structure designed to serve the projects, providing the resources they need but letting the contributors decide the best direction for the project based on community input. Any project that joins the Foundation is given the ability to serve their community’s needs rather than be constrained by the goals of a for-profit company.

Though this has been our mission for a long time, we felt we needed to make this clearer. We are excited to start bringing this part of our mission into the light and start actively working toward a more open web accessible to everyone. If you are excited as well, please help us. Contribute your time to Foundation projects. Offer your company’s services. If you or your company have an established open source project that you believe could benefit everyone and flourish by becoming part of the jQuery Foundation, check out our philosophy around projects joining the Foundation and let us know you’re interested. If you would rather just support the existing and future projects of the Foundation through financial support, become a member of the Foundation. Open source projects will only thrive if everyone who benefits from them contributes back in whatever way they can.

Supporting the Cause, Improving the Web

To help the jQuery Foundation accomplish its mission to improve the open web and make it accessible to everyone, we established a membership program where organizations and individuals could join the foundation to help us support our goals. In return, members are recognized both on our websites and at conferences. Since that time, a number of companies, large and small, as well as individuals, have stepped up to support the foundation and continued success of the jQuery projects. A full listing of our members is available on the member page on jquery.org.

Corporate Memberships

Corporate memberships are available in several levels based on support, ranging from Bronze to Platinum. Beyond those levels is our top level membership called our Founding members. Currently, WordPress is our single Founding member at this time and they are a huge part of the jQuery Foundation mission and we would like to say a special thank you to them. We would not be here if it wasn’t for the support of WordPress and our many corporate members at every level.

So what does a member get in return for their support of the Foundation? Depending on the level of support, there are a number of ways we recognize and thank our members. Every member is recognized on the member page. As you progress up through the different levels of membership, more benefits become available, such as conference recognition, free and reduced price conference sponsorship packages, invitations to team meetings to discuss the development and direction of the jQuery projects, and even the ability to host jQuery licensed events of your own. For more information about the corporate membership program, e-mail us at membership@jquery.org.

I’m not a Corporation, how can I help?

We’re glad you asked. The jQuery Foundation also has an individual membership program where people can donate smaller amounts to help support the Foundation and in return, we send out some cool jQuery branded gear. When the program started, we offered three levels of membership for individuals. That just got too complicated for both the members joining as well as the folks managing the payment and gift fulfillment. There is now only one level of individual membership at the $400 per year level. If you think about it, that’s really only a little more than $1/day to help keep the jQuery Foundation running. You can see all of our individual members listed on the member page. As new members are added, they will be listed as Heroes until the transition from a 3-tier to 1-tier program is complete and everyone has merged into a single list of Individual Members. If all of this has got you itching to become part of the next wave of individual members, head on over to https://jquery.org/join/ and join our ranks.

Membership may not be an option for everyone, but there are still ways you can support the Foundation’s work. The first way is through donations. The jQuery Foundation accepts donations, both large and small, through PayPal. If that’s an option that interests you, check out our donate page. Another way to help the foundation is by grabbing yourself a nice shirt or some stickers over at DevSwag. We have partnered with DevSwag, as many other open source projects have, to license the sale of official jQuery branded clothing and other items and a portion of the proceeds from those items are donated to the jQuery Foundation.

No matter if you’re a company or an individual, we hope you’ll take the time to consider supporting the jQuery Foundation to keep us working toward making the web accessible to everyone.

One Last Thing …

We thought we would let you know one more time about the upcoming jQuery Conference in San Diego. The conference is February 12-13 and is preceded by Bocoup’s 2 day training conference Roost on February 10-11. Don’t forget to take $50 off your ticket to one or both of these events using discount code jqblog50 at checkout!