The OpenJS Foundation is working to reduce potential security risks for jQuery, with support from the OpenSSF’s Project Alpha-Omega.
jQuery Security Progress Report – Infrastructure Updates & End-user Risk Audit
OpenSSF has committed $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.
The goals are to update the infrastructure, identify security risks and pain points for end users, and understand what triggers or hinders the adoption of new software versions.
OpenJS Foundation has made significant progress modernizing the infrastructure for jQuery by providing direct support to the project's long-term maintainers. First steps have included working through a backlog of improvements. Work completed as of late January 2023 includes:
jQuery uses Puppet to automate server provisioning. All new servers provisioned as part of this initiative are developed in public at github.com/jquery/infrastructure-puppet and managed by a new Puppet server running on the latest stable version of Debian. Previously, the project's provisioning code was kept private because secret tokens were mixed in with the infrastructure code. The new setup keeps the manifests public and reviewable, and limits the private repository to storing infrastructure secrets.
The project's server fleet was last refreshed in 2016 and was managed by Puppet 3, a release line that reached end-of-life at the end of that same year. Some older servers still ran Debian 7, released in 2013. The new servers all run Debian 11 ("Bullseye") as the Linux distribution of choice, managed via Puppet 7.
Server provisioning was rewritten from scratch following current best practices, with few or no external dependencies to minimize exposure. The base setup for all servers also adds tighter firewalls, limits package installations to officially supported Debian channels, improves access control, and enables automatic security updates going forward.
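To make the base setup described above concrete, here is an added example of a Puppet 7 base profile for a Debian 11 host. It is not code from jquery/infrastructure-puppet; the class name, the Hiera key, the monitoring token path and the open port are hypothetical. It shows the four points the paragraph makes: apt restricted to official Debian channels, unattended security upgrades, a default-deny host firewall, and a secret that lives in a separate private Hiera repository and is only referenced by key name from the public manifest.

```puppet
# Added example, not from jquery/infrastructure-puppet. Hypothetical names throughout.
class profile::base_debian (
  # The token itself lives in Hiera in the private repo; only the key name is public.
  String $monitoring_token = lookup('profile::base_debian::monitoring_token'),
) {
  # 1. Only officially supported Debian channels; sources.list is authoritative.
  file { '/etc/apt/sources.list':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(SOURCES),
      deb https://deb.debian.org/debian bullseye main
      deb https://deb.debian.org/debian bullseye-updates main
      deb https://security.debian.org/debian-security bullseye-security main
      | SOURCES
    notify  => Exec['apt-update'],
  }

  # Purge any unmanaged drop-in repositories (third-party or hand-added).
  file { '/etc/apt/sources.list.d':
    ensure  => directory,
    recurse => true,
    purge   => true,
    force   => true,
  }

  exec { 'apt-update':
    command     => '/usr/bin/apt-get update',
    refreshonly => true,
  }

  # 2. Automatic security updates. Debian's default 50unattended-upgrades already
  #    selects the Debian-Security origin, so only the periodic switch is needed.
  package { ['unattended-upgrades', 'apt-listchanges']:
    ensure  => installed,
    require => Exec['apt-update'],
  }

  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    ensure  => file,
    mode    => '0644',
    content => @(APT),
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      | APT
    require => Package['unattended-upgrades'],
  }

  # 3. Host firewall: default-deny inbound; roles layer their own ports on top.
  package { 'nftables': ensure => installed }

  file { '/etc/nftables.conf':
    ensure  => file,
    mode    => '0600',
    content => @(NFT),
      #!/usr/sbin/nft -f
      flush ruleset
      table inet filter {
        chain input {
          type filter hook input priority 0; policy drop;
          ct state established,related accept
          iif lo accept
          meta l4proto { icmp, ipv6-icmp } accept
          tcp dport 22 ct state new accept
        }
        chain forward { type filter hook forward priority 0; policy drop; }
        chain output  { type filter hook output  priority 0; policy accept; }
      }
      | NFT
    notify  => Service['nftables'],
  }

  service { 'nftables':
    ensure  => running,
    enable  => true,
    require => Package['nftables'],
  }

  # 4. The secret lands on disk root-only; Sensitive keeps it out of reports and logs.
  file { '/etc/monitoring-agent/token':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => Sensitive($monitoring_token),
  }
}
```

The important design choice is the last block: because the value is fetched through `lookup()`, the manifest can be published and reviewed without exposing anything, and the Hiera data directory can sit in a separate repository with restricted access, which is the split the paragraph above describes.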
The backend for the jQuery CDN at code.jquery.com was split off onto its own servers, separate from other jQuery sites, instead of being co-located on servers that also hosted the releases.jquery.com website. This reduces the attack surface of the CDN service, given its wide reach. The new servers run the latest version of Debian and their provisioning is fully automated with Puppet.
New servers for gruntjs.com and stage.gruntjs.com are now online and fully provisioned with the latest version of Debian. Access logs are no longer kept on the server, and traffic between the CDN and the origin server is now always encrypted. Linux was upgraded from Debian 7 (end-of-life as of 2018) to Debian 11, and Node.js was upgraded from v10 to v12, now installed from Debian-provided packages so that it receives security updates automatically through Debian's own channels rather than from upstream. The CDN configuration has been improved to use TLS 1.3 where available, for improved security and performance.
The Contentorigin service hosts legacy static assets, including videos and the jQuery Podcast. It received the same updates and improvements as the jQuery CDN and gruntjs.com.
Old servers hosting previous, now-unused versions of the Contributor License Agreement (CLA) workflow were taken offline.
Along with updating key parts of the jQuery infrastructure, and as part of the process of better understanding the security risks for jQuery, the OpenJS Foundation has engaged International Data Corporation (IDC) to conduct a global survey in support of an end-user risk audit of jQuery.
jQuery is used by 77% of the 10 million most popular websites, according to W3Techs. jQuery is still popular and widely used, but the security risks carried by an installed base that large, and the reasons sites do or do not move to newer versions, are not yet well understood.
IDC is a well-known analyst firm and a global provider of market intelligence, advisory services, and events for the IT, telecommunications, and consumer technology markets. The IDC research team for this project consists of experts in the open source software (OSS) ecosystem, DevSecOps, and software development, and includes respected analysts Al Gillen (Group Vice President, Software Development and Open Source), Jim Mercer (Research Vice President, DevOps & DevSecOps), and Katie Norton (Senior Research Analyst, DevOps & DevSecOps).
The global survey will gather insights into the end-user experience of security and software adoption. The research is being conducted across the US, Canada, the United Kingdom, Germany, and France, with translations in German and French.
The team will continue to make updates to the infrastructure, and we’ll be posting about the progress on our OpenJS blog in the coming months.
You can get involved by engaging with us in various ways: