OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web

By: Robin Ginn, Executive Director, OpenJS Foundation and Brian Behlendorf, General Manager, OpenSSF

Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.

This is the second funded project coming from the OpenSSF to the OpenJS Foundation, the neutral home for JavaScript and the web. Earlier this year OpenSSF selected Node.js as its initial project, committing $300,000 to focus on improving supply chain security. 

OpenJS, working with the jQuery maintainers and industry experts, will undertake three core initiatives under this grant: an ecosystem risk audit, an expansion of its infrastructure modernization project, and a web modernization campaign.

“There’s a lot of work to be done to help secure the consumer web,” said Michael Scovetta, Alpha-Omega co-lead and Principal Security PM Manager at Microsoft. “We believe partnering with the vendor-neutral OpenJS Foundation is a great way to communicate out broadly to developers and to work with technology partners to reduce potential security incidents for jQuery. This is a wide ranging effort that is by no means simple.” 

jQuery Core is still actively maintained, and the maintainers have taken steps to consolidate and modernize its infrastructure with support from the OpenJS Foundation including migrating and improving its CDN. jQuery is still used by 77% of the world’s top 10 million websites, but one-third of those sites are still using 15-year-old legacy jQuery 1.x when they should be using a much more current version.

As part of its modernization initiative, OpenJS Foundation has also helped jQuery with two projects under the jQuery umbrella through a careful transition: jQuery UI and jQuery Mobile. However, there is much work to be done to fully understand and mitigate potential risks.  

“The use of ubiquitous technologies like jQuery is invisible to most, however potential problems could affect millions of websites. And, there’s no one-size-fits-all solution. This is exactly the type of project that the OpenSSF is looking to support, and we are excited to be working on our second project with the OpenJS Foundation, helping to advance open source security for all,” said Michael Winser, Alpha-Omega co-lead and Group Product Manager for Software Supply Chain Security and CI/CD at Google. “We are pleased to be committing to this project with the OpenJS Foundation and jQuery.”

The OpenJS Foundation  and OpenSSF are looking forward to working closely together to help developers around the globe improve their open source security readiness!