jQuery Security Progress Report –  Infrastructure Updates & End-user Risk Audit

The OpenJS Foundation is working to reduce potential security risks for jQuery, with support from the OpenSSF’s Project Alpha-Omega. 

OpenSSF has committed $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code. 

The goal is to update the infrastructure, identify potential security risks and pain points for end-users, as well as to understand the triggers and factors that influence the adoption of new software versions.

Progress to date – Infrastructure & Security updates on jQuery ecosystem

OpenJS Foundation has made significant progress modernizing the infrastructure for jQuery by providing direct support to the long-term maintainers of the project. First steps have included working through a backlog of improvements. Work completed as of late January 2023 include:

Puppet infrastructure

jQuery uses Puppet to automate server provisioning. All new servers provisioned as a part of this initiative are developed in public at github.com/jquery/infrastructure-puppet and managed by a new Puppet server running on the latest stable version of Debian. Previously, the project’s server provisioning was kept private due to secret tokens being mixed in with infrastructure code. The new setup limits the private repository to storing infrastructure secrets.

Security improvements

The project’s server fleet was last refreshed in 2016, managed by Puppet 3 released that same year. Some older servers still ran Debian 7, released in 2013. The new servers all run with Debian 11 (“Bullseye”) as the Linux distribution of choice, managed via Puppet 7.

Server provisions were rewritten from scratch with the latest best practices and a few or no dependencies to minimize exposure.  The base setup for all servers also adds tighter firewalls, limits package installations to officially supported Debian channels, improves access control and enables automatic security updates going forward.

jQuery CDN

The backend for the jQuery CDN at code.jquery.com was split off to its own servers, separate from other jQuery sites, instead of being co-located on servers that also host releases.jquery.com website. This is to reduce the available attack surface on the CDN service given its wide reach. The new servers are running the latest version of Debian and the provisioning was fully automated using Puppet.

Grunt website

New servers for gruntjs.com and stage.gruntjs.com are now online and fully provisioned with the latest version of Debian. Access logs are no longer kept on-server, traffic between CDN and origin server is now always encrypted, Linux was upgraded from Debian 7 (end-of-life as of 2018) to Debian 11, Node.js was upgraded from v10 to v12 (now using Debian-provided packages with automatic security updates). The CDN configuration has been improved to utilize TLS 1.3 where available, for improved security and performance.

Contentorigin migration

The Contentorigin service hosts legacy static assets, including videos and the jQuery Podcast. The Contentorigin service received similar updates and improvements as the jQuery CDN and gruntjs.com.

CLA infrastructure

Old servers hosting previous, now-unused versions of the Contributor License Agreement (CLA) workflow were taken offline.

Working with International Data Corporation (IDC)

Along with updating key parts of the jQuery infrastructure, and as part of the process of better understanding the security risks for jQuery, the OpenJS Foundation has engaged International Data Corporation (IDC) to conduct a global survey in support of an end-user risk audit of jQuery.

jQuery is used by 77% of the 10 million most popular websites, according to W3Techs. jQuery is still popular and widely used, but there are security issues that need to be more fully understood. 

IDC is a well-known analyst firm, a global provider of market intelligence, advisory services, and events for IT, telecommunications, and consumer technology markets. The IDC research team for this project consists of experts in the open source software (OSS) ecosystem, DevSecOps, and software development, and include respected analysts Al Gillen Group Vice President, Software Development and Open Source, Jim Mercer Research Vice President, DevOps & DevSecOps and Katie Norton Senior Research Analyst, DevOps & DevSecOps. 

The global survey will gather valuable insights into the end-user experience for security and software adoption. The research is being conducted across the US, Canada, United Kingdom, Germany, and France; with translations in German and French.

What’s Next

The team will continue to make updates to the infrastructure, and we’ll be posting about the progress on our OpenJS blog in the coming months.

Get Involved with Project Alpha-Omega!

You can get involved by engaging with us in various ways:

• Slack: We watch the #alpha_omega Slack channel.
• Mailing List: Join the alpha-omega-announcements mailing list to be notified of upcoming developments.
• Contact Us: Let us know you’d like to get involved.