Skip to content

refactor: drop legacy rs/jquery + drop resource-server-content overlay#113

Open
bjagg wants to merge 2 commits into
uPortal-Project:masterfrom
bjagg:chore/resource-server-consolidation
Open

refactor: drop legacy rs/jquery + drop resource-server-content overlay#113
bjagg wants to merge 2 commits into
uPortal-Project:masterfrom
bjagg:chore/resource-server-consolidation

Conversation

@bjagg
Copy link
Copy Markdown
Member

@bjagg bjagg commented May 7, 2026
edited
Loading

Summary

Three commits — release-plugin commits from a prior 2.1.1 release cycle that didn't get pushed, plus the actual work:

  1. da39d63 — release plugin prep for 2.1.1 (already-released)
  2. 0453e6f — release plugin post-2.1.1 SNAPSHOT bump
  3. 677110b (prior) — drop legacy rs/jquery loads + retire <rs:compressJs> taglib wrappers; the source-side consolidation.
  4. 9df8b28 (new) — drop the resource-server-content WAR overlay (dep + maven-war-plugin extract). The overlay was unpacking lodash 4.17.4 (4 CVEs), underscore, backbone, modernizr, normalize, and jquery-plugins into the WAR for nothing, plus an explicit extract of rs/jquery/1.6.1/ and rs/jqueryui/1.8.13/ — none referenced after 677110b.

Why this is safe

  • grep -rEn '/CoursesPortlet/rs/' courses-portlet-webapp/src/ returns no matches after 677110b.
  • jQuery is loaded by uPortal core's chrome via /resource-server/webjars/jquery/....

Test plan

  • mvn clean install -DskipTests builds (verified locally on Java 11)
  • WAR has no rs/ directory (verified)
  • Smoke: /p/courses/?pCm=view and admin views render without missing-resource errors

@bjagg
refactor(courses-portlet): drop legacy rs/jquery + retire <rs:compres…
677110b 
…sJs>

Problem: CoursesPortlet stacked three jQuery loads — the bedrock 4.0
from the parent skin, jQuery 1.9.1 + jQuery UI 1.8.13 in resources.xml,
and an additional jQuery 1.4.2 in whatIf.jsp. The 1.x line carries
known XSS CVEs (CVE-2011-4969, CVE-2012-6708, CVE-2015-9251 for jQuery;
CVE-2010-5312, CVE-2012-6662, CVE-2016-7103 for jQuery UI).
Separately, every grades*.jsp wrapped its inline JS in
<rs:compressJs>, a JSP tag that the resource-server-utils maintainers
have already converted to a pass-through (@deprecated; minification
moved to esbuild) — the wrapper does nothing and clutters the markup.

Goal: bring CoursesPortlet onto the bedrock jQuery 4.0 + jquery-migrate
+ jquery-ui 1.14.2 (loaded by the parent skin) and remove the dead
compressJs wrappers, ahead of retiring the legacy ResourceServingWebapp
overlay.

Changes:
- courses-portlet-webapp/src/main/webapp/resources.xml: drop the
  /rs/jquery/1.9.1 and /rs/jqueryui/1.8.13 <js resource="true"> lines;
  add a comment recording the bedrock pin.
- courses-portlet-webapp/src/main/webapp/WEB-INF/jsp/degreeprogress/whatIf.jsp:
  drop the per-page jQuery 1.4.2 <script> tag. The script body's
  jQuery.noConflict(true) call now operates on the bedrock 4.0 instance
  and works through jquery-migrate.
- courses-portlet-webapp/src/main/webapp/WEB-INF/jsp/{final-grades,mycourses,myuwcourses}/grades*.jsp
  (6 files): remove the <rs:compressJs>...</rs:compressJs> wrappers
  around the inline JS. Body content unchanged.

Notes: the bundled plugins (jquery.timetable.js, jquery.log.js) use the
standard (function($){...})($) IIFE pattern — they keep working on
jQuery 4.0 via jquery-migrate. Not runtime-verified in this pass —
CoursesPortlet isn't in uPortal-start's overlay set; ships at the next
CoursesPortlet release.
@Naenyn
Copy link
Copy Markdown
Contributor

Naenyn commented May 8, 2026

I believe a little more needs to happen in order for this portlet to work properly with the resource-server updates:

The core issue is that CoursesPortlet's JavaScript still does jQuery.noConflict(true) which steals the global jQuery reference, and its resources.xml aggregates JS files (like jquery.log.js and debug.js) that reference bare jQuery — but no jQuery is actually bundled with the portlet anymore since the old overlay paths (rs/jquery/1.6.1/) don't exist in the current resource-server-content.

The pattern used by working portlets (like CalendarPortlet) is simple: they just use up.jQuery (the portal-provided jQuery) and don't try to bundle their own.

Here's what needs to happen in CoursesPortlet:

1. coursesPortlet.js — remove the noConflict(true) pattern and just use up.jQuery:

// Old (broken):
if (!coursesPortlet.jQuery) {
    coursesPortlet.jQuery = jQuery.noConflict(true);
}

// New:
if (!coursesPortlet.jQuery) {
    coursesPortlet.jQuery = up.jQuery;
}

2. debug.js — use up.jQuery instead of bare jQuery:

(function ($) {
    "use strict";
    $.debug(true);
}(up.jQuery));
3. jquery.log.js — same issue, the IIFE wraps with })(jQuery) at the bottom. Needs to be })(up.jQuery).

4. 

pom.xml
 — the overlay still references rs/jquery/1.6.1/ and rs/jqueryui/1.8.13/ which no longer exist. Those includes should be removed.

The PR's resources.xml comment says the old jQuery was removed, but the JS files weren't updated to stop expecting a bundled jQuery.

@Naenyn Naenyn self-requested a review May 8, 2026 00:36
Naenyn
Naenyn requested changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Naenyn Naenyn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see my comment here: #113 (comment)

@bjagg
chore(deps): drop resource-server-content overlay (lingering lodash +…
9df8b28 
… dead libs)

Problem: CoursesPortlet's webapp module declared a runtime <dependency>
on the resource-server-content WAR overlay plus a maven-war-plugin
<overlay> config that pulled in rs/jquery/1.6.1/ and rs/jqueryui/1.8.13/.
The overlay also unpacked the entire rs/* tree of legacy libraries
(lodash 4.17.4 with 4 known CVEs, underscore, backbone, modernizr,
normalize, plus jquery-plugins) into the WAR for nothing — none of
which any source file references after 677110b removed the legacy
jquery/jqueryui paths and the <rs:compressJs> wrappers.

Goal: drop the entire overlay (dep + maven-war-plugin extract).
Required jQuery is loaded by uPortal core's chrome via
/resource-server/webjars/jquery/...; CoursesPortlet's source no longer
reaches into /CoursesPortlet/rs/... or /ResourceServingWebapp/rs/...

Changes:
- courses-portlet-webapp/pom.xml: drop the runtime <dependency> on
  resource-server-content; drop the maven-war-plugin <overlay>
  config that extracted rs/jquery/1.6.1/ and rs/jqueryui/1.8.13/.
  resource-server-utils is unchanged (still provides the rs:* taglibs
  used elsewhere in the parent pom hierarchy).
- pom.xml (parent): drop the now-orphaned <dependencyManagement>
  entry for resource-server-content; no submodule pulls it any more.

Notes: paired with 677110b which did the source-side path swap +
<rs:compressJs> retirement. WAR size shrinks meaningfully; reviewers
can verify with `unzip -l courses-portlet-webapp/target/*.war | grep
'rs/'` returning empty.
@bjagg bjagg changed the title refactor(courses-portlet): drop legacy rs/jquery + retire <rs:compressJs> refactor: drop legacy rs/jquery + drop resource-server-content overlay May 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Naenyn Naenyn Naenyn requested changes

@ChristianMurphy ChristianMurphy ChristianMurphy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bjagg @Naenyn @ChristianMurphy