Issue
As of the 2021 March release for Jenkins LTS and CloudBees CI, jQuery has been updated to the secure version 3.5.x.
As part of this change, the insecure plugins jquery and jquery-detached have been removed from all Jenkins-based CloudBees products and are no longer part of CAP.
Please note that these two plugins are not automatically uninstalled from your instance, because other plugins in your installation may still depend on them.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
Resolution
Ensuring all plugins are updated to use jQuery 3.5.x
All CloudBees and CAP plugins have been updated to be compatible with, and to use only, the secure version of jQuery that Jenkins is being updated to use, 3.5.x.
To ensure these plugins are updated as needed to the new jQuery version, enable CAP/Beekeeper and allow automatic plugin updates on restart before updating your CloudBees CI version, as explained in the documentation linked here.
Removing the insecure plugins jquery and jquery-detached
First, review the direct plugin usage by following How to determine if a plugin is in use.
Once done, you can try uninstalling them from the UI by going to <jenkins_url>/pluginManager/installed.
Another plugin may still need jquery or jquery-detached. In this case, a popup will indicate which plugin.
If this happens, check whether a more recent version of the dependent plugin exists and update it. If none exists and you are using the dependent plugin, then please contact the Support Team.
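The dependency check described above can also be done offline against a saved plugin inventory. The following Python script is an added example, not CloudBees code: it assumes the JSON shape returned by <jenkins_url>/pluginManager/api/json?depth=2, runs on a constructed sample whose "example-*" plugins and versions are made up, and assumes that only non-optional dependencies block removal.

```python
import json

LEGACY = {"jquery", "jquery-detached"}  # the two removed plugins named on this page

# Constructed sample, shaped like <jenkins_url>/pluginManager/api/json?depth=2
# (assumed shape; the "example-*" plugins and all versions are made up).
SAMPLE = json.loads("""
{"plugins": [
 {"shortName": "jquery", "version": "0.0.1", "enabled": true, "hasUpdate": false,
  "dependencies": []},
 {"shortName": "jquery-detached", "version": "0.0.2", "enabled": true, "hasUpdate": false,
  "dependencies": []},
 {"shortName": "example-charts", "version": "2.0", "enabled": true, "hasUpdate": true,
  "dependencies": [{"shortName": "jquery", "version": "0.0.1", "optional": false}]},
 {"shortName": "example-report", "version": "1.3", "enabled": true, "hasUpdate": false,
  "dependencies": [{"shortName": "jquery", "version": "0.0.1", "optional": false}]},
 {"shortName": "example-ui", "version": "4.1", "enabled": false, "hasUpdate": false,
  "dependencies": [{"shortName": "jquery-detached", "version": "0.0.2", "optional": true}]}
]}
""")


def blockers(inventory, legacy=LEGACY):
    """Map each installed legacy plugin to the plugins that still declare it."""
    plugins = inventory.get("plugins", [])
    report = {p["shortName"]: [] for p in plugins if p["shortName"] in legacy}
    for p in plugins:
        for dep in p.get("dependencies", []):
            if dep.get("shortName") in report:
                report[dep["shortName"]].append({
                    "plugin": p["shortName"],
                    "version": p.get("version"),
                    "optional": bool(dep.get("optional")),
                    # Page guidance: update if a newer version exists,
                    # otherwise check usage and contact Support.
                    "action": "update" if p.get("hasUpdate")
                              else "no update: check usage, contact Support",
                })
    return report


def removable(report):
    """Legacy plugins with no mandatory dependents (assumed safe to try removing)."""
    return sorted(n for n, deps in report.items() if not any(not d["optional"] for d in deps))


if __name__ == "__main__":
    result = blockers(SAMPLE)
    for name, deps in result.items():
        print(name, "<-", [(d["plugin"], d["action"]) for d in deps] or "no dependents")
    print("try uninstalling:", removable(result))
```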