Remove Modernizr & yepnope Javascript libraries

Created on 27 May 2025, 9 days ago

Problem/Motivation

I got the results of a site security scan for one of my Government of Canada clients, and this was in the feedback:

Replace Modernizr 2.8.3 -> 3.12.0 and remove yepnope.js

I don't have all of the details, but there must be already-known SAs for these, such as Upgrading lodash due to CVE-2021-23337. So I'm sure it's fine to talk about this in public.

I don't believe it's worth the trouble to upgrade it because it's not actually being used anymore:

I know this is fixed in the 6.x branch, but there's no stable release for that yet.

Steps to reproduce

1. Load a page on a WxT site.
2. Open the browser console.
3. Type: `typeof Modernizr`
4. If you get back `object`, the library is being loaded. If you get back `undefined`, it's not.

Proposed resolution

Remove it from the 5.x branch.

I don't know anything about front-end development (unless there's some way to manage it with Terraform), but this seems to get rid of it, placing this in `html/themes/contrib/wxt_bootstrap/wxt_bootstrap.info.yml`:

```yaml
libraries-override:
  wxt_library/wet-boew:
    js:
      /libraries/wet-boew/js/wet-boew.min.js: false
```

This also has the happy side effect of removing `yepnope` as well.

📌 Task
Status

Active

Version

5.4

Component

WxT Bootstrap

Created by

🇨🇦Canada colan Toronto 🇨🇦


Comments & Activities

  • Issue created by @colan
  • 🇨🇦Canada colan Toronto 🇨🇦

    Moving to more appropriate project.

  • 🇨🇦Canada colan Toronto 🇨🇦

    Here's a Composer-friendly patch.

  • 🇨🇦Canada smulvih2 Canada 🍁

    Hey Colan, thanks for bringing this up! WxT 5.4.x uses wet-boew 4.0.75, and 6.1.x uses wet-boew 4.0.85, where these libraries are no longer bundled.

    This change prevents wet-boew JS from loading, so not a good change to add to wxt_bootstrap, although fine to use in your case if wet-boew is not needed. You could also disable wxt_library to prevent that library from loading in the first place. Could also update wet-boew in your composer.json file like this:

    "require": {
      "wet-boew/wet-boew": "4.0.85 as 4.0.75"
    }
    

    Will be publishing 6.1.x shortly this week/weekend, just running through upgrade path testing.

  • 🇨🇦Canada colan Toronto 🇨🇦

    Thanks for the tip, but it looks like they weren't removed after running this, `ddev composer install`, clearing caches, and then reloading the page:

    ddev composer require "wet-boew/wet-boew:4.0.85 as 4.0.75"

    Not getting `undefined` when running these in the browser console:

    • typeof Modernizr
    • typeof yepnope

    So we'll stick with the big removal for now, unless there's a better option.

  • 🇨🇦Canada colan Toronto 🇨🇦

    @smulvih2: I'm reopening this because you may not see it otherwise.

    It turns out we are using some of this stuff so still need it.

    Upgrading `wet-boew` did not remove the libraries. Could there be a bug there that's allowing these 2 libraries to still show up?
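
The console check from the steps to reproduce, extended into one audit function that also reports the Modernizr version against the scanner's 3.12.0 target (an added example, not part of the original thread or the WxT project's code). The names `auditLegacyLibs`, `compareVersions` and `MIN_MODERNIZR` are hypothetical, the sample objects are constructed, and the code relies on `Modernizr._version`, which Modernizr 2.x and 3.x both expose.

```javascript
// Added example: report which legacy loaders are present on a window-like object.
// MIN_MODERNIZR is the target version from the scanner feedback quoted in the issue.
const MIN_MODERNIZR = '3.12.0';

// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(n => parseInt(n, 10) || 0);
  const pb = String(b).split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function auditLegacyLibs(win) {
  const m = win.Modernizr;
  const mLoaded = typeof m !== 'undefined' && m !== null;
  // Modernizr 2.x and 3.x both expose their version as Modernizr._version.
  const version = mLoaded && typeof m._version === 'string' ? m._version : null;
  return {
    modernizr: {
      loaded: mLoaded,
      version,
      // An unknown version is reported as outdated so that it gets looked at.
      outdated: mLoaded && (version === null || compareVersions(version, MIN_MODERNIZR) < 0),
    },
    yepnope: {
      // yepnope is a function, so `typeof yepnope` is "function", not "object".
      loaded: typeof win.yepnope === 'function',
      // Modernizr 2.x builds that include Modernizr.load ship it as a yepnope wrapper.
      viaModernizrLoad: mLoaded && typeof m.load === 'function',
    },
  };
}

// Constructed stand-ins for `window`; in a browser console, pass `window` itself.
const legacyPage = { Modernizr: { _version: '2.8.3', load() {} }, yepnope() {} };
const cleanPage = {};
console.log(JSON.stringify(auditLegacyLibs(legacyPage)));
console.log(JSON.stringify(auditLegacyLibs(cleanPage)));
```

Because `typeof yepnope` returns `function` when the loader is present, compare the console result against `undefined` rather than expecting `object` for both libraries.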
