Crisp provides a live chat to help companies get closer to people browsing their websites. This live chat service is enabled by embedding the Crisp JS SDK on their websites.
During a routine update on our JS SDK, two internal functions were wrongly renamed as _ after the chatbox compression step. Those two functions are usually used for jQuery and Lodash, two very popular libraries.
This incident only affected website performance and didn't compromise security.
This incident affected some websites using jQuery and Lodash between 4:55pm CET and 5:37pm CET.
All timestamps are CET.
At 2023-02-13 4:55pm - The engineering team released a routine update on the chatbox JS SDK. This update included a minor UglifyJS update, which caused issues on websites using Lodash and jQuery.
At 2023-02-13 5:28pm - Our support team received a complaint from a customer.
At 2023-02-13 5:32pm - A rollback is issued.
At 2023-02-13 5:37pm - The rollback is fully performed.
At 2023-02-13 5:50pm - A long-term patch is issued, preventing such issues from happening in the future.
What was released, and how did it break?
What went wrong?
a_dummy_function is renamed to
We have a policy of forking and pinning all the libraries used by the Crisp JS SDK. As the latest UglifyJS patch was made in Oct 2022, the system considered the version safe enough to be updated.
However, this UglifyJS version contains a bug using $ as valid names.
How did we fix the issue?
A rollback was immediately applied and a long-term patch was issued by forcing our builder to lock the UglifyJS version.
We are embarrassed by this incident and deeply sorry for its effects on some websites using jQuery and Lodash.
We will update our build tools to perform tests on a wider range of frameworks and libraries.
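The check below is an added example, not Crisp's build code: it runs a minified bundle in a Node.js `vm` context seeded with stand-ins for jQuery's `$` and Lodash's `_`, then reports any that the bundle replaced. The function names and both sample bundles are constructed for illustration.

```javascript
// Added example: post-build check that a minified embed script leaves the
// host page's "$" and "_" globals alone. All names here are hypothetical.
const vm = require('vm');

const PROTECTED_GLOBALS = ['$', '_'];

// Executes `bundleSource` as a classic script in a fresh context where each
// protected global already holds a sentinel (standing in for jQuery/Lodash),
// then returns the names whose value is no longer that sentinel.
function findClobberedGlobals(bundleSource, names = PROTECTED_GLOBALS) {
  const sentinels = new Map(names.map((n) => [n, function hostLibrary() {}]));
  const context = vm.createContext(Object.fromEntries(sentinels));
  vm.runInContext(bundleSource, context, { filename: 'bundle.min.js', timeout: 1000 });
  return names.filter((name) => {
    try {
      // Read the name the way a later <script> on the page would.
      return vm.runInContext(name, context) !== sentinels.get(name);
    } catch (err) {
      return true; // binding removed or unreadable: treat as clobbered
    }
  });
}

// Build gate: `ok` is false when any protected global was replaced.
function checkBundle(bundleSource) {
  const clobbered = findClobberedGlobals(bundleSource);
  return { ok: clobbered.length === 0, clobbered };
}

// Constructed sample: internal helpers mangled to "$" and "_" at top level.
const BROKEN_BUNDLE =
  'function $(){return 1}function _(){return $()+1}var sdk_ready=_();';
// Constructed sample: same helpers with ordinary names inside an IIFE.
const SAFE_BUNDLE =
  '(function(){function a(){return 1}function b(){return a()+1}' +
  'globalThis.sdk_ready=b()})();';

for (const [label, src] of [['broken', BROKEN_BUNDLE], ['safe', SAFE_BUNDLE]]) {
  console.log(label, JSON.stringify(checkBundle(src)));
}
```

Run against the real build output in CI, a non-empty `clobbered` list fails the release before the bundle reaches customer pages.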
You can contact our team at any time via the Crisp Livechat Widget if you have any questions.