Crisp Incident on the 13th of February

The Crisp chatbox broke some websites using jQuery and Lodash for 27 minutes on February 13th, 2023, due to an error in UglifyJS, an external library used to compress the chatbox JavaScript.

Crisp provides a live chat to help companies get closer to the people browsing their websites. Companies enable this live chat service by embedding the Crisp JS SDK on their websites.

During a routine update of our JS SDK, two internal functions were wrongly renamed to $ and _ by the chatbox compression step. Those two names are usually used by jQuery and Lodash, two very popular libraries.

This incident only affected website performance and didn't compromise security.

This incident affected some websites using jQuery and Lodash between 4:55pm CET and 5:37pm CET.

Incident Timeline

All timestamps are CET.

At 2023-02-13 4:55pm - The engineering team released a routine update of the chatbox JS SDK. This update included a minor update of UglifyJS, which caused issues on websites using Lodash and jQuery.

At 2023-02-13 5:28pm - Our support team received a complaint from a customer.

At 2023-02-13 5:32pm - A rollback is issued.

At 2023-02-13 5:37pm - The rollback is fully performed.

At 2023-02-13 5:50pm - A long-term patch is issued, preventing such issues from happening in the future.

What was released, and how did it break?

What went wrong?

To optimize website performance, Crisp uses a tool named UglifyJS in its build to reduce the final JavaScript file size of our chatbox. It works by automatically renaming JavaScript functions and variables to shorter names. For instance, a function named a_dummy_function is renamed to a.

We have a policy of forking and pinning all the libraries used by the Crisp JS SDK. As the latest UglifyJS patch dated from Oct 2022, the system considered the version safe enough to be updated.

However, this UglifyJS version contains a bug that lets it use _ and $ as valid names when renaming.

How did we fix the issue?

A rollback was immediately applied and a long-term patch was issued by forcing our builder to lock the UglifyJS version.
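
A renaming bug of this kind can be caught before release by loading the built bundle into a context where $ and _ are already taken and checking that both survive. The Node.js check below is an added example, not Crisp's build code; the function names and both sample bundles are constructed, and a real SDK bundle would also need DOM stubs or a headless browser to execute.

```javascript
// Added example: post-build smoke test that a minified bundle leaves globals
// owned by host-page libraries untouched. Names and bundles are constructed.
const vm = require('node:vm');

// Globals claimed by jQuery and Lodash, the two names from this incident.
const HOST_GLOBALS = ['$', '_'];

// Evaluate `bundleSource` in a fresh context where every watched global already
// holds a sentinel, as on a page that loaded jQuery/Lodash before the SDK.
// Returns the watched names the bundle overwrote or deleted.
// Note: node:vm is not a security boundary; only feed it your own build output.
function findClobberedGlobals(bundleSource, names = HOST_GLOBALS) {
  const sandbox = {};
  const sentinels = new Map();
  for (const name of names) {
    const sentinel = function hostLibrary() {};
    sentinels.set(name, sentinel);
    sandbox[name] = sentinel;
  }
  vm.createContext(sandbox);
  vm.runInContext(bundleSource, sandbox, { timeout: 1000 });
  return names.filter((name) => sandbox[name] !== sentinels.get(name));
}

// Build gate: throw (and fail the release) if any host global was touched.
function assertBundleIsolated(bundleSource, names = HOST_GLOBALS) {
  const clobbered = findClobberedGlobals(bundleSource, names);
  if (clobbered.length > 0) {
    throw new Error(`bundle redefines host globals: ${clobbered.join(', ')}`);
  }
  return true;
}

// Constructed sample: mangled names stay inside a function scope.
const SCOPED_BUNDLE =
  '(function(){function a(n){return n+1}function b(n){return a(n)*2}' +
  'globalThis.DEMO_SDK=b(1)})();';

// Constructed sample: two top-level functions mangled to `$` and `_`.
const LEAKY_BUNDLE =
  'function $(n){return n+1}var _=function(n){return $(n)*2};' +
  'globalThis.DEMO_SDK=_(1);';

console.log('scoped bundle clobbers:', findClobberedGlobals(SCOPED_BUNDLE));
console.log('leaky bundle clobbers: ', findClobberedGlobals(LEAKY_BUNDLE));
```

Running assertBundleIsolated on the release artifact as the last build step turns a minifier regression into a failed build instead of a customer report.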

Conclusion

We are embarrassed by this incident and deeply sorry for its effects on some websites using jQuery and Lodash.

We will update our build tools to perform tests on a wider range of frameworks and libraries.

You can contact our team at any time via the Crisp Livechat Widget if you have any questions.