jQuery 1.11.3 and 1.11.2 represent closely related iterations of the widely-used JavaScript library, primarily focused on DOM manipulation, event handling, and AJAX interactions. Both versions share an identical core feature set, targeting broad compatibility and ease of use. Developers leveraging jQuery for simplifying cross-browser JavaScript development will find similar functionality in either version. The descriptions, dependencies and devDependencies are essentially the same.
Key differences lie primarily in the release date and, potentially, in subtle bug fixes and performance improvements that aren't explicitly documented within the package metadata. Version 1.11.3 was released on April 28, 2015, while version 1.11.2 came out on December 17, 2014. This suggests that 1.11.3 likely incorporates minor patches addressing issues discovered since the previous release, and potentially even internal dependency upgrades.
For developers choosing between these two specific versions, opting for the newer 1.11.3 is generally recommended. While the functional distinctions might be negligible, the later version benefits from any incremental refinements made by the jQuery team. Both packages use the same suite of Grunt-based development tools for minification, linting, and testing. The author URL in the package metadata reflects version 1.11.2. Ultimately, most users would be better served by the latest major version of jQuery available, to benefit from more substantial improvements, security updates, and new features.
All vulnerabilities related to version 1.11.3 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
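The following is an added example, not jQuery's own code: a reduced model of the recursive merge that jQuery.extend(true, {}, ...) performed before 3.4.0, shown beside a hardened variant that applies the same __proto__ check jQuery 3.4.0 added (plus constructor and prototype as defence in depth). The untrusted JSON input and the function names are constructed for the demonstration.

```javascript
// Added example, not jQuery's own code: a reduced model of the recursive merge
// jQuery.extend(true, {}, ...) did before 3.4.0, beside a hardened variant.

// Vulnerable model: copies every enumerable own key, including an own
// "__proto__" key. target["__proto__"] resolves to Object.prototype,
// so the recursion writes the nested values onto the global prototype.
function deepExtendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      deepExtendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened model: skips "__proto__" (the 3.4.0 fix) plus "constructor" and
// "prototype" as defence in depth, and only recurses into objects the
// target itself owns, never into an inherited one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      deepExtendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an *own* enumerable
// "__proto__" key; an object literal would set the prototype instead.
const UNTRUSTED_JSON = '{"name": "widget", "__proto__": {"polluted": "yes"}}';

// Merges the input with extendFn and reports whether an unrelated empty
// object now sees the injected property; cleans up so runs stay independent.
function runDemo(extendFn) {
  const merged = extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted; // 'yes' only if Object.prototype was polluted
  delete Object.prototype.polluted;
  return { name: merged.name, leaked };
}
```

runDemo(deepExtendUnsafe) reports leaked: 'yes', while runDemo(deepExtendSafe) reports leaked: undefined with the ordinary keys still merged.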
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
	// Identity prefilter: return the HTML unchanged instead of rewriting self-closing tags
	return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.