jQuery 1.12.0, released in January 2016, represents a notable step forward from the preceding stable version, jQuery 1.11.3, released in April 2015. Both are foundational JavaScript libraries designed to simplify DOM manipulation, event handling, and AJAX interactions for web developers. However, examining their metadata reveals key differences in their development dependencies, indicating advancements in testing, code quality, and build processes.
jQuery 1.12.0 introduces several new development dependencies, including npm, jsdom, sinon, sizzle, core-js, qunitjs, grunt-babel, grunt-npmcopy, strip-json-comments, and qunit-assert-step. This suggests a focus on more comprehensive testing: server-side DOM testing with jsdom, enhanced unit testing with sinon and qunitjs, and use of newer JavaScript features through grunt-babel. The inclusion of sizzle may indicate improvements or updates to jQuery's selector engine, and the introduction of grunt-npmcopy points to a refined process for managing and copying npm dependencies during the build. jQuery 1.11.3, by contrast, relies on an older set of Grunt plugins for similar tasks, such as grunt-bowercopy (replaced by grunt-npmcopy in the newer version), and lacks some of the testing-focused dependencies found in 1.12.0. Developers considering an upgrade should evaluate the impact of these dependency changes, particularly if their build processes rely on specific versions of Grunt plugins. The updated development dependencies in 1.12.0 likely contribute to a more robust and modern development workflow, potentially leading to a more stable and performant library. Both versions are licensed under the MIT license and provide similar functionality for DOM manipulation.
All vulnerabilities related to version 1.12.0 of the package

Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
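The advisory above describes the deep-merge problem in prose. As an added example (not jQuery's code, and not part of the advisory), the following shows the defensive pattern that the fixed jQuery.extend applies: a deep merge that refuses to follow keys that reach the prototype chain, together with a pre-merge check that flags such keys in untrusted input. The names safeDeepExtend, hasDangerousKeys and demo, and the untrusted JSON document, are constructed for this example.

```javascript
// Added example, not jQuery's code. Names and sample input are hypothetical.
// Keys that a deep merge must never walk into: an own "__proto__" property
// (as produced by JSON.parse) would otherwise be written through to
// Object.prototype, and "constructor"/"prototype" reach the same place.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True only for objects created by {} / JSON.parse / Object.create(null).
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Pre-merge check: does any own key, at any depth, name a prototype hook?
// Useful for rejecting or logging a request body before merging it.
function hasDangerousKeys(source) {
  if (!isPlainObject(source)) return false;
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) return true;
    if (hasDangerousKeys(source[key])) return true;
  }
  return false;
}

// Deep-merges source into target like jQuery.extend(true, target, source),
// but skips the dangerous keys and copies only own, enumerable properties.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // never follow __proto__ and friends
    const src = source[key];
    if (isPlainObject(src)) {
      // Reuse an existing own plain object on the target; never an inherited one.
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      const dst = isPlainObject(existing) ? existing : {};
      target[key] = safeDeepExtend(dst, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON body supplied by a client.
const UNTRUSTED_JSON =
  '{"theme":{"color":"red"},"__proto__":{"isAdmin":true}}';

function demo() {
  const source = JSON.parse(UNTRUSTED_JSON); // yields an OWN "__proto__" key
  const flagged = hasDangerousKeys(source);
  const merged = safeDeepExtend({ theme: { size: 12 } }, source);
  // After a safe merge, a brand-new object must not have inherited anything.
  const polluted = ({}).isAdmin !== undefined;
  return { flagged, merged, polluted };
}

console.log(JSON.stringify(demo()));
```

The check and the merge are kept separate on purpose: hasDangerousKeys lets a server reject or log suspicious input up front, while safeDeepExtend still protects callers that merge without checking first. Note that JSON.parse creates an own data property named __proto__ rather than setting the prototype, which is exactly why a naive merge that assigns target[key] for every key ends up writing into Object.prototype.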
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:

    jQuery.htmlPrefilter = function( html ) {
        return html;
    };

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/