jQuery 1.12.1 is a minor release in the 1.12.x stable branch of the popular JavaScript library, succeeding version 1.12.0. Both versions provide a robust foundation for DOM manipulation, event handling, and animation, simplifying front-end web development. Examining their metadata reveals virtually identical development dependencies, including tools like Grunt for task automation, jsdom for testing in a Node.js environment, and QUnit for unit testing.
The core functionality remains consistent between jQuery 1.12.0 and 1.12.1, suggesting that the latter primarily addresses bug fixes and refinements rather than introducing new features. Developers relying on the 1.12.x branch can expect a seamless transition, with the upgrade to 1.12.1 minimizing the risk of breaking changes. For those already using 1.12.0, the update to 1.12.1 is highly recommended due to its stabilization and potential performance improvements or security patches not visible in the metadata. New projects benefit from starting with the latest stable release (1.12.1 at the time), ensuring they are built on the most refined and secure baseline within the 1.12 series. Consider checking the jQuery change logs or release notes to understand the specific fixes included in the upgrade, if any are available.
All the vulnerabilities related to the version 1.12.1 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.