jQuery 2.1.1 introduces subtle but potentially impactful changes compared to its predecessor, 2.1.0, so developers should understand the differences before upgrading. Both versions keep jQuery's core promise: simplifying DOM manipulation, event handling, and AJAX interactions for web development. The devDependencies, however, show several changes. Version 2.1.1 upgraded a number of grunt plugins: grunt-bowercopy from 0.5.0 to 0.7.1, load-grunt-tasks from 0.2.0 to 0.3.0, grunt-jscs-checker from 0.2.6 to 0.4.1, grunt-contrib-jshint from 0.7.2 to 0.8.0 and grunt-contrib-uglify from 0.2.7 to 0.3.2. This signals work on the library's build process, possibly picking up newer linting rules, improved minification and better dependency management. A notable addition in 2.1.1 is commitplease, a tool that validates commit messages, indicating attention to code quality and to consistent commit-message conventions. Finally, shelljs and archiver are absent from the devDependencies in 2.1.1, suggesting changes in how jQuery is built or packaged for distribution. From a consumer's point of view, upgrading from 2.1.0 to 2.1.1 is advisable for the bug fixes and the build-process improvements, but note that every advisory listed below also applies to 2.1.1: none of them is resolved short of moving to the 3.x release named in each entry.
All vulnerabilities affecting version 2.1.1 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery (all releases before 3.0.0; tracked as CVE-2015-9251) interpret text/javascript responses from cross-origin ajax requests and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. In practice, any third-party endpoint fetched with $.get(url) or $.ajax({ url: url }) and no dataType can answer with JavaScript and have it run in the page.
Update to version 3.0.0 or later.
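As an added illustration that is not part of the advisory or of jQuery's source, the following models the Content-Type sniffing jQuery 2.x applies when an ajax call gives no dataType, and the guard jQuery 3.0 introduced for cross-origin requests. The function names (isCrossDomain, settings2x, settings3x, resolveDataType, wouldExecute) are this example's own, the regex table copies jQuery's default ajaxSettings.contents, and the page origin, request URL and response header are constructed for the demo:

```javascript
// Added example (not jQuery's code): a reduced model of the response-type
// sniffing jQuery 2.x performs when an ajax call gives no dataType, and of the
// guard jQuery 3.0 added for cross-origin requests. Function names are this
// example's own; the regex table follows jQuery's default ajaxSettings.contents.

// jQuery's default Content-Type sniffing table.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}

// Same rule jQuery applies: a request is cross-origin when the resolved URL's
// origin differs from the page's. jQuery stores this in settings.crossDomain.
function isCrossDomain(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin !== pageOrigin;
}

// Request settings as jQuery 2.x builds them: no guard at all.
function settings2x(url, pageOrigin, options = {}) {
  return {
    url,
    crossDomain: isCrossDomain(url, pageOrigin),
    contents: defaultContents(),
    ...options,
  };
}

// Same, plus the jQuery 3.0 prefilter (gh-2432): a cross-origin request may no
// longer have its response sniffed as "script". An explicit dataType still wins.
function settings3x(url, pageOrigin, options = {}) {
  const s = settings2x(url, pageOrigin, options);
  if (s.crossDomain) {
    s.contents.script = false;
  }
  return s;
}

// First step of jQuery's ajaxHandleResponses, simplified: with no dataType ("*")
// the server's Content-Type decides, and an unrecognised type degrades to text.
function resolveDataType(settings, contentType) {
  const dataTypes = (settings.dataType || "*").toLowerCase().split(/\s+/);
  if (dataTypes[0] === "*" && contentType) {
    for (const [type, matcher] of Object.entries(settings.contents)) {
      if (matcher && matcher.test(contentType)) {
        dataTypes.unshift(type);
        break;
      }
    }
  }
  return dataTypes[0] === "*" ? "text" : dataTypes[0];
}

// A "script" result is the one jQuery hands to jQuery.globalEval.
function wouldExecute(settings, contentType) {
  return resolveDataType(settings, contentType) === "script";
}

// Constructed scenario: $.get("https://cdn.example/data") issued from a page on
// https://app.example, and the third party answers with text/javascript.
const PAGE = "https://app.example";
const URL_3P = "https://cdn.example/data";
const CT = "text/javascript; charset=utf-8";

console.log("2.x, no dataType, executes:", wouldExecute(settings2x(URL_3P, PAGE), CT));
console.log("3.x guard, no dataType, executes:", wouldExecute(settings3x(URL_3P, PAGE), CT));
console.log("3.x guard, dataType json, executes:",
  wouldExecute(settings3x(URL_3P, PAGE, { dataType: "json" }), CT));
```

On a page still running 2.1.1 the equivalent guard is jQuery.ajaxPrefilter(function( s ) { if ( s.crossDomain ) { s.contents.script = false; } }), which is the prefilter jQuery 3.0 itself ships for this issue; better still, pass an explicit dataType on every cross-origin call so the server's header never decides what the response is.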
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0 (CVE-2019-11358), as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. Despite the title, the root issue is prototype pollution: any property the attacker injects becomes visible on every plain object in the page, and XSS is one of the ways this can be turned into code execution, depending on what the application reads from those objects.
Update to version 3.4.0 or later.
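As an added illustration that is not part of the advisory or of jQuery's source, the following reduced deep-merge reproduces the pre-3.4.0 behaviour of jQuery.extend(true, target, source) and the guard 3.4.0 added; isPlainObject, deepExtend and pollutes are this example's own names, and the attacker JSON is constructed for the demo:

```javascript
// Added example (not jQuery's code): a reduced deep-merge in the shape of
// jQuery.extend(true, target, source), first as it behaved before 3.4.0 and then
// with the 3.4.0 guard, to show how an enumerable "__proto__" key reaches
// Object.prototype.

// Same test jQuery applies: a plain {} or an Object.create(null) object.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// deepExtend(guardProto, target, ...sources). With guardProto=false this follows
// the pre-3.4.0 logic; with guardProto=true it skips "__proto__", as 3.4.0 does.
function deepExtend(guardProto, target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const name of Object.keys(source)) {
      const copy = source[name];
      // 3.4.0 fix: never merge into the prototype chain.
      if (guardProto && name === "__proto__") continue;
      // Never copy an object onto itself (present in all versions).
      if (target === copy) continue;
      if (isPlainObject(copy)) {
        // Reading target["__proto__"] returns Object.prototype itself, which
        // passes isPlainObject, so the recursion below writes into it.
        const existing = target[name];
        const clone = isPlainObject(existing) ? existing : {};
        target[name] = deepExtend(guardProto, clone, copy);
      } else if (copy !== undefined) {
        target[name] = copy;
      }
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON body merged into default options.
// JSON.parse creates "__proto__" as an ordinary enumerable own property.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the untrusted input into a fresh object and report whether an unrelated
// object afterwards sees the injected property. Cleans up Object.prototype so
// the process is left as it was found.
function pollutes(guardProto) {
  const untrusted = JSON.parse(ATTACKER_JSON);
  deepExtend(guardProto, {}, untrusted);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("pre-3.4.0 merge pollutes Object.prototype:", pollutes(false));
console.log("3.4.0 guarded merge pollutes Object.prototype:", pollutes(true));
```

The same input reaches real applications whenever request bodies, query strings or stored JSON are merged into configuration objects with a deep extend; the guard is cheap, but the durable fix is the 3.4.0 upgrade plus never deep-merging attacker-controlled objects into anything long-lived.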
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code (CVE-2020-11022; jQuery before 3.5.0). The cause is that jQuery rewrote the markup string before parsing it, so the DOM a sanitizer approved was not the DOM jQuery built.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
    return html;
};
This requires at least jQuery 1.12/2.2, because the jQuery.htmlPrefilter hook did not exist before those releases. jQuery 2.1.1, the version covered by this page, has no hook to override, so for it the only remedy is upgrading to 3.5.0 or later.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
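As an added illustration that is neither the advisory's nor jQuery's code, the following reproduces the self-closing-tag expansion jQuery.htmlPrefilter performed before 3.5.0 alongside the identity workaround above, applied to a constructed payload. RX_HTML_TAG follows the shape of jQuery's rxhtmlTag; htmlPrefilterLegacy, htmlPrefilterSafe and countLiveImgElements are this example's own names, and the last is only a rough stand-in for how a browser treats the contents of a <style> element, sufficient for the demo:

```javascript
// Added example (not jQuery's code): the self-closing-tag expansion that
// jQuery.htmlPrefilter performed before 3.5.0, next to the identity prefilter the
// advisory gives as a workaround, applied to a constructed payload that a
// sanitizer has already let through.

// Tag-expansion regex in the shape of jQuery's pre-3.5.0 rxhtmlTag: any
// "<tag .../>" that is not a void element becomes "<tag ...></tag>".
const RX_HTML_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

// Pre-3.5.0 default: jQuery rewrote the string before parsing it.
function htmlPrefilterLegacy(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// Workaround from the advisory (and the 3.5.0 default): pass markup through
// untouched, so what the sanitizer saw is what the browser parses.
function htmlPrefilterSafe(html) {
  return html;
}

// Constructed payload. Parsed as-is, it is a single <style> element whose text
// content happens to read "<style/><img ...>"; there is no <img> element, so a
// DOM-based sanitizer finds nothing to strip.
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)>";

// Minimal stand-in for "what would the browser build": inside <style> everything
// up to the next </style> (or the end of input) is raw text, so count only <img>
// tags that fall outside such a region. Enough for this demo, nothing more.
function countLiveImgElements(html) {
  const withoutRawText = html.replace(/<style\b[^>]*>[\s\S]*?(?:<\/style>|$)/gi, "");
  return (withoutRawText.match(/<img\b/gi) || []).length;
}

function legacyOutput() {
  return htmlPrefilterLegacy(PAYLOAD);
}

function safeOutput() {
  return htmlPrefilterSafe(PAYLOAD);
}

// The legacy rewrite turns "<style/>" into "<style></style>", which closes the
// outer <style> early and promotes the <img onerror> to a live element.
console.log("legacy prefilter:", legacyOutput(), "live <img>:", countLiveImgElements(legacyOutput()));
console.log("safe prefilter:  ", safeOutput(), "live <img>:", countLiveImgElements(safeOutput()));
```

The lesson generalises beyond this payload: any transformation applied to markup after sanitization and before parsing re-opens the question the sanitizer already answered, which is why the fix in 3.5.0 was to stop rewriting rather than to refine the regex.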
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code (CVE-2020-11023; jQuery before 3.5.0). Note that this is a separate issue from the previous advisory: the jQuery.htmlPrefilter override given there is not the recommended mitigation here.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.