jQuery 2.1.3 is a minor version update to the popular JavaScript library focused on DOM manipulation, animation, and AJAX interactions. Compared with the previous stable version, 2.1.2, the core functionality is largely unchanged, so existing projects remain backward compatible. Developers who use jQuery for element selection, DOM manipulation, and event handling will find familiar ground.
The devDependencies, however, show subtle but potentially impactful changes. The most notable is the addition of jsdom 1.5.0 in 2.1.3. jsdom is a JavaScript implementation of the WHATWG DOM and HTML standards; it is most likely used by the test suite to simulate a browser environment inside Node.js, as an upgrade over the previous testing setup.
Furthermore, commitplease has been upgraded from 1.7.0 to 2.0.0. This tool enforces commit message conventions, reflecting tighter control of the development workflow and code quality. Contributors to the jQuery project need to follow the updated commit message format defined by commitplease for their contributions to be integrated smoothly. These changes affect only the development and testing environment, but they contribute to a more robust and reliable library for end users, and the newer tooling may help when debugging a complex test environment.
The underlying DOM manipulation and AJAX handling that define jQuery's utility are consistent between the two versions. The differences reflect improvements in the testing and development process that lead to a more robust and maintainable library.
All vulnerabilities affecting version 2.1.3 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
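The advisory above describes a recursive merge that copies an own __proto__ key from untrusted input into the native prototype. The following is an added example, not code from the jQuery project or from this advisory: a deep-merge helper that skips the keys which can reach Object.prototype (__proto__, constructor, prototype), plus a scanner that reports such keys in untrusted JSON so a deployment can reject or log the input before any library merge runs. The names safeExtend, findUnsafeKeys and the sample JSON are my own constructions.

```javascript
// Added example, not jQuery project code: a deep-merge helper that refuses
// the keys used to reach Object.prototype through recursive extend(), and a
// scanner that reports such keys in untrusted input before any merge.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (Object.prototype or null prototype) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns dotted paths of every unsafe key found in `source` (own, enumerable keys only).
function findUnsafeKeys(source, path = []) {
  const found = [];
  if (!isPlainObject(source)) return found;
  for (const key of Object.keys(source)) {
    const here = path.concat(key);
    if (UNSAFE_KEYS.has(key)) {
      found.push(here.join("."));
      continue; // do not descend into the dangerous subtree
    }
    found.push(...findUnsafeKeys(source[key], here));
  }
  return found;
}

// Deep merge in the spirit of jQuery.extend(true, target, source), except that
// unsafe keys are skipped rather than written, so Object.prototype is never touched.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Start from a fresh own property unless target already holds a plain object there.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample (hypothetical input): JSON.parse creates an own "__proto__"
// property, which is the shape such input arrives in over the wire.
const UNTRUSTED_JSON =
  '{"__proto__": {"polluted": "yes"}, "settings": {"theme": "dark", "constructor": {"prototype": {"x": 1}}}}';

// Runs the scanner and the safe merge over the sample and reports what happened.
function demo() {
  const source = JSON.parse(UNTRUSTED_JSON);
  const unsafe = findUnsafeKeys(source);
  const merged = safeExtend({ settings: { theme: "light", lang: "en" } }, source);
  return {
    unsafeKeys: unsafe, // ["__proto__", "settings.constructor"]
    theme: merged.settings.theme, // "dark": legitimate keys still merge
    lang: merged.settings.lang, // "en": untouched target keys survive
    prototypeClean: ({}).polluted === undefined && ({}).x === undefined,
  };
}
```

Call demo() to see the scanner output alongside the merged result. Skipping the unsafe keys (rather than throwing) keeps the merge usable for configuration objects, while findUnsafeKeys gives a detection point: logging a non-empty result from it is a cheap signal that someone is probing for prototype pollution.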
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
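The workaround above replaces jQuery.htmlPrefilter with an identity function. To make clear why that matters, here is an added example (not code from the jQuery project or from this advisory) that models the pre-3.5 prefilter outside a browser: the regular expression is the self-closing-tag expansion jQuery used before 3.5 as I recall it, which is an assumption you should verify against the jQuery source for your version. The function names, the prefilterPreservesInput check and the sample markup are my own constructions.

```javascript
// Added example, not jQuery project code. Models the pre-3.5 htmlPrefilter
// behaviour so the workaround can be reasoned about without a browser. The
// regex below is the self-closing-tag expansion jQuery used before 3.5 as I
// recall it (an assumption: verify against the jQuery source for your version).

const RX_HTML_TAG = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// What jQuery < 3.5 did to every HTML string before parsing it: expand
// "<tag .../>" into "<tag ...></tag>" for non-void elements.
function legacyHtmlPrefilter(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// The advisory's workaround (and what jQuery 3.5 ships): hand the string to
// the parser untouched.
function identityHtmlPrefilter(html) {
  return html;
}

// True when the prefilter leaves a sanitizer-approved string byte-for-byte intact.
function prefilterPreservesInput(prefilter, html) {
  return prefilter(html) === html;
}

// Constructed inputs: benign markup of the kind a sanitizer might emit. The
// point is that the legacy prefilter rewrites the string *after* sanitization,
// so what the HTML parser sees is not what the sanitizer approved.
const SAMPLES = [
  '<div class="card"/><p>hello</p>', // non-void self-closing tag: rewritten
  '<br/><img src="a.png"/>',          // void elements: left alone
  '<p>plain</p>',                     // nothing to rewrite
];

// For each sample, shows the legacy rewrite and whether each prefilter preserved the input.
function demo() {
  return SAMPLES.map((html) => ({
    input: html,
    legacy: legacyHtmlPrefilter(html),
    legacyIntact: prefilterPreservesInput(legacyHtmlPrefilter, html),
    identityIntact: prefilterPreservesInput(identityHtmlPrefilter, html),
  }));
}

// Applying the workaround in a real page (jQuery 1.12/2.2 or newer) is one line:
//   jQuery.htmlPrefilter = identityHtmlPrefilter;
```

Call demo() to see that the first sample is rewritten by the legacy prefilter while the identity prefilter preserves every sample. The lesson for defenders is that any sanitizer must run on exactly the string the parser will consume; a post-sanitization rewrite step, however well intentioned, invalidates the sanitizer's guarantee.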
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.