jQuery 2.2.0 is an incremental release on top of jQuery 2.1.4. Its public API, centred on DOM manipulation, stays the same; the visible differences are in the development dependencies and build tooling used by contributors, which may also bring small performance improvements for end users.
The notable changes are upgrades to the build and test toolchain. grunt, jsdom and requirejs are moved to newer versions, which mainly affects how the library is built and tested. grunt-babel appears among the development dependencies, which suggests that newer JavaScript syntax is used during development and transpiled so that the shipped build still runs in the browsers jQuery 2.x targets. Updates to strip-json-comments and grunt-jsonlint tighten the checks on the project's JSON configuration.
For developers using jQuery the familiar methods and selectors remain, and a current release is more likely to fit modern build pipelines and test frameworks. If you contribute to jQuery, or build plugins against its source rather than the distributed file, review the changed development dependencies. As with any minor release, run your existing test suite against the updated library before deploying. Note also that 2.2.0 predates the fix versions named in every advisory listed below (3.0.0, 3.4.0 and 3.5.0), so moving from 2.1.4 to 2.2.0 does not address any of them.
All the vulnerabilities related to the version 2.2.0 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. A cross-origin endpoint that can be made to answer with a text/javascript body therefore gets that body run as script in the requesting page.
Update to version 3.0.0 or later. Until you can upgrade, set dataType explicitly (for example "json") on every cross-origin request, so that jQuery does not pick a handler from the response's Content-Type header.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. Any later code that reads a property it expects to be absent, such as a configuration flag, then sees the attacker's value on every object.
Update to version 3.4.0 or later.
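The merge step the advisory describes, as an added example that is not jQuery's own code: a cut-down deep merge written here to follow the shape of the pre-3.4.0 jQuery.extend(true, ...) loop, next to the same loop with the check that 3.4.0 added, both run on a constructed JSON payload. isPlainObject is my approximation of jQuery's helper and the function names are mine.

```javascript
// Added example (not jQuery's code): a minimal deep merge whose structure
// mirrors the pre-3.4.0 jQuery.extend(true, ...) loop closely enough to
// reproduce the Object.prototype pollution, beside a 3.4.0-style fix.

// Approximation of jQuery.isPlainObject: objects whose prototype is null or
// Object.prototype. Note that Object.prototype itself passes this check,
// which is exactly what the vulnerable recursion relies on.
function isPlainObject(obj) {
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  if (proto === null) return true;
  const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
  return typeof ctor === "function" &&
    Function.prototype.toString.call(ctor) === Function.prototype.toString.call(Object);
}

// Vulnerable shape: every enumerable key of `source` is merged, including an
// own property literally named "__proto__". For target = {}, target["__proto__"]
// evaluates to Object.prototype, isPlainObject accepts it, and the recursion
// writes the attacker's keys straight onto the global prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (target === copy) continue;              // avoid a never-ending loop
    if (copy && (isPlainObject(copy) || Array.isArray(copy))) {
      const src = target[name];
      const clone = Array.isArray(copy)
        ? (Array.isArray(src) ? src : [])
        : (src && isPlainObject(src) ? src : {});
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Fixed shape (the check jQuery 3.4.0 introduced): never merge a key named
// "__proto__", everything else behaves as before.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (copy && (isPlainObject(copy) || Array.isArray(copy))) {
      const src = target[name];
      const clone = Array.isArray(copy)
        ? (Array.isArray(src) ? src : [])
        : (src && isPlainObject(src) ? src : {});
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body that the application
// merges into its defaults. JSON.parse creates an *own*, enumerable property
// named "__proto__", which is what makes the key visible to for...in.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Runs one merge into an empty object, reports what an unrelated, freshly
// created object now sees, then removes the polluted key so the rest of the
// process is not affected by the demonstration.
function runPollutionDemo(extendFn) {
  extendFn({}, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).isAdmin;           // true only if Object.prototype was polluted
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("vulnerable merge leaks isAdmin:", runPollutionDemo(deepExtendVulnerable)); // true
console.log("fixed merge leaks isAdmin:", runPollutionDemo(deepExtendFixed));           // undefined
```

The second check is the one worth copying into your own merge helpers: a `__proto__` own key is the only thing that distinguishes the payload from ordinary nested configuration, and a `JSON.parse` result carries it as a plain enumerable property, so a key blacklist (or `Object.create(null)` targets) is needed wherever untrusted objects are deep-merged.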
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. The cause is jQuery.htmlPrefilter, which rewrote the markup string before it was parsed, so the markup the browser finally saw could differ from the markup the sanitizer had inspected.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code so that the prefilter returns the markup unchanged:
jQuery.htmlPrefilter = function( html ) {
    // Return the string untouched, which is what jQuery 3.5.0 does by default.
    return html;
};
You need at least jQuery 1.12/2.2 to apply this workaround, so jQuery 2.2.0, the version covered on this page, is eligible. Note that the pre-3.5.0 prefilter was what expanded self-closing tags such as <div/> into <div></div>; with the override in place, write such tags out in full.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
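The rewriting step behind this advisory, as an added example that is not jQuery's code: the self-closing-tag expansion that jQuery's htmlPrefilter performed before 3.5.0, reproduced from my reading of that code, beside the identity function that 3.5.0 ships and that the workaround above installs. The two inputs are constructed to illustrate the bug class the advisory describes and are not taken from any real site; the function names are mine.

```javascript
// Added example (not jQuery's code): the pre-3.5.0 htmlPrefilter rewrite,
// reproduced here for illustration, next to the 3.5.0 identity behaviour.

// Pre-3.5.0 behaviour: expand XHTML-style self-closing tags such as <div/>
// into <div></div>. Void elements (br, img, ...) are excluded by the lookahead,
// but the pattern runs over raw text, so it also "expands" things that are not
// tags at all, for example a "<" that sits inside an attribute value.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 behaviour, and what the advisory's workaround installs.
function patchedHtmlPrefilter(html) {
  return html;
}

// Constructed inputs. Each is inert as written: a DOM-based sanitizer sees a
// single <img> with string-valued attributes, or a <style> element whose body
// is plain text. After the legacy prefilter, new tag boundaries appear and the
// second <img ... onerror=...> becomes a real element.
const SAMPLES = [
  // The "<x" inside alt and the "/>" inside title are matched as one fake tag,
  // so the generated "></x>" terminates the first <img> early.
  '<img alt="<x" title="/><img src=url404 onerror=xss()>">',
  // "<style/>" inside the raw-text <style> body is expanded to "<style></style>";
  // the generated "</style>" closes the outer element and frees the <img>.
  '<style><style/><img src=url404 onerror=xss()>',
];

// Runs both prefilters over one string and reports whether the legacy one
// changed it. A change on sanitized input means the sanitizer's verdict no
// longer applies to what the browser will parse.
function compareFilters(html) {
  const legacy = legacyHtmlPrefilter(html);
  const patched = patchedHtmlPrefilter(html);
  return { input: html, legacy, patched, rewritten: legacy !== patched };
}

for (const sample of SAMPLES) {
  const r = compareFilters(sample);
  console.log((r.rewritten ? "REWRITTEN" : "unchanged") +
    "\n  in : " + r.input +
    "\n  out: " + r.legacy);
}
```

The string-level comparison is the useful check here: any sanitizer that runs before jQuery on an affected version is validating a different document from the one the browser gets, which is why the advisory treats sanitization alone as insufficient and points at the prefilter instead.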
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method. Replacing jQuery.htmlPrefilter, as in the previous advisory, does not cover this <option> case, so the DOMPurify step is needed in addition to it until you upgrade.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.