jQuery 2.2.1 represents a minor version bump over its predecessor, jQuery 2.2.0, providing developers with a slightly refined and more stable version of this popular JavaScript library focused on DOM manipulation. Both versions share the same core functionality for simplifying tasks like HTML traversal, event handling, animation, and AJAX interactions. The essential value proposition for developers remains consistent, offering a cross-browser compatible toolkit to streamline front-end web development.
Analyzing the package data reveals that the core devDependencies remain entirely consistent between the two versions. This signifies that the toolchain and testing environment used for building and validating the library were identical. The key difference lies primarily in bug fixes and minor improvements implemented between the two releases.
Specifically, the release dates show a development and stabilization period of a little over a month. While a detailed list of changes is not exposed in the metadata, the bump from 2.2.0 to 2.2.1 indicates that the changes were meant to increase the overall stability and reliability of the library. The subtle changes introduced in jQuery 2.2.1 will be of interest to developers seeking the most dependable iteration of the 2.2.x series, since it offers cumulative refinements on top of an already solid foundation. The upgrade delivers the assurance of using the most polished version of jQuery 2.2, free from any issues addressed since the previous release.
All the vulnerabilities related to version 2.2.1 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
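The advisory above turns on one detail: when no dataType is given, an affected jQuery lets the server's Content-Type decide how the body is handled, so a cross-origin text/javascript response is evaluated. The following is an added example, not code from jQuery or from the advisory, of a small option guard a defender can put in front of jQuery.ajax: it always pins an explicit dataType, and it refuses dataType "script" for a cross-origin URL unless the caller opts in with a marker flag. The names guardAjaxOptions, isCrossOrigin and the allowRemoteScript flag are my own, and the origins used are constructed.

```javascript
// Added example (not jQuery's or the advisory's code). Normalizes jQuery.ajax
// options so a cross-origin response is never executed as script merely
// because the server labelled it text/javascript.

// True when `url` (absolute or relative) resolves to an origin other than the
// page's own. Relative URLs resolve against pageOrigin and are same-origin.
function isCrossOrigin(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Returns a copy of `options` safe to hand to jQuery.ajax. Throws when a
// cross-origin script request lacks the explicit allowRemoteScript marker.
function guardAjaxOptions(options, pageOrigin) {
  const opts = Object.assign({}, options);
  const crossOrigin = isCrossOrigin(opts.url, pageOrigin);

  if (!opts.dataType) {
    // Pin the expected format: with no dataType, affected versions infer it
    // from the response Content-Type, including text/javascript.
    opts.dataType = "json";
  }

  if (crossOrigin && opts.dataType === "script" && opts.allowRemoteScript !== true) {
    // Executing remote script is a deliberate decision the caller must mark;
    // it must never depend on what the remote server chooses to send back.
    throw new Error("cross-origin script execution requires allowRemoteScript: true for " + opts.url);
  }

  // Strip the marker so it does not leak into the options jQuery receives.
  delete opts.allowRemoteScript;
  return opts;
}

// Usage in a page (assumed): jQuery.ajax(guardAjaxOptions({ url: "/api/items" }, location.origin));
```

Pinning dataType to "json" is a default for API calls; callers that genuinely expect HTML or text pass their own dataType and the guard leaves it untouched. The point is that the decision to run code from another origin is made in your source, where it can be reviewed, rather than by a response header.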
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
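Because the workaround only applies from jQuery 1.12/2.2 onward and is unnecessary from 3.5.0, it is worth installing it through a small function that checks the loaded version and then verifies that the hook really is the identity. The following is an added example, not code from the advisory or from jQuery; applyHtmlPrefilterWorkaround, compareVersions and parseVersion are my own names, and fakeJq is a constructed stand-in for a loaded jQuery object (its legacy htmlPrefilter simply appends a marker so the verification has something to detect).

```javascript
// Added example (not the advisory's or jQuery's code): install the identity
// htmlPrefilter workaround only where it applies, and confirm it took effect.

function parseVersion(v) {
  return String(v).split(".").map((n) => parseInt(n, 10) || 0);
}

// -1, 0 or 1 comparing dotted versions on their first three components.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns "fixed" (3.5.0 or later, nothing to do), "unsupported" (older than
// 1.12 / 2.2, where htmlPrefilter does not exist), "applied", or "failed".
function applyHtmlPrefilterWorkaround(jq) {
  const version = jq.fn.jquery;
  if (compareVersions(version, "3.5.0") >= 0) return "fixed";
  const major = parseVersion(version)[0];
  if (major === 1 && compareVersions(version, "1.12.0") < 0) return "unsupported";
  if (major === 2 && compareVersions(version, "2.2.0") < 0) return "unsupported";

  // The workaround from the advisory: make the prefilter a no-op.
  jq.htmlPrefilter = function (html) { return html; };

  // Verify with a constructed probe that the hook now passes markup through
  // byte-for-byte; a still-active legacy prefilter would alter it.
  const probe = "<div/><p>x</p>";
  return jq.htmlPrefilter(probe) === probe ? "applied" : "failed";
}

// Constructed stand-in for a loaded jQuery of the given version. Its legacy
// prefilter appends a marker so the verification above has a visible effect.
function fakeJq(version) {
  return {
    fn: { jquery: version },
    htmlPrefilter: function (html) { return html + "<!--legacy-->"; }
  };
}

// Usage in a page (assumed): applyHtmlPrefilterWorkaround(window.jQuery);
```

Logging the returned status at startup gives operations a cheap signal for which pages still rely on the workaround versus which have actually moved to 3.5.0.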
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.