jQuery 2.2.2 represents a minor update to the widely-used JavaScript library, building upon the foundation laid by version 2.2.1. Both versions share the core functionality that simplifies DOM manipulation, event handling, and AJAX interactions, making them essential tools for web developers aiming to create dynamic and interactive web experiences. Key features familiar to jQuery users are consistently present, including its versatile selector engine, extensive API for modifying HTML elements, and cross-browser compatibility.
A close look reveals that the underlying devDependencies-- tools critical for development and testing--remain identical between the two versions. This suggests that the changes incorporated in jQuery 2.2.2 likely focus on bug fixes, performance enhancements, or minor refinements to existing features rather than a substantial overhaul of the library's core architecture.
While the core functionalities remain consistent, developers should consider upgrading to jQuery 2.2.2 primarily to benefit from addressed issues, improved performance, and potential refinements that enhance the overall stability and reliability of their web applications. The updated release date indicates a more recent build, signifying an active maintenance cycle focused on delivering a polished and dependable library experience. Developers using jQuery within their projects are advised to consult the official jQuery changelog or release notes for specifics. The changelog highlights what was fixed in such version.
All the vulnerabilities related to the version 2.2.2 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.