jQuery 2.2.4 represents a minor version update from its predecessor, jQuery 2.2.3, within the established 2.x series. Both versions maintain jQuery's core mission as a versatile JavaScript library designed to simplify DOM manipulation, event handling, animation, and AJAX interactions across various web browsers. For developers already using the 2.x series, upgrading to 2.2.4 offers continuity and likely addresses specific bug fixes or minor performance enhancements, without introducing breaking changes to existing code.
The package metadata highlights a shared set of development dependencies between the two versions, including essential tools like Grunt for task automation, jsdom for testing in a Node.js environment, Sinon for creating test spies and stubs, and various Grunt plugins for code quality checks (jshint, jscs, jsonlint), minification (uglify), and more. This consistent toolchain ensures a stable development workflow and rigorous quality control.
The key differences reside primarily in the bug fixes and subtle improvements incorporated in the 2.2.4 release. While the exact nature of these changes is not detailed in the package metadata, the update suggests refinements that improve the overall stability and reliability of the library. Developers should consult the official jQuery changelog for a comprehensive list of specific fixes and enhancements to determine whether the update addresses any known issues or performance bottlenecks encountered in their projects. The release dates show that 2.2.4 was published ~1.5 months after 2.2.3.
All vulnerabilities affecting version 2.2.4 of the package
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.
Update to version 3.0.0 or later.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
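The following is an added illustration of the mitigation for the jQuery.extend(true, {}, ...) issue described above; it is not jQuery's code, and the function names, the blocked-key list and the JSON input are assumptions constructed for the example. It shows that JSON.parse yields an own enumerable "__proto__" key (an object literal would not), and that a deep merge which refuses to copy prototype-altering keys leaves Object.prototype untouched.

```javascript
// Added example (not jQuery's own code): a deep-extend that skips keys which
// would rewrite the prototype chain. Names are assumptions for this example.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable properties of `source` into `target`.
// Blocked keys are recorded in `report` instead of being copied, so callers
// can log that an untrusted payload attempted to reach Object.prototype.
function safeDeepExtend(target, source, report = []) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      report.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], value, report);
    } else if (Array.isArray(value)) {
      target[key] = value.slice();
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an OWN enumerable
// "__proto__" property, the exact shape a naive deep merge mishandles.
const UNTRUSTED_JSON =
  '{"theme":{"color":"blue"},"__proto__":{"isAdmin":true}}';

// Merges the untrusted document into a constructed default config and
// reports whether Object.prototype picked up the injected property.
function mergeUntrustedConfig(json) {
  const report = [];
  const defaults = { theme: { color: "red", size: 12 } };
  const merged = safeDeepExtend(defaults, JSON.parse(json), report);
  return { merged, blocked: report, prototypeClean: !("isAdmin" in {}) };
}
```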
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.