jQuery 3.1.0 presents a refined iteration over its predecessor, jQuery 3.0.0, offering developers a more polished experience for DOM manipulation and JavaScript interactions. While both versions share the core promise of simplifying web development with an easy-to-use API, the evolution lies primarily in the tooling and development dependencies rather than in fundamental feature additions.
A key distinction is the replacement of grunt-contrib-jshint with grunt-eslint and eslint-config-jquery for code linting. This indicates a shift towards more modern and configurable linting practices aligned with current JavaScript development standards, encouraging cleaner and more maintainable code. grunt-eslint also offers more flexibility in customizing linting rules, so the configuration can follow team preferences and project requirements. Dropping grunt-contrib-jshint also reduces the number of direct dependencies, potentially leading to slightly faster installation times and a cleaner developer workflow.
Both versions keep the MIT license, ensuring open-source usage, and rely on a robust suite of development tools such as grunt for task automation, qunitjs for testing, and babel-preset-es2015 for ES6 compatibility. Developers upgrading from 3.0.0 to 3.1.0 should expect minimal disruption to their existing codebases: because the change is confined to tooling and the core API remains the same, this is a safe update. It is mainly of interest to developers working on jQuery itself rather than to those using it.
All vulnerabilities related to version 3.1.0 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
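As an added illustration, not code from jQuery or from the advisory: a deep merge hardened against the __proto__ case described above, in the spirit of the key check jQuery 3.4.0 added to jQuery.extend(true, ...), plus a detection helper that flags such keys in an untrusted object before it is merged. All function names, the UNSAFE_KEYS set and the sample JSON are my own assumptions.

```javascript
// Added example, not jQuery's own code. Hardened deep merge plus a detection
// helper for keys that could reach the prototype chain; all names assumed.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Detection: dotted paths at which a parsed payload carries an unsafe key.
function findUnsafeKeys(source, path = []) {
  const hits = [];
  if (!isPlainObject(source)) return hits;
  for (const key of Object.keys(source)) {
    const here = [...path, key];
    if (UNSAFE_KEYS.has(key)) hits.push(here.join("."));
    hits.push(...findUnsafeKeys(source[key], here));
  }
  return hits;
}

// Mitigation: deep extend that skips unsafe keys and only recurses into
// plain objects, so a source object can never write to Object.prototype.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample of the shape the advisory describes. JSON.parse yields
// an *own* "__proto__" property; a naive `target[key] = value` merge would
// hand that value to the inherited Object.prototype setter.
const UNTRUSTED_JSON =
  '{"theme":"dark","__proto__":{"isAdmin":true},"nested":{"constructor":{"x":1}}}';

function demo() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  const merged = safeDeepExtend({ theme: "light", nested: { keep: true } }, parsed);
  return { unsafePaths: findUnsafeKeys(parsed), merged, polluted: ({}).isAdmin !== undefined };
}
```

demo() returns the flagged paths, the merged object and whether a fresh object picked up the injected property; the last value stays false with the hardened merge.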
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.