jQuery versions 3.1.1 and 3.1.0, two releases of the foundational JavaScript library for DOM manipulation, differ in subtle but noteworthy ways. The differences lie almost entirely in the development dependencies, reflecting the evolution of the tooling used to build and maintain the library itself.
In version 3.1.1, the key updates concern code linting and styling: grunt-eslint moves from 18.1.0 to 19.0.0 and eslint-config-jquery from 0.1.6 to 1.0.0. These updates likely reflect stricter code quality standards and style guide improvements. commitplease is updated from 2.3.1 to 2.6.1. The sizzle update from 2.3.0 to 2.3.3 may indicate resolved bugs or performance improvements in the selector engine, and the promises-aplus-tests update from 2.1.1 to 2.1.2 may indicate improvements in jQuery's promise implementation.
For developers using jQuery, these changes primarily signify a more refined and reliable codebase. While the core functionality remains consistent, the updated development dependencies suggest a commitment to code quality and adherence to modern JavaScript best practices. This translates to a more stable and predictable library for building interactive web applications. The updates in linting and commit practices contribute to a healthier development ecosystem around jQuery. While there are no breaking changes, the upgrade to version 3.1.1 is recommended for developers seeking the most polished and up-to-date experience.
Known vulnerabilities affecting version 3.1.1 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
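The mechanism above, shown as an added example rather than jQuery's own code: a naive recursive merge of the kind the advisory describes, beside a hardened merge that refuses to walk into __proto__, constructor and prototype keys. The merge functions, the sample JSON and the helper names are all constructed for this illustration.

```javascript
// Added example (not jQuery's code): naive deep merge vs. a hardened one.

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable: copies every enumerable key, including an own "__proto__" key.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype itself,
      // so the recursion writes straight into the shared prototype.
      target[key] = naiveDeepMerge(target[key] || {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: same result for ordinary keys, but unsafe keys are skipped and
// only own properties of plain objects are merged.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeDeepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates an *own* enumerable key named
// "__proto__" (an object literal with that key would instead set the prototype).
const untrustedJson = '{"theme":"dark","__proto__":{"polluted":true}}';

// Runs one merge and reports whether an unrelated object was affected.
function demonstrate(merge) {
  const settings = merge({ theme: "light" }, JSON.parse(untrustedJson));
  const leaked = ({}).polluted === true; // did the shared prototype change?
  delete Object.prototype.polluted;      // undo any pollution for the next run
  return { theme: settings.theme, leaked };
}

function naiveResult() { return demonstrate(naiveDeepMerge); }
function safeResult() { return demonstrate(safeDeepMerge); }

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive:", naiveResult()); // leaked: true
  console.log("safe:", safeResult());   // leaked: false
}
```

The hardened variant also only recurses into plain objects and existing own properties, so a key that happens to shadow something inherited (such as "hasOwnProperty") cannot redirect the merge into a shared object either.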
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
    // Replace the built-in prefilter with a no-op so the HTML string is
    // passed through unchanged after sanitization.
    jQuery.htmlPrefilter = function( html ) {
        return html;
    };
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
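An added example (not jQuery's own code) of why the workaround matters and how to check that it took effect. It uses a stand-in object in place of the real jQuery global; the tag-expansion regex is reproduced from the pre-3.5.0 jQuery source as an assumption, and the version helpers encode only the version boundaries the advisory states (fixed in 3.5.0; workaround needs 1.12/2.2 or newer).

```javascript
// Added example (not jQuery's code): effect of htmlPrefilter before and after
// the advisory's workaround, plus a version gate.

// Assumption: this is the regex jQuery used in htmlPrefilter before 3.5.0 to
// expand self-closing tags such as <div/> into <div></div>.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Minimal stand-in for the jQuery global with the pre-3.5 behaviour.
const jQueryLike = {
  htmlPrefilter(html) {
    return html.replace(rxhtmlTag, "<$1></$2>");
  },
};

// The advisory's workaround, applied to whatever object plays the jQuery role.
function applyWorkaround(jq) {
  jq.htmlPrefilter = function (html) {
    return html;
  };
  return jq;
}

// True when the string that will reach the DOM is exactly what the sanitizer
// produced; false when the prefilter rewrote it after sanitization.
function survivesUnchanged(jq, sanitizedHtml) {
  return jq.htmlPrefilter(sanitizedHtml) === sanitizedHtml;
}

// Version helpers (constructed): fix ships in 3.5.0; the workaround needs at
// least 1.12 on the 1.x line or 2.2 on the 2.x line.
function parseVersion(v) {
  const [major = 0, minor = 0, patch = 0] = v
    .split(".")
    .map((n) => parseInt(n, 10) || 0);
  return { major, minor, patch };
}

function needsWorkaround(version) {
  const { major, minor } = parseVersion(version);
  return major < 3 || (major === 3 && minor < 5);
}

function workaroundSupported(version) {
  const { major, minor } = parseVersion(version);
  if (major === 1) return minor >= 12;
  if (major === 2) return minor >= 2;
  return major >= 3;
}

if (typeof require !== "undefined" && require.main === module) {
  const sanitized = '<div class="note"/>'; // constructed sanitizer output
  console.log("before:", jQueryLike.htmlPrefilter(sanitized)); // <div class="note"></div>
  applyWorkaround(jQueryLike);
  console.log("after:", jQueryLike.htmlPrefilter(sanitized));  // unchanged
  console.log("3.1.1 needs workaround:", needsWorkaround("3.1.1"));
}
```

The point the check makes visible: a sanitizer decides on one string, but the prefilter hands the browser a different one, so the sanitizer's verdict no longer applies. Once the no-op prefilter is installed, survivesUnchanged returns true for every input.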
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/