jQuery 3.2.1 is a patch release over jQuery 3.2.0; both are the same JavaScript library for DOM manipulation, event handling and Ajax. Compared at the package-metadata level, the only visible difference is the author URL in package.json: the link to the AUTHORS.txt file in the GitHub repository is pinned to the release tag, so it reads 3.2.1 instead of 3.2.0. Both versions declare identical dependencies and devDependencies, including the test tools (QUnit, Sinon), the linter (ESLint) and the build chain (Grunt, Babel), so the same toolchain and test suite produced both releases.

The release dates are only days apart, which is typical of a patch release that follows a minor one to fix a regression; the metadata comparison alone does not show what code changed, so consult the jQuery release notes for the actual fix. From the metadata alone there is no compelling reason to move from 3.2.0 to 3.2.1, but patch releases normally carry bug fixes, so keeping up to date is good practice, and projects that use automated dependency updates should expect and accept such patch bumps.

For security the distinction between 3.2.0 and 3.2.1 does not matter: every advisory listed below affects both versions equally. The upgrade that removes the known issues is to jQuery 3.5.0 or later.
All known vulnerabilities affecting version 3.2.1 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. In practice the dangerous source object is data parsed from untrusted JSON, because JSON.parse creates __proto__ as an ordinary own, enumerable property that the deep merge then walks into. The fix released in jQuery 3.4.0 skips that key during the merge, so upgrading to 3.4.0 or later removes the issue.
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. The cause is jQuery.htmlPrefilter, which before 3.5.0 rewrote self-closing tags such as <tag/> into <tag></tag> before the string reached the browser's HTML parser, so a string that was harmless as sanitized could become live markup after the rewrite.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code (it replaces the prefilter with an identity function, which is also what jQuery 3.5.0 ships by default):
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to be on jQuery 1.12/2.2 or newer to apply this workaround, because jQuery.htmlPrefilter is not exposed in older versions.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This is a separate issue from the htmlPrefilter one above: it stems from the wrapper markup jQuery adds around <option> elements so that they parse correctly, and the identity-prefilter workaround does not address it.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.