jQuery 3.3.1 is a minor patch release following closely after jQuery 3.3.0, both maintaining the core functionality of this widely-used JavaScript library for DOM manipulation, event handling, and AJAX interactions. Developers familiar with jQuery will find the upgrade straightforward, as the fundamental API remains consistent between these versions. The primary difference lies in the dependencies: jQuery 3.3.0 lists npm, chalk, shelljs, and archiver as dependencies, while jQuery 3.3.1 has no declared dependencies. This suggests a possible change in how the library is built or packaged, potentially streamlining the installation process or resolving dependency-related issues.
Both versions extensively utilize various development dependencies, including tools for testing (Karma, QUnit, Sinon), build processes (Grunt, UglifyJS, Babel), and code quality (ESLint, JSONLint). This robust suite of dev dependencies signifies a commitment to maintaining a high standard of code quality and ensuring compatibility across different environments. The presence of tools like grunt-compare-size and gzip-js indicates a focus on optimizing the library's size, crucial for improving website loading times. If upgrading from a version prior to these, developers benefit from a modern build process with ES6 support and better test coverage, ensuring a reliable and performant library.
All the vulnerabilities related to version 3.3.1 of the package
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
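The merge behaviour behind this advisory, shown as an added example that is not jQuery's own code: a deep merge hardened against Object.prototype pollution (it skips the "__proto__" key as jQuery 3.4.0 does and, going beyond jQuery, also "constructor" and "prototype"), next to the naive pattern so the difference is observable. The helper names and the sample JSON input are constructed for this illustration.

```javascript
// Added example, not jQuery's own code: a deep merge hardened against the
// Object.prototype pollution described in the advisory. It skips the
// "__proto__" key as jQuery 3.4.0 does, and (more conservatively than
// jQuery) also "constructor" and "prototype". A naive merge is kept
// alongside so the difference is observable.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Hardened deep merge: own keys only, never descends into the prototype chain.
function safeDeepExtend(target, ...sources) {
  for (const src of sources) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (UNSAFE_KEYS.has(key)) continue; // drop polluting keys from untrusted input
      const value = src[key];
      if (isPlainObject(value)) {
        const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
        target[key] = safeDeepExtend(isPlainObject(own) ? own : {}, value);
      } else if (value !== undefined) {
        target[key] = value;
      }
    }
  }
  return target;
}

// Naive deep merge (the vulnerable pattern): target["__proto__"] resolves to
// Object.prototype, which passes the plain-object check, so the recursion
// writes keys from the untrusted source onto every object in the process.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Typical use: merge a JSON document from an untrusted source into defaults.
function mergeUntrustedConfig(defaults, jsonText) {
  return safeDeepExtend({}, defaults, JSON.parse(jsonText));
}
```

A quick post-merge check such as `({}).polluted === undefined` (with a marker key of your choosing) is a cheap regression test for any deep-merge helper in a code base that still ships an affected jQuery.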
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
    // Disable jQuery's HTML prefilter (the regex rewrite of self-closing tags) so it no longer rewrites sanitized markup.
    jQuery.htmlPrefilter = function( html ) {
        return html;
    };
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.