jQuery 3.4.1 is a minor update to the widely used JavaScript library, building on version 3.4.0. Both versions keep the core functionality of simplifying DOM manipulation, event handling, and AJAX interactions. One visible change between the two versions' package metadata is in the author details, specifically the URL pointing to the AUTHORS.txt file in the jQuery repository, which likely reflects updated contributor information or routine maintenance of project metadata.
The dependency lists are identical between the two versions, but the "dist" section shows small differences. jQuery 3.4.1, with a "releaseDate" of May 1st, 2019, has a reported "unpackedSize" of 1295318, slightly larger than jQuery 3.4.0, released on April 10th, 2019, with an "unpackedSize" of 1293692. This small increase in size is consistent with bug fixes, performance enhancements, or minor code tweaks in the newer version. Developers considering an upgrade should note that the change is small and may fix minor bugs in existing applications, so updating to the latest version is recommended. Either version offers a stable foundation for building interactive web experiences, and the update reflects the project's ongoing maintenance.
All vulnerabilities related to version 3.4.1 of the package
Potential XSS vulnerability in jQuery
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around the issue without upgrading, add the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
This problem is patched in jQuery 3.5.0.
To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
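The two workarounds above (the identity htmlPrefilter for the first advisory, DOMPurify's SAFE_FOR_JQUERY option for the second) are easy to apply incorrectly on a jQuery build that is too old, or to leave in a state nobody verifies. The following is an added example, not jQuery's or DOMPurify's own code: it gates the htmlPrefilter workaround on the version floor the advisory states (1.12/2.2 or newer, and not needed from 3.5.0), adds a self-check that the prefilter really is the identity, and wraps the DOMPurify call so the option cannot be forgotten. It runs offline in Node against a stub jQuery object; `makeStubJQuery`, `workaroundStatus`, `installHtmlPrefilterWorkaround`, `prefilterIsIdentity` and `sanitizeForJQuery` are names invented here, and the stub's prefilter is only a simplified stand-in for the pre-3.5 default behaviour, not the library's implementation.

```javascript
// Added example (not jQuery's own code): version-gating the htmlPrefilter
// workaround and wrapping DOMPurify's SAFE_FOR_JQUERY option.
// Every name below other than jQuery.htmlPrefilter, jQuery.fn.jquery and
// DOMPurify.sanitize is an assumption made for this example.

// Classify a jQuery version string (jQuery.fn.jquery) against the advisory:
// "patched" for 3.5.0+, "supported" where the htmlPrefilter workaround
// applies (1.12+, 2.2+, 3.0 to 3.4), otherwise "unsupported".
function workaroundStatus(version) {
  const m = /^(\d+)\.(\d+)/.exec(String(version || ""));
  if (!m) return "unsupported";
  const major = Number(m[1]);
  const minor = Number(m[2]);
  if (major > 3 || (major === 3 && minor >= 5)) return "patched";
  if (major === 3 || (major === 2 && minor >= 2) || (major === 1 && minor >= 12)) {
    return "supported";
  }
  return "unsupported";
}

// Install the advisory's workaround: make htmlPrefilter the identity so
// jQuery passes HTML strings through unchanged. Returns the status so the
// caller can log when the workaround was not applied (too old or not needed).
function installHtmlPrefilterWorkaround(jq) {
  const status = workaroundStatus(jq && jq.fn && jq.fn.jquery);
  if (status === "supported") {
    jq.htmlPrefilter = function (html) {
      return html;
    };
  }
  return status;
}

// Self-check: is the prefilter really the identity on a probe string?
// Useful as a startup assertion after the workaround is installed.
function prefilterIsIdentity(jq, probe) {
  const sample = probe === undefined ? "<p/><span/>" : probe;
  return typeof jq.htmlPrefilter === "function" && jq.htmlPrefilter(sample) === sample;
}

// Wrapper for the second advisory's workaround: sanitize with DOMPurify's
// SAFE_FOR_JQUERY option before the string reaches .html()/.append().
// `purifier` is the DOMPurify object (or anything with a matching sanitize()).
function sanitizeForJQuery(purifier, html) {
  if (!purifier || typeof purifier.sanitize !== "function") {
    throw new TypeError("a DOMPurify-compatible sanitizer is required");
  }
  return purifier.sanitize(html, { SAFE_FOR_JQUERY: true });
}

// Stub standing in for the real jQuery global so the example runs offline.
// Its htmlPrefilter is a simplified stand-in (assumption, not the library's
// code) for the pre-3.5 default, which rewrote markup before insertion
// instead of passing it through unchanged.
function makeStubJQuery(version) {
  return {
    fn: { jquery: version },
    htmlPrefilter: function (html) {
      return html.replace(/<([a-z][a-z0-9]*)([^>]*?)\/>/gi, "<$1$2></$1>");
    },
  };
}

// Demo with constructed inputs.
const jq = makeStubJQuery("3.4.1");
console.log("default prefilter:", jq.htmlPrefilter("<p/>"));
console.log("install:", installHtmlPrefilterWorkaround(jq));
console.log("identity now:", prefilterIsIdentity(jq));
const recordingPurifier = {
  sanitize: (html, cfg) => "[cfg=" + JSON.stringify(cfg) + "] " + html,
};
console.log(sanitizeForJQuery(recordingPurifier, "<b>constructed input</b>"));
```

In a real page, replace the stub with the global `jQuery` object and DOMPurify with the actual library; the status string returned by `installHtmlPrefilterWorkaround` is worth logging at startup, because on a build older than 1.12/2.2 the workaround silently does nothing and upgrading is the only remaining option.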