
Update dependency jquery to v3 [SECURITY] #15

Open: wants to merge 1 commit into base: master

Conversation


@renovate renovate bot commented Apr 26, 2021

This PR contains the following updates:

Package: jquery (source)
Change: ^2.2.1 -> ^3.5.0

GitHub Vulnerability Alerts

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around the issue without upgrading, add the following to your code:

jQuery.htmlPrefilter = function( html ) {
	// Return the markup unchanged so the pre-3.5.0 prefilter does not rewrite it.
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2015-9251

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Recommendation

Update to version 3.0.0 or later.

CVE-2019-11358

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.


Release Notes

jquery/jquery (jquery)

v3.5.0: jQuery 3.5.0 Released!


See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue (CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

v3.4.1
v3.4.0
v3.3.1
v3.3.0
v3.2.1
v3.2.0
v3.1.1
v3.1.0
v3.0.0
v2.2.4
v2.2.3
v2.2.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
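The prototype-pollution mechanism that the CVE-2019-11358 entry above describes (a deep merge that copies an enumerable __proto__ key and thereby writes into Object.prototype) is shown here as an added example; it is not part of this PR, of Renovate, or of jQuery's own code. naiveExtend stands in for the pre-3.4.0 jQuery.extend(true, {}, ...) behaviour and is not jQuery's implementation; safeExtend and containsPollutionKey are the defensive counterparts; the JSON payload is constructed for the demonstration.

```javascript
// Added example: naive deep merge (pollutable) beside a hardened one, plus an
// input check a server can run before merging untrusted JSON. Not jQuery code.
// Run with: node pollution-demo.js

// Keys that a merge must never recurse into or assign: each of them reaches
// the prototype chain instead of creating an own property on the target.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive recursive merge in the style of a pre-3.4.0 jQuery.extend(true, ...).
// When key is "__proto__", target[key] resolves to Object.prototype, so the
// recursion copies the attacker's keys onto every object in the process.
function naiveExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === undefined || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      naiveExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips the blocked keys outright and only recurses into an
// own, plain-object property of the target, never an inherited one.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop rather than merge
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input validation: true if any object at any depth carries a blocked key.
// Useful as a reject-early check on request bodies before they reach a merge.
function containsPollutionKey(value) {
  if (value === null || typeof value !== "object") return false;
  if (Array.isArray(value)) return value.some(containsPollutionKey);
  return Object.keys(value).some(
    (k) => BLOCKED_KEYS.has(k) || containsPollutionKey(value[k])
  );
}

// Constructed payload: JSON.parse turns the "__proto__" member into an own,
// enumerable property, which is exactly what a for-in merge will pick up.
const CONSTRUCTED_PAYLOAD = '{"name":"widget","__proto__":{"isAdmin":true}}';

// Runs mergeFn on the payload and reports whether an unrelated object created
// beforehand now "has" isAdmin, i.e. whether Object.prototype was polluted.
// Cleans up afterwards so later code in the same process is unaffected.
function pollutionDemo(mergeFn) {
  const victim = {};
  try {
    mergeFn({}, JSON.parse(CONSTRUCTED_PAYLOAD));
    return victim.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naiveExtend pollutes Object.prototype:", pollutionDemo(naiveExtend));
  console.log("safeExtend pollutes Object.prototype: ", pollutionDemo(safeExtend));
  console.log("payload flagged by containsPollutionKey:",
    containsPollutionKey(JSON.parse(CONSTRUCTED_PAYLOAD)));
}
```

The check in containsPollutionKey is deliberately broader than the fix in safeExtend: rejecting the whole document at the boundary gives a log line to alert on, whereas silently dropping the key inside the merge only limits the damage.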

@renovate renovate bot changed the title Pin dependency jquery to v2.2.4 [SECURITY] Pin dependency jquery to 2.2.4 [SECURITY] May 9, 2021
@renovate renovate bot changed the title Pin dependency jquery to 2.2.4 [SECURITY] Pin dependency jquery to v2.2.4 [SECURITY] May 15, 2021
@renovate renovate bot changed the title Pin dependency jquery to v2.2.4 [SECURITY] Pin dependency jquery to v [SECURITY] Mar 7, 2022
@renovate renovate bot changed the title Pin dependency jquery to v [SECURITY] Pin dependency jquery to v2.2.4 [SECURITY] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from b277a39 to 6511288 Compare November 20, 2022 15:33
@renovate renovate bot changed the title Pin dependency jquery to v2.2.4 [SECURITY] Update dependency jquery to v3 [SECURITY] Nov 20, 2022
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 6511288 to 17a1c8f Compare March 27, 2023 16:53
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 78f1e66 to 335686f Compare June 1, 2023 16:09
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 3 times, most recently from b4f771c to ce7f0bc Compare June 14, 2023 02:27
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 3 times, most recently from e40fafe to 30de16e Compare June 22, 2023 23:11
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from b728be0 to 12d36f9 Compare July 1, 2023 00:46
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 4 times, most recently from 6ee7652 to 7cef7a4 Compare July 11, 2023 05:24
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 4 times, most recently from 6b70924 to 6ca7689 Compare July 21, 2023 05:18
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 4 times, most recently from f73ab92 to 5375429 Compare August 3, 2023 02:33
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 5375429 to 83c0bef Compare August 9, 2023 20:56
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 3 times, most recently from 0b73017 to 495d9ec Compare May 3, 2024 05:23
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 3e3db64 to 7331b4a Compare May 10, 2024 05:43
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from dfcc4fe to a04b437 Compare May 23, 2024 11:49
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 4f99988 to 1e6e7f3 Compare June 6, 2024 05:40
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 6812947 to df11d2b Compare June 29, 2024 08:41
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 84d8a7d to c021bfe Compare July 15, 2024 05:55
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 4 times, most recently from a405863 to 4c99676 Compare July 29, 2024 05:20
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 783c069 to e970217 Compare October 11, 2024 02:35
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 9f960b9 to db11099 Compare October 31, 2024 05:42
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 7067a84 to 1cfac77 Compare December 6, 2024 05:29
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch 4 times, most recently from 545b966 to 04d0088 Compare December 25, 2024 20:35
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 04d0088 to 2e515d2 Compare January 15, 2025 19:49
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 2e515d2 to d8e260d Compare January 17, 2025 03:52