Closed renovate[bot] closed 3 weeks ago
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 3.x
releases. But if you manually upgrade to 3.x
then Renovate will re-enable minor
and patch
updates automatically.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
2
->3
GitHub Vulnerability Alerts
CVE-2020-11023
Impact
Passing HTML containing
<option>
elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e..html()
,.append()
, and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERY
option to sanitize the HTML string before passing it to a jQuery method.References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2020-11022
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html()
,.append()
, and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2015-9251
Affected versions of
jquery
interprettext/javascript
responses from cross-origin ajax requests, and automatically execute the contents injQuery.globalEval
, even when the ajax request doesn't contain thedataType
option.Recommendation
Update to version 3.0.0 or later.
CVE-2019-11358
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...)
because ofObject.prototype
pollution. If an unsanitized source object contained an enumerable__proto__
property, it could extend the nativeObject.prototype
.Release Notes
jquery/jquery (jquery)
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released! [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0) See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/ **NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details. ### [`v3.4.1`](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.0...3.4.1) ### [`v3.4.0`](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.3.1...3.4.0) ### [`v3.3.1`](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.3.0...3.3.1) ### [`v3.3.0`](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.2.1...3.3.0) ### [`v3.2.1`](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.2.0...3.2.1) ### [`v3.2.0`](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.1.1...3.2.0) ### [`v3.1.1`](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1) [Compare Source](https://togithub.com/jquery/jquery/compare/3.1.0...3.1.1) ### [`v3.1.0`](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0) [Compare Source](https://togithub.com/jquery/jquery/compare/3.0.0...3.1.0) ### [`v3.0.0`](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0) [Compare Source](https://togithub.com/jquery/jquery/compare/2.2.4...3.0.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.