Open renovate[bot] opened 4 years ago
CLAassistant
commented
4 years ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
renovate[bot]
commented
1 year ago Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR contains the following updates:
3.4.1->3.5.0GitHub Vulnerability Alerts
CVE-2020-11023
Impact
Passing HTML containing
<option>elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e..html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERYoption to sanitize the HTML string before passing it to a jQuery method.References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2020-11022
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery
### [`v3.5.0`](https://togithub.com/jquery/jquery/releases/tag/3.5.0): jQuery 3.5.0 Released! [Compare Source](https://togithub.com/jquery/jquery/compare/3.4.1...3.5.0) See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/ **NOTE:** Despite being a minor release, this update includes a breaking change that we had to make to fix [a security issue](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) ( [`CVE-2020-11022`](https://nvd.nist.gov/vuln/detail/CVE-2020-11022)). Please follow the blog post & the upgrade guide for more details.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.