fix(deps): update dependency jquery to v3 [security]#37113
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Open
fix(deps): update dependency jquery to v3 [security]#37113renovate[bot] wants to merge 1 commit intomasterfrom
renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
2 times, most recently
from
cbf92b0 to
e2b45c6
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
e2b45c6 to
a89dd9e
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
a89dd9e to
87201c8
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
87201c8 to
0c6a8f7
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
0c6a8f7 to
029c106
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
2 times, most recently
from
3bff323 to
a49db97
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
a49db97 to
b9a6abb
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
b9a6abb to
82de12b
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
82de12b to
78ec209
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
78ec209 to
f62364d
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
f62364d to
1df5f8a
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
1df5f8a to
b24d77b
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
b24d77b to
0cc6305
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-vulnerability
branch
from
0cc6305 to
72b58ae
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2→^3.0.0GitHub Vulnerability Alerts
CVE-2020-11023
Impact
Passing HTML containing
<option>elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e..html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERYoption to sanitize the HTML string before passing it to a jQuery method.References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2020-11022
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(),.append(), and others) may execute untrusted code.Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
CVE-2015-9251
Affected versions of
jqueryinterprettext/javascriptresponses from cross-origin ajax requests, and automatically execute the contents injQuery.globalEval, even when the ajax request doesn't contain thedataTypeoption.Recommendation
Update to version 3.0.0 or later.
CVE-2019-11358
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...)because ofObject.prototypepollution. If an unsanitized source object contained an enumerable__proto__property, it could extend the nativeObject.prototype.Release Notes
jquery/jquery (jquery)
v3.5.0: jQuery 3.5.0 Released!Compare Source
See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/
NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue (
CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.v3.4.1Compare Source
v3.4.0Compare Source
v3.3.1Compare Source
v3.3.0Compare Source
v3.2.1Compare Source
v3.2.0Compare Source
v3.1.1Compare Source
v3.1.0Compare Source
v3.0.0Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.