Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency jquery to v3.5.0 [security] #26

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 11, 2021

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jquery (source) 3.4.0 -> 3.5.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.


Release Notes

jquery/jquery (jquery)

v3.5.0: jQuery 3.5.0 Released!

Compare Source

See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

v3.4.1

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 575e0d0 to 029ce81 Compare March 7, 2022 08:48
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 029ce81 to 1b9dcec Compare April 24, 2022 19:00
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 1b9dcec to 675c7e5 Compare September 25, 2022 20:55
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 675c7e5 to 4a94327 Compare March 16, 2023 06:44
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 4a94327 to 22bbad0 Compare May 28, 2023 09:06
@renovate renovate bot changed the title chore(deps): update dependency jquery to v3.5.0 [security] chore(deps): update dependency jquery to v3.5.0 [security] - autoclosed Jul 17, 2023
@renovate renovate bot closed this Jul 17, 2023
@renovate renovate bot deleted the renovate/npm-jquery-vulnerability branch July 17, 2023 01:01
@renovate renovate bot changed the title chore(deps): update dependency jquery to v3.5.0 [security] - autoclosed chore(deps): update dependency jquery to v3.5.0 [security] Jul 17, 2023
@renovate renovate bot restored the renovate/npm-jquery-vulnerability branch July 17, 2023 03:43
@renovate renovate bot reopened this Jul 17, 2023
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from 22bbad0 to c511aa8 Compare July 17, 2023 03:44
@renovate renovate bot force-pushed the renovate/npm-jquery-vulnerability branch from c511aa8 to 06c4905 Compare September 19, 2023 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants