Skip to content

fix(deps): update dependency jquery to v3 [security]#37113

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-jquery-vulnerability
Open

fix(deps): update dependency jquery to v3 [security]#37113
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-jquery-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Aug 2, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
jquery (source) ^2^3.0.0 age confidence

Potential XSS vulnerability in jQuery

CVE-2020-11023 / GHSA-jpcq-cgw6-v4j6

More information

Details

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N/E:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Cross-Site Scripting (XSS) in jquery

CVE-2015-9251 / GHSA-rmxg-73gg-4p98

More information

Details

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Recommendation

Update to version 3.0.0 or later.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

CVE-2019-11358 / GHSA-6c3j-c64m-qhgq

More information

Details

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from cbf92b0 to e2b45c6 Compare August 13, 2025 12:47
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from e2b45c6 to a89dd9e Compare August 19, 2025 15:38
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from a89dd9e to 87201c8 Compare August 31, 2025 09:52
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from 87201c8 to 0c6a8f7 Compare September 10, 2025 20:38
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from 0c6a8f7 to 029c106 Compare September 25, 2025 15:48
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 3bff323 to a49db97 Compare October 21, 2025 12:08
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from a49db97 to b9a6abb Compare November 10, 2025 23:57
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from b9a6abb to 82de12b Compare November 18, 2025 10:45
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from 82de12b to 78ec209 Compare December 3, 2025 15:45
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from 78ec209 to f62364d Compare December 31, 2025 15:52
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from f62364d to 1df5f8a Compare January 8, 2026 16:33
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from 1df5f8a to b24d77b Compare January 19, 2026 15:30
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from b24d77b to 0cc6305 Compare February 2, 2026 17:11
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 72b58ae to ca524d0 Compare February 17, 2026 15:24
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 4e4c22b to a214ff1 Compare March 5, 2026 15:48
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from a214ff1 to 02fcb8d Compare March 13, 2026 14:49
@renovate renovate Bot changed the title fix(deps): update dependency jquery to v3 [security] fix(deps): update dependency jquery to v3 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-jquery-vulnerability branch March 27, 2026 00:51
@renovate renovate Bot changed the title fix(deps): update dependency jquery to v3 [security] - autoclosed fix(deps): update dependency jquery to v3 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 3 times, most recently from b5daef4 to a755e28 Compare April 1, 2026 17:18
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch from a755e28 to aa25ceb Compare April 8, 2026 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iloveagent57