yaml-import icon indicating copy to clipboard operation
yaml-import copied to clipboard
verified publisher icon rafamel

chore(deps): update dependency jquery to 3.5.0 [security]

Open renovate[bot] opened this issue 4 years ago • 1 comments

WhiteSource Renovate

This PR contains the following updates:

Package Change
jquery 3.4.1 -> 3.5.0

GitHub Vulnerability Alerts

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

renovate[bot] avatar Apr 26 '21 17:04 renovate[bot]

Coverage Status

Coverage remained the same at 98.089% when pulling a1039aa74f43df4f37a99edc8b82674d0d92132b on renovate/npm-jquery-vulnerability into a05b2b0fba14c86b47ca8ba6900147ff2cfaea0b on master.

coveralls avatar Apr 26 '21 17:04 coveralls