Skip to content

Update dependency jquery to v3.5.0 [SECURITY]#67

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-jquery-vulnerability
Open

Update dependency jquery to v3.5.0 [SECURITY]#67
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-jquery-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
jquery (source) 3.4.13.5.0 age confidence

Potential XSS vulnerability in jQuery

CVE-2020-11023 / GHSA-jpcq-cgw6-v4j6

More information

Details

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N/E:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jquery/jquery (jquery)

v3.5.0: jQuery 3.5.0 Released!

Compare Source

See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency jquery to v3.5.0 [SECURITY] Update dependency jquery to v3.5.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-jquery-vulnerability branch April 27, 2026 18:10
@renovate renovate Bot changed the title Update dependency jquery to v3.5.0 [SECURITY] - autoclosed Update dependency jquery to v3.5.0 [SECURITY] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-jquery-vulnerability branch 2 times, most recently from 2f86a43 to 2e228bf Compare April 28, 2026 06:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants