fix(deps): update dependency jquery to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jquery (source)	^2 → ^4.0.0

GitHub Vulnerability Alerts

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

jQuery.htmlPrefilter = function( html ) {
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2015-9251

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Recommendation

Update to version 3.0.0 or later.

CVE-2019-11358

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

---

Release Notes

jquery/jquery (jquery)

v4.0.0

Compare Source

Changelog

https://blog.jquery.com/2026/01/17/jquery-4-0-0/

Ajax

• Don't treat array data as binary (992a1911)
• Allow processData: true even for binary data (ce264e07)
• Support binary data (including FormData) (a7ed9a7b)
• Support headers for script transport even when cross-domain (#​5142, 6d136443)
• Support null as success functions in jQuery.get (#​4989, 74978b7e)
• Don't auto-execute scripts unless dataType provided (#​4822, 025da4dd)
• Make responseJSON work for erroneous same-domain JSONP requests (68b4ec59)
• Execute JSONP error script responses (#​4771, a1e619b0)
• Avoid CSP errors in the script transport for async requests (#​3969, 07a8e4a1)
• Drop the json to jsonp auto-promotion logic (#​1799, #​3376, e7b3bc48)
• Overwrite s.contentType with content-type header value, if any (#​4119, 7fb90a6b)
• Deprecate AJAX event aliases, inline event/alias into deprecated (23d53928)
• Do not execute scripts for unsuccessful HTTP responses (#​4250, 50871a5a)
• Simplify jQuery.ajaxSettings.xhr (#​1967, abdc89ac)

Attributes

• Make .attr( name, false ) remove for all non-ARIA attrs (#​5388, 063831b6)
• Shave off a couple of bytes (b40a4807)
• Don't stringify attributes in the setter (#​4948, 4250b628)
• Drop the toggleClass(boolean|undefined) signature (#​3388, a4421101)
• Refactor val(): don't strip carriage return, isolate IE workarounds (ff281991)
• Don't set the type attr hook at all outside of IE (9e66fe9a)

CSS

• Fix dimensions of table <col> elements (#​5628, eca2a564)
• Drop the cache in finalPropName (640d5825)
• Tests: Fix tests & support tests under CSS Zoom (#​5489, 071f6dba)
• Fix reliableTrDimensions support test for initially hidden iframes (b1e66a5f)
• Selector: Align with 3.x, remove the outer selector.js wrapper (53cf7244)
• Make the reliableTrDimensions support test work with Bootstrap CSS (#​5270, 65b85031)
• Make offsetHeight( true ), etc. include negative margins (#​3982, bce13b72)
• Return undefined for whitespace-only CSS variable values (#​5120) (7eb00196)
• Don’t trim whitespace of undefined custom property (#​5105, ed306c02)
• Skip falsy values in addClass( array ), compress code (#​4998, a338b407)
• Justify use of rtrim on CSS property values (655c0ed5)
• Trim whitespace surrounding CSS Custom Properties values (#​4926, efadfe99)
• Include show, hide & toggle methods in the jQuery slim build (297d18dd)
• Remove the opacity CSS hook (865469f5)
• Workaround buggy getComputedStyle on table rows in IE/Edge (#​4490, 26415e08)
• Don't automatically add "px" to properties with a few exceptions (#​2795, 00a9c2e5)

Core

• Remove obsolete workarounds, update support comments (e2fe97b7)
• Switch $.parseHTML from document.implementation to DOMParser (0e123509)
• Fix the exports setup to make bundlers work with ESM & CommonJS (#​5416, 60f11b58)
• Add more info about named exports (5f869590)
• Simplify code post browser support reduction (93ca49e6)
• Move the factory to separate exports (46f6e3da)
• Use named exports in src/ (#​5262, f75daab0)
• Fix regression in jQuery.text() on HTMLDocument objects (#​5264, a75d6b52)
• Selector: Move jQuery.contains from the selector to the core module (024d8719)
• Drop the root parameter of jQuery.fn.init (d2436df3)
• Don't rely on splice being present on input (9c6f64c7)
• Manipulation: Add basic TrustedHTML support (#​4409, de5398a6)
• Report browser errors in parseXML (#​4784, 89697325)
• Make jQuery.isXMLDoc accept falsy input (#​4782, fd421097)
• Drop support for Edge Legacy (i.e. non-Chromium Microsoft Edge) (#​4568, e35fb62d)
• Fire iframe script in its context, add doc param in globalEval (#​4518, 4592595b)
• Exclude callbacks & deferred modules in the slim build as well (fbc44f52)
• Migrate from AMD to ES modules 🎉 (d0ce00cd)
• Use Array.prototype.flat where supported (#​4320, 9df4f1de)
• Remove private copies of push, sort & splice from the jQuery prototype (b59107f5)
• Implement .even() & .odd() to replace POS :even & :odd (78420d42)
• Deprecate jQuery.trim (#​4363, 5ea59460)
• Remove IE-specific support tests, rely on document.documentMode (#​4386, 3527a384)
• Drop support for IE <11, iOS <11, Firefox <65, Android Browser & PhantomJS (#​3950, #​4299, cf84696f)
• Remove deprecated jQuery APIs (#​4056, 58f0c00b)

Data

• Refactor to reduce size (805cdb43)
• Event:Manipulation: Prevent collisions with Object.prototype (#​3256, 9d76c0b1)
• Separate data & css/effects camelCase implementations (#​3355, 8fae2120)

Deferred

• Rename getStackHook to getErrorHook (#​5201, 258ca1ec)
• Respect source maps in jQuery.Deferred.exceptionHook (#​3179, 0b9c5037)
• Rename master to primary (a32cf632)

Deprecated

• Define .hover() using non-deprecated methods (fd6ffc5e)
• Remove jQuery.trim (0b676ae1)
• Fix AMD parameter order (f810080e)

Dimensions

• Add offset prop fallback to FF for unreliable TR dimensions (#​4529, 3bbbc111)

Docs

• Fix some minor issues in comments (e4d4dd81)
• update herodevs link in README (#​5695, 093e63f9)
• Align CONTRIBUTING.md with 3.x-stable (d9281061)
• Update CONTRIBUTING.md (4ef25b0d)
• add version support section to README (cbc2bc1f)
• Update remaining HTTP URLs to HTTPS (7cdd8374)
• Fix module links in the package README (ace646f6)
• update watch task in CONTRIBUTING.md (77d6ad71)
• Fix typos found by codespell (620870a1)
• remove stale gitter badge from readme (67cb1af7)
• Remove the "Grunt build" section from the PR template (988a5684)
• Remove stale badge from README (bcd9c2bc)
• Update the README of the published package (edccabf1)
• Remove git.io from a GitHub Actions comment (016872ff)
• Update webpack website in README (01819bc3)
• add link to patchwelcome and help wanted issues (924b7ce8)
• add link to preview the new CLAs (683ceb8f)
• Fix incorrect trac-NUMBER references (eb9ceb2f)
• remove expired links from old jquery source (#​4997) (ed066ac7)
• Remove links to Web Archive from source (#​4981, e24f2dcf)
• Replace #NUMBER Trac issue references with trac-NUMBER (5d5ea015)
• Update the URL to the latest jQuery build in CONTRIBUTING.md (9bdb16cd)
• Remove the CLA checkbox in the pull request template (e1248931)
• update irc to Libera and fix LAMP dead link (175db73e)
• Update Frequently Reported Issues in the GitHub issue template (7a6fae6a)
• Change JS Foundation mentions to OpenJS Foundation (11611967)
• add SECURITY.md, show security email address (2ffe54ca)
• Fix typos (1a7332ce)
• Update the link to the jsdom repository (a62309e0)
• Use https for hyperlinks in README (73415da2)
• Remove a mention of the event/alias.js module from README (3edfa1bc)
• Update links to EdgeHTML issues to go through Web Archive (1dad1185)
• direct users to GitHub docs for cloning the repo (f1c16de2)
• Change OS X to macOS in README (5a3e0664)
• Update most URLs to HTTPS (f09d9210)
• Convert link to Homebrew from HTTP to HTTPS (e0022f23)

Effect

• Fix a unnecessary conditional statement in .stop() (#​4374, 110802c7)

Effects

• Remove jQuery.fx.interval (6c2c7362)

Event

• Use .preventDefault() in beforeunload (7c123dec)
• Increase robustness of an inner native event in leverageNative (#​5459, 527fb3dc)
• Avoid collisions between jQuery.event.special & Object.prototype (bcaeb000)
• Simplify the check for saved data in leverageNative (dfe212d5)
• Make trigger(focus/blur/click) work with native handlers (#​5015, 6ad3651d)
• Simulate focus/blur in IE via focusin/focusout (#​4856, #​4859, #​4950, ce60d318)
• Don't break focus triggering after .on(focus).off(focus) (#​4867, e539bac7)
• Make focus re-triggering not focus the original element back (#​4382, dbcffb39)
• Don't crash if an element is removed on blur (#​4417, 5c2d0870)
• Remove the event.which shim (#​3235, 1a5fff4c)
• remove jQuery.event.global (18db8717)
• Only attach events to objects that accept data - for real (#​4397, d5c505e3)
• Stop shimming focusin & focusout events (#​4300, 8a741376)
• Prevent leverageNative from registering duplicate dummy handlers (eb6c0a7c)
• Fix handling of multiple async focus events (#​4350, ddfa8376)

Manipulation

• Make jQuery.cleanData not skip elements during cleanup (#​5214, 3cad5c43)
• Generalize a test to support IE (88690ebf)
• Support $el.html(selfRemovingScript) (#​5378) (#​5377, 937923d9)
• Extract domManip to a separate file (ee6e8740)
• Don't remove HTML comments from scripts (#​4904, 2f8f39e4)
• Respect script crossorigin attribute in DOM manipulation (#​4542, 15ae3614)
• Avoid concatenating strings in buildFragment (9c98e4e8)
• Make jQuery.htmlPrefilter an identity function (90fed4b4)
• Selector: Use the nodeName util where possible to save size (4504fc3d)

Offset

• Increase search depth when finding the 'real' offset parent (556eaf4a)

Release

• 4.0.0 (4f2fae08)
• remove dist files from main branch (c838cfb5)
• 4.0.0-rc.2 (97525193)
• Update AUTHORS.txt (c128d5d8)
• Fix release issues uncovered during the 4.0.0-rc.1 release (a5b0c431)
• remove dist files from main branch (9d06c6dd)
• 4.0.0-rc.1 (586182f3)
• Run npm publish in the post-release phase (ff1f0eaa)
• Only run browserless tests during the release (fb5ab0f5)
• Temporarily disable running tests on release (3f79644b)
• publish tmp/release/dist folder when releasing (#​5658, a865212d)
• correct build date in verification; other improvements (53ad94f3)
• remove dist files from main branch (be048a02)
• 4.0.0-beta.2 (51fffe9f)
• ensure builds have the proper version (3e612aee)
• set preReleaseBase in config file (1fa8df5d)
• fix running pre/post release scripts in windows (5518b2da)
• update AUTHORS.txt (862e7a18)
• migrate release process to release-it (jquery/jquery-release#114, 2646a8b0)
• add factory files to release distribution (#​5411, 1a324b07)
• use buildDefaultFiles directly and pass version (b507c864)
• copy dist-module folder as well (63767650)
• only published versioned files to cdn (3a0ca684)
• remove scripts and dev deps from dist package.json (7eac932d)
• update build command in Release.generateArtifacts (3b963a21)
• add support for md5 sums in windows (f088c366)
• remove the need to install grunt globally (b2bbaa36)
• upgrade release dependencies (967af732)
• Remove an unused chalk dependency (bfb6897c)
• Use an in-repository dist README fixture (358b769a)
• Update AUTHORS.txt (1b74660f)
• update AUTHORS.txt (cf9fe0f6)

Selector

• Remove the workaround for :has; test both on iPhone & iPad (65e35450)
• Properly deprecate jQuery.expr[ ":" ]/jQuery.expr.filters (329661fd)
• Make selector.js module depend on attributes/attr.js (#​5379, e06ff088)
• Eliminate selector.js depenencies from various modules (e8b7db4b)
• Re-expose jQuery.find.{tokenize,select,compile,setDocument} (#​5259, 338de359)
• Stop relying on CSS.supports( "selector(...)" ) (#​5194, 68aa2ef7)
• Backport jQuery selection context logic to selector-native (#​5185, 2e644e84)
• Make selector lists work with qSA again (#​5177, 09d988b7)
• Implement the uniqueSort chainable method (#​5166, 5266f23c)
• Re-introduce selector-native.js (4c1171f2)
• Manipulation: Fix DOM manip within template contents (#​5147, 3299236c)
• Drop support for legacy pseudos, test custom pseudos (8c7da22c)
• Use jQuery :has if CSS.supports(selector(...)) non-compliant (#​5098, d153c375)
• Remove the "a:enabled" workaround for Chrome <=77 (c1ee33ad)
• Make empty attribute selectors work in IE again (#​4435, 05184cc4)
• Use shallow document comparisons in uniqueSort (#​4441, 15750b0a)
• Add a test for throwing on post-comma invalid selectors (6eee5f7f)
• Make selectors with leading combinators use qSA again (ed66d5a2)
• Use shallow document comparisons to avoid IE/Edge crashes (#​4441, aa6344ba)
• reduce size, simplify setDocument (29a9544a)
• Leverage the :scope pseudo-class where possible (#​4453, df6a7f7f)
• Bring back querySelectorAll shortcut usage (cef4b731)
• Inline Sizzle into the selector module (47835965)
• Port Sizzle tests to jQuery (79b74e04)

Support

• ensure display is set to block for the support div (#​4832, 09f25436)

Tests

• Fix the "outside view position" test in Headless Chrome (23d72cb1)
• Fix selector tests in Chrome 141 (25a1b080)
• Increase nomodule test timeout for IE from 1s to 5s (5eab0a3c)
• Fix module/nomodule tests flakiness (5964acf3)
• Use releases.jquery.com as external host for AJAX testing (f21a6ea6)
• Fix tests for jQuery.get( String, null-ish, null-ish, String ) (05325801)
• Add tests for jQuery.get( String, null-ish, null-ish, String ) (76687566)
• Backport the hidden="until-found" attr tests from 3.x-stable (3a31866b)
• migrate test runner to jquery-test-runner (733e62d2)
• Add custom attribute getter tests to the selector module (44667709)
• Switch to an updated fork of promises-aplus-tests (559bc5ac)
• Run tests in Edge in IE mode in GitHub Actions (6d78c076)
• Run tests on both real Firefox ESRs (4b7ecbad)
• align mock.php spacing with 3.x-stable branch (d5ae14f6)
• replace dead links in qunit fixture (dbc9dac7)
• replace express with basic Node server (c85454a8)
• remove unnecessary scroll feature test (ea31e4d5)
• Align :has selector tests with 3.x-stable (f2d9fde5)
• revert concurrency group change (fa73e2f1)
• include github ref in concurrency group (5880e027)
• Make the beforeunload event tests work regardless of extensions (399a78ee)
• share queue/browser handling for all worker types (284b082e)
• improve diffing for values of different types (b9d333ac)
• show any and all actual/expected values (f80e78ef)
• add diffing to test reporter (44fb7fa2)
• add actual and expected messages to test reporter (1e84908b)
• fix worker restarts for failed browser acknowledgements (fedffe74)
• add --hard-retries option to test runner (822362e6)
• fix cleanup in cases where server doesn't stop (0754d596)
• fix flakey message logs; ignore delete worker failures (02d23478)
• reuse browser workers in BrowserStack tests (#​5428) (95a4c94b)
• Use allowlist instead of whitelist (2b97b6bb)
• migrate testing infrastructure to minimal dependencies (dfc693ea)
• Fix Karma tests on Node.js 20 (d478a1c0)
• Disable the ":lang respects escaped backslashes" test (#​5271, 62b9a258)
• Indicate Chrome 112 & Safari 16.4 pass the cssHas support test (89ef81f8)
• Test AJAX deprecated event aliases properly (cff28998)
• Indicate Firefox 106+ passes the cssSupportsSelector test (716130e0)
• Remove a workaround for a Firefox XML parsing issue (e7ffe1f1)
• Fix the link to QUnit CSS file (8cf39b78)
• Exclude tests based on compilation flags, not API presence (#​5069, fae5fee8)
• Workaround an XML parsing bug in Firefox (af1cd6f2)
• lock colors version to 1.4.0 (9603b3c8)
• Skip ETag AJAX tests on TestSwarm (00c060d1)
• Allow statusText to be "success" in AJAX tests (19ced963)
• Make Karma browser timeout larger than the QUnit one (4fd6912b)
• Don't remove csp.log in the cspClean action of mock.php (1019074f)
• Load the TestSwarm listener via HTTPS (d225639a)
• Switch background image from online file to local 1x1.jpg (482f8462)
• Strip untypical callback parameter characters from mock.php (a7027463)
• Make more tests run natively in Chrome & Firefox (50e8e846)
• Fix tests for not auto-executing scripts without dataType (d38528b1)
• Recognize callbacks with dots in the Node.js mock server (df6858df)
• Skip the "jQuery.ajax() on unload" test in Safari (c18dc496)
• Remove an unused local variable (82b87f6f)
• Remove remaining obsolete jQuery.cache references (d96111e1)
• Workaround failures in recent XSS tests in iOS 8 - 12 (11066a9e)
• Add tests for recently fixed manipulation XSS issues (dc06d68b)
• Use only one focusin/out handler per matching window & document (9b732043)
• Fix flakiness in the "jQuery.ajax() - JSONP - Same Domain" test (7b0864d0)
• Pass a number of necessary done() calls to assert.async() (364476c3)
• Remove obsolete jQuery data tests (eb35be52)
• Skip a "width/height on a table row with phantom borders" test in Firefox (a612733b)
• Don't test synchronous XHR on unload in Chrome (323575fb)
• Stop using jQuery.find in tests (1d624c10)
• Port changes from Sizzle (ac5f7cd8)
• Fix a comment in testinit.js (7bdf307b)
• update npo.js and include unminified source instead (b334ce77)
• Restrict an event test fallback to TestSwarm (bde53edc)
• Fix the new focusin/focusout test in IE (6f2fae7c)
• Fix the core-js polyfill inclusion method (2e4b79ab)

Traversing

• Fix contents() on <object>s with children in IE (ccbd6b93)
• Fix contents() on <object>s with children (#​4384, 4d865d96)

Upgrade

• Bump actions/setup-node from 3.3.0 to 3.4.1 (78321f07)
• set up periodic code scanning analysis (39c5778c)
• updated the vulnerability reporting process and added escalation steps (02cf4ee0)

v3.7.1: jQuery 3.7.1 Released: Reliable Table Row Dimensions

Compare Source

https://blog.jquery.com/2023/08/28/jquery-3-7-1-released-reliable-table-row-dimensions/

v3.7.0: jQuery 3.7.0: Staying in Order

Compare Source

https://blog.jquery.com/2023/05/11/jquery-3-7-0-released-staying-in-order/

v3.6.4: jQuery 3.6.4 Released: Selector Forgiveness

Compare Source

https://blog.jquery.com/2023/03/08/jquery-3-6-4-released-selector-forgiveness/

v3.6.3: jQuery supports CSS.supports in jQuery 3.6.3

Compare Source

https://blog.jquery.com/2022/12/20/jquery-3-6-3-released-a-quick-selector-fix/

v3.6.2: jQuery 3.6.2 :has arrived!

Compare Source

https://blog.jquery.com/2022/12/13/jquery-3-6-2-released/

v3.6.1: jQuery 3.6.1 Maintenance Release

Compare Source

https://blog.jquery.com/2022/08/26/jquery-3-6-1-maintenance-release/

v3.6.0: jQuery 3.6.0 Released!

Compare Source

https://blog.jquery.com/2021/03/02/jquery-3-6-0-released/

v3.5.1

Compare Source

v3.5.0: jQuery 3.5.0 Released!

Compare Source

See the blog post:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
and the upgrade guide:
https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

v3.4.1

Compare Source

v3.4.0

Compare Source

v3.3.1

Compare Source

v3.3.0

Compare Source

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.1

Compare Source

v3.1.0

Compare Source

v3.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.