You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+22-22Lines changed: 22 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,28 @@
2
2
3
3
This repository contains unofficial end-of-life jQuery releases with vulnerabilities patched.
4
4
5
+
## Patched releases
6
+
7
+
In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
8
+
9
+
| Status | jQuery version | jQuery-sec version | Branch | PR | Release | CVEs Patched |
> \*CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
23
+
24
+
> [!NOTE]
25
+
> The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
26
+
5
27
## Background
6
28
7
29
For one reason or another, various security issues have not been fixed or backported in older official jQuery release lines.
@@ -28,28 +50,6 @@ In some cases, it may be unavoidable that a security fix involves a breaking cha
28
50
- Additional unit/integration test coverage as needed to account for the changes
29
51
- A/B end-to-end acceptance tests against the unpatched and patched versions for all CVEs
30
52
31
-
## Patched releases
32
-
33
-
In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
34
-
35
-
| jQuery version | jQuery-sec version | Branch | PR | Release | CVEs Patched |
> \*CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
49
-
50
-
> [!NOTE]
51
-
> The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
0 commit comments