README.md: 18 additions & 8 deletions
@@ -22,20 +22,30 @@ In some cases, it may be unavoidable that a security fix involves a breaking cha
22
22
23
23
## Acceptance criteria for patched releases
24
24
25
-
- Wherever possible, reuse the existing patch code from patched jQuery releases
26
-
- All existing passing tests must pass
25
+
- All CVEs for the release MUST be patched
26
+
- Wherever possible, reuse the existing patch code from patched official jQuery releases
27
+
- All existing passing tests MUST pass
27
28
- Additional unit/integration test coverage as needed to account for the changes
28
29
- A/B end-to-end acceptance tests against the unpatched and patched versions for all CVEs
29
30
30
-
## Available patched releases
31
+
## Patched releases
32
+
33
+
In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
31
34
32
35
| jQuery version | jQuery-sec version | Branch | PR | Release |
| 1.6.4 | 1.6.5-sec |[1.6.5-sec][1.6.5-branch]|[PR][1.6.5-pr]| TODO |
35
-
36
-
### Future releases
37
-
38
-
In a perfect world, at least every MAJOR jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
37
+
|`1.2.6`|`1.2.7-sec`||||
38
+
|`1.3.2`|`1.3.3-sec`||||
39
+
|`1.4.4`|`1.4.5-sec`||||
40
+
|`1.5.2`|`1.5.3-sec`||||
41
+
|`1.6.4`|`1.6.5-sec`|[1.6.5-sec][1.6.5-branch]|[PR][1.6.5-pr]| TODO |
42
+
|`1.7.2`|`1.7.3-sec`||||
43
+
|`1.8.3`|`1.8.4-sec`||||
44
+
|`1.12.4`|`1.12.5-sec`||||
45
+
|`2.2.4`|`2.2.5-sec`||||
46
+
47
+
> [!NOTE]
48
+
> The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
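Review bot: the rationale in the added `> [!NOTE]` block conflicts with the table it follows: it argues there is no value in a patched 3.4 because fixing CVE-2020-11022 and CVE-2020-11023 requires a breaking change, yet the same note says those CVEs are present in virtually all versions of jQuery, so every `-sec` row added above (`1.2.7-sec` through `2.2.5-sec`) faces the same choice, and the new criterion `All CVEs for the release MUST be patched` means the breaking fix cannot be left out of those lines either. Suggest adding a sentence under `## Patched releases` stating how the `-sec` lines reconcile this (which CVEs each covers and which fixes are known to change behaviour), since the paragraph promises "no (or minimal) breaking changes". Two smaller points: the added rows leave the Branch, PR and Release cells empty while the existing `1.6.4` row uses `TODO`, so pick one convention; and the header `| jQuery version | jQuery-sec version | Branch | PR | Release |` has no `|---|` separator row in the visible context, without which none of these rows will render as a table.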