
Commit a2ecba3

committed
📝 update readme
1 parent 215bc81 commit a2ecba3


2 files changed

+28
-13
lines changed


README.md

Lines changed: 22 additions & 12 deletions
@@ -32,17 +32,17 @@ In some cases, it may be unavoidable that a security fix involves a breaking cha
3232

3333
In a perfect world, at least every MAJOR EOL jQuery release line would have a security-patched release. "Major" refers to the meaning of the term in [SemVer](https://semver.org/), thus releases that have breaking changes. The goal is to provide a patched version of jQuery for all major release lines to provide a path of least resistance for all downstream users to upgrade to a secure version jQuery with [no (or minimal) breaking changes](#but-what-about-breaking-changes).
3434

35-
| jQuery version | jQuery-sec version | Branch | PR | Release |
36-
| -------------- | ------------------ | ------------------------- | -------------- | ------- |
37-
| `1.2.6` | `1.2.7-sec` | | | |
38-
| `1.3.2` | `1.3.3-sec` | | | |
39-
| `1.4.4` | `1.4.5-sec` | | | |
40-
| `1.5.2` | `1.5.3-sec` | | | |
41-
| `1.6.4` | `1.6.5-sec` | [1.6.5-sec][1.6.5-branch] | [PR][1.6.5-pr] | TODO |
42-
| `1.7.2` | `1.7.3-sec` | | | |
43-
| `1.8.3` | `1.8.4-sec` | | | |
44-
| `1.12.4` | `1.12.5-sec` | | | |
45-
| `2.2.4` | `2.2.5-sec` | | | |
35+
| jQuery version | jQuery-sec version | Branch | PR | Release | CVEs Patched |
36+
| -------------- | ------------------ | ----------- | -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------ |
37+
| `1.2.6` | `1.2.7-sec` | [1.2.7-sec] | [PR][1.2.7-pr] | | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
38+
| `1.3.2` | `1.3.3-sec` | | | | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
39+
| `1.4.4` | `1.4.5-sec` | | | | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
40+
| `1.5.2` | `1.5.3-sec` | | | | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
41+
| `1.6.4` | `1.6.5-sec` | [1.6.5-sec] | [PR][1.6.5-pr] | | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
42+
| `1.7.2` | `1.7.3-sec` | | | | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
43+
| `1.8.3` | `1.8.4-sec` | | | | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
44+
| `1.12.4` | `1.12.5-sec` | | | | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] |
45+
| `2.2.4` | `2.2.5-sec` | | | | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064] |
4646

4747
> [!NOTE]
4848
> The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
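Review bot: the rewritten `1.6.4` row drops the `TODO` that the old table had in its Release column, so an unreleased patch is now indistinguishable from the rows where no work has started at all; keep an explicit marker (e.g. `TODO` or `unreleased`) in Release for `1.2.7-sec` and `1.6.5-sec`, which both have a branch and a PR but no release. The per-row CVE lists also encode affected-range claims (CVE-2011-4969 is listed only for `1.2.6` through `1.5.2`, CVE-2020-7656 is absent from `1.12.4` and `2.2.4`, CVE-2020-23064 appears only for `2.2.4`); a one-line note on where those ranges were taken from would let readers check the table against the advisories it links.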
@@ -55,5 +55,15 @@ See [security/README.md](./security/README.md)
5555

5656
Ultimately, our hope is that these patched versions can be approved and accepted by the official jQuery project/maintainers and deployed as official jQuery releases.
5757

58-
[1.6.5-branch]: https://github.com/ctcpip/jquery-security-patches/tree/1.6.5-sec
58+
[1.2.7-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.2.7-sec
59+
[1.2.7-pr]: https://github.com/ctcpip/jquery-security-patches/pull/2
60+
[1.6.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.6.5-sec
5961
[1.6.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/1
62+
[CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
63+
[CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
64+
[CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98
65+
[CVE-2019-11358]: https://github.com/advisories/GHSA-6c3j-c64m-qhgq
66+
[CVE-2020-7656]: https://github.com/advisories/GHSA-q4m3-2j7h-f7xw
67+
[CVE-2020-11022]: https://github.com/advisories/GHSA-gxr4-xjj5-5px2
68+
[CVE-2020-11023]: https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
69+
[CVE-2020-23064]: https://github.com/advisories/GHSA-257q-pv89-v3xv
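Review bot: the `[1.6.5-branch]` reference is removed and replaced by `[1.6.5-sec]`, so any other document or older README section still using `[1.6.5-branch]` would now render as literal bracketed text rather than a link; a quick search of the repository for the old label before merging would confirm the table in the first hunk is its only consumer. The CVE references all resolve to GitHub advisory (GHSA) pages, which is fine, but since the table labels them by CVE id it may be worth a sentence noting that the targets are the GHSA mirrors rather than the CVE records themselves.
</grinsert>
<gr_insert after="143" cat="add_content" orig="##### Prerequisites">
Review bot: the new `1.2.6 / 1.2.7-sec` section is missing the "Checkout the branch" step that the `1.6.5-sec` section has, and it tells the reader to open `tests/index.html` directly from the file system while the second hunk moves the `1.6.5-sec` instructions to a served URL; if the 1.2.x test page genuinely works from `file://` (no tests that need same-origin HTTP), say so in one sentence, otherwise add the same "start a local server" step here so both sections are consistent.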

security/README.md

Lines changed: 6 additions & 1 deletion
@@ -9,6 +9,11 @@
99

1010
Includes instructions only for how to run the tests on MacOS. (PRs welcome for instructions for other platforms!)
1111

12+
#### 1.2.6 / 1.2.7-sec
13+
14+
- Run `make test` from the root folder of the repo
15+
- Open `tests/index.html` in your browser
16+
1217
#### 1.6.4 / 1.6.5-sec
1318

1419
##### Prerequisites
@@ -20,7 +25,7 @@ Includes instructions only for how to run the tests on MacOS. (PRs welcome for i
2025

2126
- Checkout the branch of the version you are interested in, e.g. `1.6.5-sec`
2227
- Run php server from the root folder of the repo: `php -S 127.0.0.1:8000`
23-
- Open `tests/index.html` in your browser
28+
- Open `127.0.0.1:8000/tests/index.html` in your browser
2429

2530
## A/B end-to-end acceptance tests
2631
