- Notifications
You must be signed in to change notification settings - Fork261
Security: jquery/api.jquery.com
Security
SECURITY.md
Please check which versions of the jQuery project you are using are currently supported.
- Thelatest released version of jQuery UI is supported.
- Thelatest released version of jQuery UI is supported, but jQuery UI supports multiple versions of jQuery. More information can be found athttps://jqueryui.com/.
- jQuery Mobile is no longer supported.
The jQuery instrastructure is maintained with puppet and the configuration is publicly available and documented athttps://github.com/jquery/infrastructure-puppet.
Content for individual sites can be found in their respective repositories. For example, the content for jquery.com is available athttps://github.com/jquery/jquery.com.
Search for the right repository athttps://github.com/jquery.
Please report security issuesprivately:
- Email:security@jquery.com
Do not file public GitHub issues for security problems.
When reporting, please include:
- Affected project/repo and version(s)
- Impact and component(s) involved
- Reproduction steps or PoC (if available)
- Your contact and preferred credit name
If you do not receive an acknowledgement of your report within6 business days, or if you cannot find a private security contact for the project, you mayescalate to the OpenJS Foundation CNA atsecurity@lists.openjsf.org.
If the project acknowledges your report but does not provide any further response or engagement within14 days, escalation is also appropriate.
Important:
- If the vulnerability is considered valid and accepted, a patch will be made for the latest jQuery version.
- If the vulnerability is deemed invalid, no further action is required.
We follow coordinated vulnerability disclosure:
- We will acknowledge your report, assess impact, and work on a fix.
- We aim to provide status updates at reasonable intervals until resolution.
- We will publish a security advisory (andCVE via the OpenJS CNA when applicable) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.