Question about security in bundled jquery version 1.12.4

Matthew
Matthew asked on 29 Aug 2023, 03:33 PM

I have a question about the jquery version that is bundled with kendo UI. According to what I've read, there were several vulnerabilities in jquery that were patched in later jquery releases (CVE-2020-11022, CVE-2020-11023, CVE-2015-9251, CVE-2019-11358). Do these vulnerabilities exist in the jquery.min.js file that is included with the product download?

I saw a post here that said it was fixed for the ASP.NET AJAX version: https://www.telerik.com/forums/bundled-jquery-library-version-1-12-4-is-vulnerable

Did the MVC version also get this fix or was that just for ASP.NET AJAX?

I'm not sure if I should have posted this here or in the Kendo UI for jquery because we use the MVC helper and the jquery syntax for creating widgets.


1 Answer, 1 is accepted

Ivan Danchev
Telerik team
answered on 01 Sep 2023, 12:18 PM

Hello Matthew,

We haven't made changes to the jQuery file version (v1.12.4) that is included in our Kendo UI or MVC distributions. Our colleagues from the UI for ASP.NET AJAX team have modified the jQuery file, because the UI for ASP.NET AJAX product relies on that particular version. However, for Kendo UI or UI for ASP.NET MVC that is not the case. These two products can be used with any compatible jQuery version. The latest versions of the Kendo UI for jQuery and UI for ASP.NET MVC products are compatible with jQuery 1.12.4, 1.10.x, 2.2.x and 3.7.0. This means that instead of using the old 1.12.4 version of jQuery, you can reference a newer version, for example:

<script src="https://code.jquery.com/jquery-3.7.0.min.js" integrity="sha256-2Pmvv0kuTBOenSvLm6bvfBSSHrUJ+3A7x6P5Ebd07/g=" crossorigin="anonymous"></script>

Be advised that we plan on removing the bundled old version of jQuery in one of the upcoming releases. After this change goes live, our bundle will no longer contain a jQuery file.

Regards,
Ivan Danchev
Progress Telerik

