jQuery out of fashion? But it's downloaded over 120 million times

Although the jQuery JavaScript library is still in use, it is no longer as popular as it once was. According to statistics from the open-source security platform Snyk, at least six out of ten sites are affected by jQuery XSS vulnerabilities, and the plugins that extend jQuery's functionality introduce further security issues.

Snyk released its 2019 State of JavaScript Frameworks Security report. The report focuses on the security of the two leading JavaScript frameworks, Angular and React, but also investigates vulnerabilities in three other front-end JavaScript ecosystem projects: Vue.js, Bootstrap and jQuery.

The report shows that jQuery was downloaded more than 120 million times in the past 12 months, roughly the downloads of Vue.js (40 million) and Bootstrap (79 million) added together. The Snyk report found four vulnerabilities in Vue.js, all of which have since been fixed; Bootstrap contains seven cross-site scripting (XSS) vulnerabilities, three of them disclosed in 2019, with no fix or safe upgrade path available; and for jQuery, six vulnerabilities affecting all versions have been tracked so far: four medium-severity cross-site scripting vulnerabilities, one medium-severity prototype pollution vulnerability, and one low-severity denial-of-service vulnerability.
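
As an added illustration (not jQuery's own code and not taken from the report), the constructed deep-merge helpers below show the prototype-pollution class the report counts against jQuery: a naive recursive merge copies an untrusted object's own `__proto__` key into `Object.prototype`, while the hardened merge drops prototype-affecting keys. The `mergePollutes` harness, `FORBIDDEN_KEYS` and the JSON input are assumptions constructed for this demonstration.

```javascript
// Constructed illustration, not jQuery's own code: naive recursive merge
// next to a hardened merge that skips prototype-affecting keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Naive deep merge: when src carries an own "__proto__" key, target["__proto__"]
// resolves to Object.prototype and the recursion writes into it.
function naiveDeepMerge(target, src) {
  for (const key in src) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened deep merge: own keys only, forbidden keys dropped, and a nested
// target is reused only when it is the target's own property.
function safeDeepMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges a constructed untrusted JSON document with the given merge function and
// reports whether Object.prototype was touched; the flag is removed afterwards.
function mergePollutes(mergeFn) {
  const untrusted = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":true}}');
  mergeFn({}, untrusted);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}
```

`JSON.parse` is used for the sample because an object literal with a `__proto__` key sets the prototype instead of creating an own property, which is the shape untrusted input actually arrives in.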

The Snyk report concludes that any site using a jQuery version below 3.4.0 is vulnerable to attack.

According to W3Techs data, 84% of sites using jQuery run v1.x, which exposes them to the four medium-severity XSS vulnerabilities; using jQuery extensions (13 of which have known vulnerabilities) makes this situation worse.

In the Snyk report, jquery.js is a malicious package that was downloaded 5,444 times in the past 12 months; its severity is as high as that of the malicious versions of two other open-source community modules (jquery-airload, 322 downloads, and github-jquery-widget, 232 downloads).

The report also lists three further extension libraries: jquery-mobile, jquery-file-upload and jquery-colorbox. Although they contain arbitrary code execution and cross-site scripting vulnerabilities with no upgrade path to patch them, they were still downloaded more than 340,000 times in total over the past 12 months.

Given the above, jQuery still sees high download volumes today; the likely reasons are:

  • A large number of tutorials, existing websites and software still use it
  • The ecosystem of jQuery plugins is very rich, and many new JS frameworks also support jQuery
  • Many programmers have used jQuery, are familiar with its syntax and features, and will keep using it

Reference: i-programmer

Source: www.oschina.net/news/111220/perils-of-jquery