jQuery 3.4.0 Released


jQuery has a new release! It’s been a while since our last release, but we expect this to be the last minor release in the 3.x branch, and then we will move on to the overhaul that will be jQuery 4.0. But before we get to 4.0, we’re excited to share the bug fixes and improvements included in jQuery 3.4.0. Here are some of the highlights:

Performance improvement in .width and .height

When getting and setting dimensions, there were certain cases where this could cause layout thrashing, which basically means that the browser calculated layout more times than necessary. We fixed this in all browsers except IE, where it can’t be avoided.

nonce and nomodule support

To support adding script elements through methods like .html and .append, jQuery separates them and appends new script tags to load and execute the remote content. During this process, attributes such as nonce and nomodule were ignored, but jQuery 3.4.0 now preserves them, so scripts inserted this way keep their CSP nonce.

Radio elements: expected state in event handlers

We had already fixed the same issue with checkboxes, but accidentally left out radio inputs. In the following example, true was logged the first time the element was clicked. We fixed it so that the checked property is updated before the event handler is executed.

Example

var $radios = jQuery(".example");
var $firstRadio = $radios.first();
var firstCheckedState = $firstRadio.prop("checked");
$radios.on("click", function() {
  // true in <3.4.0
  console.log($firstRadio.prop("checked") === firstCheckedState);
});
$radios.eq(1).click();

Minor vulnerability fix: Object.prototype pollution

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

Example

jQuery.extend(true, {},
  JSON.parse('{"__proto__": {"test": true}}')
);
console.log( "test" in {} ); // true

Note that while jQuery does its best to protect users from security vulnerabilities, jQuery is a DOM manipulation library that will generally do what you tell it to do. In this case, the behavior was likely unexpected, so jQuery.extend will no longer write any properties named __proto__. But guards such as this one are not replacements for good security practices such as user input sanitization.
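The guard described above, sketched as an added example that is not jQuery's source: a simplified recursive merge in its vulnerable form next to a hardened one that skips __proto__ and only recurses into own properties. The function names and the sample JSON are constructed for illustration.

```javascript
// Added illustration: a minimal recursive merge, not jQuery's source code.
// UNTRUSTED_JSON is constructed sample input; function names are hypothetical.
const UNTRUSTED_JSON =
  '{"__proto__": {"polluted": true}, "theme": {"color": "red"}}';

const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Before: copies every enumerable key, including "__proto__".
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObject(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes the untrusted keys onto it.
      target[key] = unsafeDeepMerge(target[key] || {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// After: never write "__proto__", and only recurse into own properties.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue; // the guard the post describes
    const value = source[key];
    if (isObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const base = own && isObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge on the sample input and reports whether unrelated
// objects gained the "polluted" key; cleans up so later code is unaffected.
function mergeAndCheck(mergeFn) {
  const merged = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = "polluted" in {};
  delete Object.prototype.polluted;
  return { polluted, color: merged.theme.color };
}
```

Calling mergeAndCheck(unsafeDeepMerge) reports pollution, while mergeAndCheck(safeDeepMerge) merges the same legitimate data without touching Object.prototype.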

Deprecating positional selectors and the sunset of Sizzle

The basic API of jQuery is to select something and then do something with what was selected. Sizzle, the selector engine in jQuery, handles the first half. It’s been a fast and efficient little engine that has paved the way for native selector APIs like querySelectorAll and additional native JavaScript and CSS selectors. Now that many of these selectors have made their way into modern browsers, it’s almost time to say goodbye to Sizzle. But in order to remove Sizzle in jQuery 4.0, we will also need to remove what we refer to as positional selectors, which are non-standard selectors.

Specifically, jQuery 3.4.0 is deprecating :first, :last, :eq, :even, :odd, :lt, :gt, and :nth. When we remove Sizzle, we’ll replace it with a small wrapper around querySelectorAll, and it would be almost impossible to reimplement these selectors without a larger selector engine.

We think this trade-off is worth it. Keep in mind we will still support the positional methods, such as .first, .last, and .eq. Anything you can do with positional selectors, you can do with positional methods instead. They perform better anyway.
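A small scanner for locating the deprecated positional selectors in existing code before upgrading, as an added example (not part of jQuery or jQuery Migrate). It leaves standard pseudo-classes such as :first-child and :nth-child alone; the sample source and the suggested method replacements are this example's own, with n assumed non-negative.

```javascript
// Added example: flags the positional selectors deprecated in jQuery 3.4.0.
// SAMPLE_SOURCE is constructed; SUGGEST is this example's mapping, not jQuery's.
const SAMPLE_SOURCE = [
  '$("li:first").addClass("active");',
  '$("tr:nth-child(2n), p:first-child").hide();', // standard CSS, not flagged
  '$("td:eq(2), td:gt(4)").css("color", "red");',
  '$("li:even").show();',
].join("\n");

// :first/:last/:even/:odd must not be followed by "-" or a word character,
// so :first-child, :last-of-type and similar standard selectors are skipped.
// :eq/:lt/:gt/:nth must be followed directly by "(", so :nth-child is skipped.
const POSITIONAL = /:(first|last|even|odd)(?![\w-])|:(eq|lt|gt|nth)\(/g;

// Method-based equivalents (n is the selector's non-negative index argument).
const SUGGEST = {
  first: ".first()",
  last: ".last()",
  eq: ".eq(n)",
  nth: ".eq(n)",
  lt: ".slice(0, n)",
  gt: ".slice(n + 1)",
  even: ".filter(function (i) { return i % 2 === 0; })",
  odd: ".filter(function (i) { return i % 2 === 1; })",
};

// Returns one finding per match: 1-based line, selector name, replacement.
function findPositionalSelectors(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const match of text.matchAll(POSITIONAL)) {
      const name = match[1] || match[2];
      findings.push({
        line: index + 1,
        selector: ":" + name,
        use: SUGGEST[name],
      });
    }
  });
  return findings;
}
```

The match is textual, so a hit inside a comment or an unrelated string still needs a manual look.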

Upgrading

There should be no compatibility issues if upgrading from jQuery 3.0+. If you haven’t yet upgraded to jQuery 3+, please have a look at the 3.0 Upgrade Guide. The jQuery Migrate 3.0 plugin will help you to identify compatibility issues in your code.

Please try out this new release and let us know about any issues you experienced.

Download

You can get the files from the jQuery CDN, or link to them directly:

https://code.jquery.com/jquery-3.4.0.js

https://code.jquery.com/jquery-3.4.0.min.js

You can also get this release from npm:

npm install jquery@3.4.0

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:

https://code.jquery.com/jquery-3.4.0.slim.js

https://code.jquery.com/jquery-3.4.0.slim.min.js

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Thanks

Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including abnud1, Jason Bedard, buddh4, Kris Borchers, Andrei Fangli, Oleg Gaidarenko, Richard Gibson, Michal Golebiowski-Owczarek, Marja Hölttä, Dave Methvin, Ed S, Luis Emilio Velasco Sanchez, Saptak Sengupta, tmybr11, Bert Zhang, and the whole jQuery team.

Changelog

GitHub changelog: Issues fixed in 3.4.0 | All changes

Ajax

Core

  • Use isAttached to check for attachment of element (662083ed)
  • Tiny efficiency fix to jQuery.extend / jQuery.fn.extend (#4246) (#4245, 4ffb1df8)
  • Preserve CSP nonce on scripts with src attribute in DOM manipulation (#4323, 00504037)
  • Preserve CSP nonce on scripts in DOM manipulation (#3541, c7c2855e)
  • Support passing nonce through jQuery.globalEval (#4278, 5bdc85b8)
  • Recognize Shadow DOM in attachment checks (#3504, 9b77def5)
  • Prevent Object.prototype pollution for $.extend( true, … ) (753d591a)

CSS

  • Ensure camel- vs kebab-cased names are not collapsed for CSS vars (f8c1e902)
  • Avoid filling jQuery.cssProps (#3986, 2b5f5d5e)
  • Correctly detect scrollbox support with non-default zoom (#4029, 821bf343)
  • Don’t auto-append “px” to CSS variables (#4064) (#4063, 75b77b48)
  • Skip the px-appending logic for animations of non-element props (f5e36bd8)
  • Avoid forcing a reflow in width/height getters unless necessary (#4322, a0abd15b)
  • Don’t read styles.position in the width/height cssHook unless necessary (#4185, 354f6036)
  • Don’t auto-append “px” to possibly-unitless CSS grid properties (#4007, f997241f)

Dimensions

  • fix computing outerWidth on SVGs (#3964, e743cbd2)
  • avoid fetching boxSizing when setting width/height – this avoids forcing a reflow in some cases (#3991, 73d7e625)
  • fall back to offsetWidth/Height for border-box in IE (#4102, 315199c1)

Event

  • Prevent leverageNative from double-firing focusin (fe5f04de)
  • Add “code” property to Event object (#3978, 899c56f6)
  • Leverage native events for focus/blur/click; propagate additional data (#1741, #3423, #3751, #4139, 669f720e)
  • Respect script nomodule attribute in DOM manipulation (#4281, e4de8b46)
  • Restore _evalUrl jQuery.ajax calls to dataType: script (13de7c9e)
  • Only evaluate HTTP-successful script src (#4126, c2026b11)

Manipulation

  • Properly detect HTML elements with single-character names (#4124, 979809c5)

Misc

  • Add config for lockbot (2348f399)
  • Update license prolog/epilog to placate Github checker (29e76e25)

README

  • add gitter badge to README.md (7869f83d)
  • Add FOSSA license scan status badge (45f08588)

Selector

Serialize

  • jQuery.param: return empty string when given null/undefined (#2633, 0645099e)

Traversing

Internal

  • Seasonal update of uglify and its options (09684ba3)
  • Remove unnecessary ESLint exception (dc05f3c1)
  • Run the basic test suite in jsdom (0ec25abb)
  • Remove manual QUnit fixture resetting (84b6a0be)
  • Make Promises/A+ tests use the dot reporter instead of the default (ca9356ec)
  • Update QUnit from 1.23.1 to 2.9.2 (6ced2639)
  • Run Karma browser tests on Node.js 10 instead of 8 (16ad9889)
  • Update jsdom; migrate a test with Symbol polyfill to an iframe test (9cb124ed)
  • Remove obsolete globals from ESLint configuration (c10945d0)
  • Update most dependencies (8751e9ef)
  • Update test code for compatibility with QUnit 2.x (#4297) (c3498187)
  • Advise to create test cases on JS Bin or CodePen, drop JSFiddle (da44ff39)