jQuery 3.5.1 Released: Fixing a Regression

Posted on by

I’ve never gotten to say this on a jQuery release, but May the 4th be with you! A short time ago in a galaxy exactly like this one, we released jQuery 3.5.0. We have a quick fix for a regression in that release.

Specifically, we had changed our internal data object to use Object.create( null ) instead of a plain object ({}). We did that to prevent collisions with keys on Object.prototype properties. However, this also meant that users (especially plugins) could no longer check what was in jQuery data with the native .hasOwnProperty() method, and it broke some code. We’ve reverted that change, but plan to put it back in jQuery 4.0. This change is the only code change in this release. Other changes include some minor updates to our docs and build system.

Security fixes in 3.5.0

jQuery 3.5.0 included fixes for two security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub. While we provided all of the details on the first issue in the jQuery 3.5.0 blog post, we did not provide all of the details on the second and would like to do that in this post.

The second issue was very similar to the first. It was an XSS vulnerability that had to do with passing <option> elements to jQuery’s DOM manipulation methods. Essentially, we’re using a regex to wrap <option> elements with <select> elements to ensure those elements get parsed correctly in old IE (IE <= 9 replaces any <option> tags with their contents when inserted outside of a <select> element).

Our fix is to only apply this code where it is needed. Fortunately, because of the different parsing behavior in IE9, we can keep the fix in IE9 without exposing it to the same vulnerability as other browsers. Please upgrade when you get a chance to avoid these vulnerabilities.


If you haven’t yet upgraded to jQuery 3.5, have a look at the 3.5 Upgrade Guide. If you haven’t yet upgraded to jQuery 3+, first have a look at the 3.0 Upgrade Guide. Also, the jQuery Migrate plugin will help you to identify compatibility issues in your code.

If you can’t yet upgrade to 3.5+, Daniel Ruf has kindly provided patches for previous jQuery versions. Please try out this new release and let us know about any issues you experienced.


You can get the files from the jQuery CDN, or link to them directly:



You can also get this release from npm:

npm install jquery@3.5.1

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version. These files are also available in the npm package and on the CDN:



These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today, please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.


Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Pierre Grimaud, Michal Golebiowski-Owczarek, Ed S, vanillajonathan, and the whole jQuery team.


Full changelog: 3.5.1


  • Test on Node.js 14, stop testing on Node.js 8 & 13 (205dd134)
  • Enable reportUnusedDisableDirectives in ESLint (b21d6710)
  • Updating the 3.x-stable version to 3.5.1-pre. (898784ab)




  • Workaround failures in recent XSS tests in iOS 8 – 12 (ea2d0d50)
  • Add tests for recently fixed manipulation XSS issues (58a8e879)
  • Cleanup `window` & `document` handlers in a new event test (c1c0598d)
  • Fix flakiness in the “jQuery.ajax() – JSONP – Same Domain” test (46ba70c5)