Update dependency jquery-validation to v1.20.0 [SECURITY]

[chzauleck]

This PR contains the following updates:

Package	Change	Age	Confidence
jquery-validation (source)	1.19.3 -> 1.20.0

GitHub Vulnerability Alerts

CVE-2021-43306

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method

CVE-2022-31147

Summary

Incomplete fix of CVE-2021-43306: An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.

CVE-2025-3573

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

---

Regular expression denial of service in jquery-validation

CVE-2021-43306 / GHSA-j9m2-h2pv-wvph

More information

Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method

Severity

Low

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-43306
• https://github.com/jquery-validation/jquery-validation/pull/2428
• https://github.com/jquery-validation/jquery-validation/commit/69cb17ed774b427f7e2ffcdf197968231725c30e
• https://github.com/jquery-validation/jquery-validation
• https://research.jfrog.com/vulnerabilities/jquery-validation-redos-xray-211348

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method

CVE-2022-31147 / GHSA-ffmh-x56j-9rc3

More information

Details

Summary

Incomplete fix of CVE-2021-43306: An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3
• https://nvd.nist.gov/vuln/detail/CVE-2022-31147
• https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd
• https://github.com/jquery-validation/jquery-validation
• https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

jquery-validation vulnerable to Cross-site Scripting

CVE-2025-3573 / GHSA-rrj2-ph5q-jxw2

More information

Details

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-3573
• https://github.com/jquery-validation/jquery-validation/pull/2462
• https://github.com/jquery-validation/jquery-validation/commit/7a490d8f39bd988027568ddcf51755e1f4688902
• https://github.com/jquery-validation/jquery-validation
• https://security.snyk.io/vuln/SNYK-JS-JQUERYVALIDATION-5952285

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jquery-validation/jquery-validation (jquery-validation)

v1.20.0

Compare Source

===================

Additional

• Fixed vinUS validation failing on valid vin numbers #​2460

Core

• Fixed race condition in remote validation rules #​2435
• Removed pending class from fields with an aborted request #​2436
• Fixed remote validation error tracking #​2242
• Added escapeHtml option to avoid XSS attacks via showLabel method #​2462

Demo

• Fixed minlength validation in ajaxSubmit-integration-demo.html #​2454

Localisation

• Improved required translation in pt_BR #​2445
• Added Hindi translation #​2453
• Added French currency translation #​2471

v1.19.5

Compare Source

===================

Chore

• Add CodeQL analysis 3d3c1fb

Core

• Fixed jQuery .submit() event shorthand deprecation notice #​2430
• Fixed ReDos vulnerability in url, and url2 validation 5bbd80d

Localisation

• Added periods to messages #​2266

v1.19.4

Compare Source

===================

Build

• Add License.md to zip tarball (#​2386)

Chore

• Updated build status badges (#​2424)
• Enabled stable bot (#​2425)

Core

• Fixed validation for input type="date" (#​2360)
• Wait for pendingRequests to finish before submitting form (#​2369)
• Fixed bug for Html Editors (#​2154) (#​2422)
• Fixed ReDoS vulnerability in URL2 validation (#​2428)

Test

• Switch from Travis to GitHub workflows (#​2423)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.