Why does MeteorJS still have such an old jQuery version (10 years old)?

  • Meteor’s jquery@3.0.2 (Jul 2016)
  • npm jquery@3.7.1 (Aug 2023)

Meteor’s is missing 7 years of security fixes (notably the 3.5 $.parseHTML XSS hardening), bug fixes, and selector improvements (:has(), etc.).

I think probably because no one cares? People don’t make new projects with jQuery these days. It may be needed only for the built-in login UIs, which are working perfectly fine.

You can simply ignore it, and don’t use it.

But! If you care strongly about it, a pull request may help…

$.parseHTML XSS hardening

IMO this is not a vulnerability, but a guard against people who are absolute beginners.

Advice for everyone: never accept random HTML from 3rd parties into your app without sanitizing it, period. Regardless if you use jQuery. Most apps never need to do this, unless they allow a user to customize their profile with custom HTML or similar. If you’re building an app that accepts arbitrary HTML, then of course you MUST always sanitize it and I wouldn’t rely on jQuery for that.

Meteor does not accept arbitrary HTML, so that’s not an issue with Meteor, unless you add that feature to an app yourself outside of Meteor’s defaults.
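The following is an added example (mine, not code from this thread, from jQuery or from Meteor) showing concretely what the jQuery 3.5 `$.parseHTML` / `.html()` hardening mentioned above changed. Before 3.5, `jQuery.htmlPrefilter` rewrote self-closing tags such as `<style/>` into `<style></style>` before the string reached `innerHTML`; since 3.5 the prefilter returns the string unchanged. The regex and replacement below are assumed to be the legacy prefilter as shipped in jQuery 3.4.x (reproduced from memory of that source); the function names, the small raw-text-aware tag scanner and the payload are constructed here for illustration.

```javascript
// Added example, not code from the thread, jQuery or Meteor. It reproduces the
// behaviour that the jQuery 3.5 "htmlPrefilter" change removed.
//
// Assumption: rxhtmlTag and the "<$1></$2>" replacement are the legacy
// jQuery.htmlPrefilter as shipped in jQuery 3.4.x (quoted from memory).
// Everything else (function names, the scanner, the payload) is constructed here.

// Legacy behaviour (jQuery < 3.5): expand self-closing tags other than the listed
// void elements, e.g. "<style/>" becomes "<style></style>", before the string is
// handed to innerHTML.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5: the prefilter is the identity; the string reaches innerHTML as is.
function modernHtmlPrefilter(html) {
  return html;
}

// Elements whose content the HTML parser treats as raw text: an "<img ...>" written
// inside <style> is just characters, not an element, until the matching end tag.
const RAW_TEXT = new Set(["style", "script", "textarea", "title"]);

// Rough stand-in for what a browser (and therefore a DOM-based sanitizer such as
// DOMPurify) would instantiate: the start tags that actually become elements,
// honouring raw-text content. Returns [{ name, hasHandler }].
function liveElements(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][^\s\/>]*)([^>]*)>/g;
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    tagRe.lastIndex = i;
    const m = tagRe.exec(html);
    if (!m) break;
    i = tagRe.lastIndex;
    if (m[0][1] === "/") continue; // end tag, nothing instantiated
    const name = m[1].toLowerCase();
    out.push({ name, hasHandler: /\son[a-z]+\s*=/i.test(m[2]) });
    if (RAW_TEXT.has(name)) {
      // Skip to the matching end tag; everything in between is text.
      const close = lower.indexOf("</" + name, i);
      i = close === -1 ? html.length : close;
    }
  }
  return out;
}

// True if any instantiated element carries an inline event handler attribute.
function hasLiveHandler(html) {
  return liveElements(html).some((el) => el.hasHandler);
}

// Constructed payload of the CVE-2020-11022 shape: parsed as-is, it is one <style>
// element whose text content happens to contain "<img ...>", so a sanitizer that
// parses and re-serialises it finds nothing executable.
const payload = "<style><style/><img src=x onerror=alert(1)>";

// What each jQuery generation hands to innerHTML after the sanitizer passed the string.
function outcome() {
  return {
    sanitizerSees: hasLiveHandler(payload),                          // false
    legacyBrowserSees: hasLiveHandler(legacyHtmlPrefilter(payload)), // true
    modernBrowserSees: hasLiveHandler(modernHtmlPrefilter(payload)), // false
  };
}

console.log(legacyHtmlPrefilter(payload)); // <style><style></style><img src=x onerror=alert(1)>
console.log(outcome());
```

The point of the hardening is therefore not that jQuery sanitizes anything; it is that pre-3.5 jQuery altered the markup between your sanitizer and the browser, so output that DOMPurify (or any parse-based sanitizer) had already approved could still become a live `<img onerror>` once jQuery expanded the `<style/>`. With 3.5 or later the string you sanitized is the string the browser parses, which is what makes the advice above (sanitize first, then hand it to jQuery) sufficient.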

@trusktr

I think probably because no one cares? People don’t make new projects with jQuery these days. It may be needed only for the built-in login UIs, which are working perfectly fine.

You can simply ignore it, and don’t use it.

But! If you care strongly about it, a pull request may help…

I use jQuery at WeKan, but it’s not new, I have maintained WeKan for 10 years. Currently WeKan is using Meteor 3.5-beta.10.

$ cat package.json | grep jquery
    "@rwap/jquery-ui-touch-punch": "^1.0.11",
    "jquery": "^3.7.1",
    "jquery-ui": "^1.14.2",

$.parseHTML XSS hardening

XSS? Do you mean DOMPurify?

1 Like

Hello, FYI we added the possibility to remove jQuery entirely from Blaze here: https://github.com/meteor/blaze/pull/493

You’ll soon be able to remove it if you’re interested :+1:

But feel free to bump the JQ version :smile:

2 Likes

@a4xrbj1 the Meteor jquery package version does not follow the versioning of the npm package. It is just a soft wrapper to make it easier for packages to use jquery as a dependency without pinning it to a specific npm version. This means you can use whatever jquery you feel you need in your project via npm and add api.use('jquery@3.0.2') if your package needs to access jquery.

1 Like