jQuery has been downloaded more than 120 million times in the past 12 months, which is the sum of the 40 million downloads for Vue.js and the 79 million for Bootstrap. Four vulnerabilities have been found in Vue.js, and they have been fixed.
Seven cross-site scripting vulnerabilities were found in Bootstrap, three of which were disclosed in 2019 without security fixes. Six security vulnerabilities affecting all versions were identified in jQuery: four medium-risk cross-site scripting vulnerabilities, one medium-risk prototype pollution vulnerability, and one low-risk denial-of-service vulnerability.
jQuery versions above 3.4.0 are not affected by the vulnerability. Several malicious extension packages were also found in the jQuery ecosystem, including jquery.js, jquery-airload, github-jquery-widgets, jquery-mobile, jquery-file-upload, and jquery-colorbox. These packages have been downloaded from a few hundred to a few thousand times in the past year.