Skip to main content


OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites

By Announcement, Blog, jQuery, jQuery Security

OpenJS Foundation reports poor security practices across industries in North America, UK and Europe

SAN FRANCISCO – November 1, 2023 – Global web infrastructure is in a precarious position based on new research by the OpenJS Foundation thanks to an OpenSSF grant.

The OpenJS Foundation is announcing the results of an end-user audit based on an IDC survey that shows three-quarters of a billion websites are running out of date software, with most capturing personal and financial information. Over one-third of respondents confirm having experienced a security incident in the last 24 months.

The OpenJS Foundation analyzed the IDC survey results of this end-user audit and other data points and estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade. Due to the size of the problem, the OpenJS Foundation suggests that a behavioral change to web security is required.

Key findings:

  • 89% of random survey respondents reported knowing the use of jQuery on their internet-facing websites
  • 80% of these organizations capture vital information such as personal identifiable information (PII), including payment information (52%) location (64%), contact information (80%)
  • Websites are essential or high priority for 85% of respondents
  • The business damage from security incidents is severe with 28% reporting loss of customers and 29% reporting loss of revenue. Additionally, 39% reported regulatory violations, and 45% reported brand damage
  • Better security is the #1 motivation for upgrading for 48% of respondents

The end-user audit conducted by IDC surveyed more than 500 people in 23 industries across North America, UK and Europe, representing small, medium and large organizations. 

It is the responsibility of business owners and developers to make their websites secure. Getting actionable information is a key part of the process. Keeping packages up to date is an important way to improve security. Any one package may not be a site’s main security issue and packages can be abused, or used in ways that open up security problems.

Al Gillen, group vice president, Software Development and Open Source IDC, IDC, in a blog post published today on the OpenJS Foundation blog, states: “The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks.” Full IDC blog post is available here.

“There’s a big problem when three-quarters of a billion websites need an upgrade of just one open source project. It leads us to believe companies are using more outdated and unsupported technologies and potentially putting consumers at risk,” said Robin Bender Ginn, executive director of OpenJS Foundation. “To solve a problem of this scale, we need to start thinking about regular assessments of website technology, similar to how people visit their doctor every year for a physical medical checkup.” 

As a result of the study, the OpenJS Foundation is developing a free Healthy Web checkup tool. It will be provided widely to businesses and organizations around the world. The OpenJS Foundation is also seeking to partner with governments, businesses, and consumer advocacy organizations to better the health of the global web economy. 

jQuery made web page development approachable to everyone, but has led to millions of websites remaining on older, unsupported versions. Even as the jQuery Team releases security fixes, these sites often don’t update and remain vulnerable. 

The IDC survey, the Healthy Web checkup tool, and many security improvements were funded by an Alpha-Omega grant. As an associated project of the Open Source Security Foundation, Alpha-Omega’s mission is to catalyze sustained security improvements to the most critical open source software and ecosystems. 

“Many of our engagements start with an audit and then fund security fixes. This situation called for a different approach and we were keen to help,” said Bob Callaway, co-lead of the Alpha-Omega project and engineering manager of Google’s Open Source Security Team. “The Healthy Web checkup tool will be an innovative solution to a thorny problem,” he added. “This problem is not unique to jQuery. We’re hopeful this work can be extended to help everyone understand and mitigate the global risk.” 

“Secure open source software is a public good,” said Omkhar Arasaratnam, general manager of the Open Source Software Foundation (OpenSSF). “We applaud the OpenJS Foundation for making the web more secure through the OpenJS Healthy Web checkup.”

The OpenJS Healthy Web checkup tool takes 5 seconds and currently only checks the version of jQuery. It is a great indicator of whether or not organizations have implemented security practices because of how ubiquitous it is and how easy it is to test.

“The first step to improve the health of your website is to find out if your technology stack needs to be upgraded,” said Michał Gołębiowski-Owczarek, jQuery Core Team member and Senior Staff Software Engineer at Sumo Logic. “We’re constantly improving the security and performance of jQuery and ask people to check the versions of software used on their sites either with the upcoming Healthy Web checkup tool from the OpenJS Foundation or their own assessment.” 

“It is everyone’s responsibility to make their own websites secure. That’s not always a simple task, but ensuring packages are up to date can be a good place to start,” said Timmy Willison, Team Lead for jQuery Core and Lead Front-End Engineer at “The jQuery Team is pleased to work with the OpenJS Foundation as a part of this Healthy Web checkup campaign. Please join with us and the OpenJS Foundation to help improve the health of the consumer web.” 

“Consumer-facing software requires regular maintenance. Checking for updates from packages like jQuery and keeping your website secure is essential. The open web plays such an important role in modern life,” said Timo Tijhof, Infrastructure Lead for jQuery and Principal Engineer at the Wikimedia Foundation. “Like going to a doctor for regular checkups, auditing your website regularly is key to good web health. Please do your part!”

The OpenJS Foundation is assessing expanding the checkup tool to include additional open source JavaScript projects critical to the health of the web.

The OpenJS Healthy Web checkup tool is currently in beta and limited for use by technical evaluators and OpenJS members. General availability is planned for early 2024. OpenJS Foundation is actively seeking partner organizations to join in this important effort.

The new IDC study is freely available: The Benefit of Modernizing jQuery Deployments

OpenJS Resources

To learn more about how you could be a part of the OpenJS Foundation, click here.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by 26 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value. 

About Alpha-Omega

Alpha-Omega is an associated project of the OpenSSF, established in February 2022, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems, trying to build a world where critical open source projects are secure and that security vulnerabilities are found and fixed quickly. For more information please visit the Alpha-Omega website.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at 

About Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1000 members and is the world’s leading home for collaboration on open source software, open standards, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js and more are considered critical to the development of the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit their website.

This post was originally published on PR Newswire.

Better Features and Operational Benefits Come with Current jQuery Use

By Blog, jQuery, jQuery Security

Sponsored guest post by Al Gillen, International Data Corporation (IDC)

After decades of being sequestered in a back room and treated as a service department for other parts of the business, information technology (IT) professionals now enable modern, critical business operations. In many organizations today, IT is becoming integral to and inextricably intertwined with the business. Accompanying this newfound attention comes increased expectations and increased responsibility to ensure that applications, application services, and data services are robust, feature-rich and secure.

As a result, the pressure on IT departments to perform well and deliver quickly is increasing, thanks to greater corporate reliance upon the applications, websites, and cloud services used to operate and promote the business. In many cases, the software directly powering today’s external-facing solutions is open source, and in the majority of scenarios, there is reliance, at least in part, upon open source software (OSS) technologies in the underlying software stack. 

OSS is available in a multitude of formats and support models. For many critical enterprise deployment scenarios, OSS technologies must have a reliable governance model and a large and healthy community surrounding the technology. In some cases, there is also a commercial support option. Of course, if the technology is available with ongoing maintenance and upgrades at no subscription cost for accessing that ecosystem, that is a real bonus. 

Such is the case for jQuery, which continues to evolve with new features and stronger security thanks to an engaged and attentive community organized by and supported by the OpenJS Foundation, a Linux Foundation organization. The OpenJS Foundation, working with its community, continues to deliver regular updates to the widely-used jQuery solution.

IDC conducted research on the use of jQuery in the U.S., Germany and the U.K., with a total of 509 survey respondents in those three countries representing small, medium and large businesses across 23 distinct industries. The survey participants were selected based on knowing their company’s use of internet-facing websites, but were not qualified based on knowledge of or confirmed use of jQuery. After that qualification, the study found that 89% of the respondents confirmed knowledge of the use of jQuery on their internet-facing websites. This data indicates that jQuery is heavily deployed throughout Internet-facing websites today.

This IDC study focused on gauging how current the customer base is, in terms of the versions of jQuery deployed to support internet-facing websites. The good news is that 44% of organizations that IDC contacted are using current versions of jQuery on at least some of their Internet-facing websites. But the less good news is that over half of the respondents are either slightly behind or significantly behind on the versions of jQuery in use on their websites, with those respondents citing the use of a version of jQuery that is no longer under maintenance by the OpenJS Foundation and its community. Unfortunately, many users are unaware of what versions of jQuery are under active support today.

There are, of course, risks associated with using any software that may no longer be under current maintenance, and this concern is not limited to open source software; the same would be true of using proprietary software that is no longer supported, patched, and updated.

But equally important is that some of the best features that a given technology offers are typically found in the most modern versions. These cutting-edge features often are used by digital innovators to create differentiation for their customer experience or the user experience associated with the products and services they deliver.

Further compounding the risks associated with using out-of-support versions of jQuery is that most organizations that completed this survey indicated that they are using jQuery for capturing and processing personally identifiable information (PII). Across the survey sample, including respondents using in-support and out-of-support versions of jQuery, 80% of the respondents are capturing one or more types of PII. For organizations using versions of jQuery that pre-date version v3.6.0, this data capture can represent a potential risk, as any mishandling of PII could potentially lead to regulatory compliance issues for the business.

The good news is that most organizations say they are either up to date or have the ability to get there. In fact, 3 out of 4 respondents fall into this camp. The other quarter of the respondents to this survey say they will need help or cannot update their jQuery instances. Even in the case of the 36% who say they can get current (roughly half of the 75% that say they are current or can get current), the urgency to make that upgrade – even with the capture of PII and the lack of ongoing support from the jQuery community – is not enough motivation to make such an upgrade a high priority.

The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks. 

OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web

By Announcement, Blog, jQuery, jQuery Security

By: Robin Ginn, Executive Director, OpenJS Foundation and Brian Behlendorf, General Manager, OpenSSF

Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.

This is the second funded project coming from the OpenSSF to the OpenJS Foundation, the neutral home for JavaScript and the web. Earlier this year OpenSSF selected Node.js as its initial project, committing $300,000 to focus on improving supply chain security. 

OpenJS, working with the jQuery maintainers and industry experts, will undertake three core initiatives under this grant: an ecosystem risk audit, an expansion of its infrastructure modernization project, and a web modernization campaign.

“There’s a lot of work to be done to help secure the consumer web,” said Michael Scovetta, Alpha-Omega co-lead and Principal Security PM Manager at Microsoft. “We believe partnering with the vendor-neutral OpenJS Foundation is a great way to communicate out broadly to developers and to work with technology partners to reduce potential security incidents for jQuery. This is a wide ranging effort that is by no means simple.” 

jQuery Core is still actively maintained, and the maintainers have taken steps to consolidate and modernize its infrastructure with support from the OpenJS Foundation including migrating and improving its CDN. jQuery is still used by 77% of the world’s top 10 million websites, but one-third of those sites are still using 15-year-old legacy jQuery 1.x when they should be using a much more current version.

As part of its modernization initiative, OpenJS Foundation has also helped jQuery with two projects under the jQuery umbrella through a careful transition: jQuery UI and jQuery Mobile. However, there is much work to be done to fully understand and mitigate potential risks.  

“The use of ubiquitous technologies like jQuery is invisible to most, however potential problems could affect millions of websites. And, there’s no one-size-fits-all solution. This is exactly the type of project that the OpenSSF is looking to support, and we are excited to be working on our second project with the OpenJS Foundation, helping to advance open source security for all,” said Michael Winser, Alpha-Omega co-lead and Group Product Manager for Software Supply Chain Security and CI/CD at Google. “We are pleased to be committing to this project with the OpenJS Foundation and jQuery.”

The OpenJS Foundation  and OpenSSF are looking forward to working closely together to help developers around the globe improve their open source security readiness!

If you’re interested in finding out how you can help, please contact the OpenJS Foundation via

jQuery maintainers update and transition jQuery UI as part of overall modernization efforts

By Blog, jQuery, Project Updates

Authors: Michał Gołębiowski-Owczarek, Felix Nagel, and the jQuery team

The jQuery project is actively maintained and widely implemented — it’s used by 73% of 10 million most popular websites. As part of its ongoing effort to modernize the project, jQuery maintainers have taken steps to wind down one of its projects under the jQuery umbrella through a careful transition. 

Today, jQuery UI announced version 1.13 — its first release in 5 years and the project’s final planned release. Perhaps the most important update is that jQuery UI 1.13 now runs on the latest version of jQuery Core, providing a number of browser compatibility and security updates that have been missing from previous releases, in addition to community fixes and improvements. The jQuery UI Download Builder has also been restored and updated so developers can continue to download UI along with their favorite themes. The release is part of an ongoing series of updates across all jQuery projects.

jQuery UI is in maintenance-only mode. Users should not expect any new releases, though patches may be issued to resolve critical security, interoperability, or regression bugs. Trac, the project’s bug-tracking tool, has been put in read-only mode and developers are asked to file any critical issues on the project’s GitHub repository

jQuery UI was first launched in September 2007 as a curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery library. It quickly gained popularity because it was one of the best tested and most accessible UI frameworks of its time. The tool helped developers build UI components such as form controls and date pickers using the best practices back then. In its heyday, jQuery UI was adopted by a broad set of enterprises including Pinterest, PayPal, IMDB, Huffington Post, and Netflix. 

Today, jQuery UI continues to be an important testbed for jQuery Core updates, helping the maintainer team spot bugs and interoperability issues that arise as the web platform evolves. 

Celebrating jQuery UI’s History

With the launch of jQuery in 2006, web developers were able to access and manipulate DOM and CSS faster and easier than ever before. Thousands of open source jQuery widgets and plugins were created to handle previously tricky problems, like showing and hiding elements, rotating through image carousels, or picking dates on a calendar. The jQuery ecosystem became a playground full of tools for making new and interesting interactions possible on the web. 

‘New and interesting’ doesn’t always translate to ‘good and useful’ — though there were many good plugins available, it was not always easy to tell which would be the most performant or provide the best user experience. Developers might have to go searching for the right tools or worse, spend significant time swapping through several plugins to figure out which one worked best. Further, there were few examples of best practices in user experience on the web, so visitors to one website could have vastly different (and thus confusing) interactions when they performed a similar task on another website. 

Members of the jQuery Core team wanted to help developers write performant, high-quality, and reusable jQuery components for their sites and applications. After some discussion, the idea for a second library with strict standards for coding, documentation, and theming was born. The project’s vision and goals included: developing a collaborative design process; providing flexible styling and themes; creating elegant visual and interaction design; providing a robust API; and prioritizing progressive enhancement, accessibility, internationalization and localization support.

In September 2007, jQuery UI officially launched as a set of user interface interactions, effects, widgets, and themes built on top of jQuery. Soon after, the team shifted their focus to provide a full set of APIs and methods to allow developers to create flexible, full-featured widgets that met high standards of quality. CSS effects such as easing and animation were added in and helped developers create more modern, enhanced experiences. The team at Filament Group later added a ThemeRoller, allowing developers to get started quickly by providing customizable theme boilerplate. ThemeRoller is still operational today.  

By the end of 2008, jQuery UI had an exploding community of users, developers, and interaction designers regularly providing updates and improvements to the project as best practices and style preferences evolved. Between 2009 and 2016, the community provided a variety of new official and unofficial themes and plugins, interoperability and other bug fixes, robust testing processes, and support for multiple versions of jQuery. 

jQuery UI’s prior official release came in September 2016, nearly a decade after it started. In that timeframe, the jQuery community had helped inspire dozens of other open source projects, pattern and component libraries. But newer CSS frameworks and approaches were taking hold, and slowly the community moved on to other projects. The UI team and jQuery Mobile teams merged, and the group focused more on maintenance and compatibility with jQuery Core.  

jQuery UI became an OpenJS Foundation Emeritus project in 2018, recognizing that it was winding down while noting the significance it had for the JavaScript ecosystem.

Celebrating jQuery UI Maintainers and Contributors

The scope of the project and the inclusiveness of the community was responsible for helping countless web makers develop a love and appreciation for user experience, localization, internationalization, accessibility, and clean, reusable code. Though many hours of work and contribution went into making jQuery UI a successful library, the jQuery UI core team deserves extra recognition for more than a decade of hard work shepherding the work and the community throughout the project’s lifecycle. Alex Schmitz, Jörn Zaefferer, Felix Nagel, Mike Sherov, Rafael Xavier de Souza, and Scott González led a team of many core contributors and more than 300 additional authors.

Additional gratitude is owed to Michał Gołębiowski-Owczarek for preparing the 1.13 release and stewarding the repository for the past year. 

OpenJS Foundation will forever be grateful for the work of these open source developers and the impact they had on the ecosystem through their work. Please join us in celebrating these developers and jQuery UI!

jQuery maintainers continue modernization initiative with deprecation of jQuery Mobile

By Blog, jQuery, Project Updates

Authors: Michał Gołębiowski-Owczarek, Felix Nagel, and the jQuery team

jQuery maintainers are continuing to modernize its overall project that still is one of the most widely deployed JavaScript libraries today. The team announced that the cross-platform jQuery Mobile project under its umbrella is fully deprecated as of October 7, 2021. New technologies for mobile app development have evolved since this project was launched in 2010, so we’re encouraging developers to plan for this jQuery Mobile transition.

Please note that:

  • The Download Builder will remain available.
  • Mobile 1.4 is not compatible with the new jQuery Core.
  • Issues will be turned off. Please report critical security bugs via email to

Celebrating jQuery Mobile’s History

jQuery Mobile was conceived and announced in 2010, three years after the launch of jQuery.  The project was exciting and ambitious. At announcement, jQuery Mobile promised compatibility across multiple platforms, browsers, and versions. Several mobile browser vendors, including Palm and Mozilla, signed on to sponsor the project: 

“The jQuery community has focused on making the Web as productive and fun as possible. When we heard the mission behind jQuery Mobile, we wanted to help. With webOS we have shown that the Web platform is fantastic for developers, so we are excited to help make jQuery Mobile as good as it can be.” -Dion Almaer – Palm

At the time, the mobile web was desperately in need of a framework capable of working across all browsers, allowing developers to build truly mobile web applications. jQuery had already changed the way developers were building on the web, making it easier (and faster) to create secure, compliant applications. 

With jQuery Mobile, the project’s goals were to bring the ease-of-use of jQuery to HTML-capable mobile device browsers and to make it easier for developers to build progressively enhanced web applications. Led by Todd Parker of Filament Group, a development studio known for their work on cross platform and accessibility-first applications, jQuery Mobile launched its alpha release in October 2010. 

Alpha features included several components, layouts and theming tools that simplified the process of building a mobile web application. Progressive enhancement and graceful degradation, which were hot (and tricky) topics in web development at the time, featured heavily: jQuery Mobile promised developers and users the best possible experience their platform could handle. Accessibility was another key feature, with Mobile promising a user experience that could be navigated by touch, keyboard, or screen reader via ARIA compatible components. Additional features such as simplicity, file size, and the ability to deploy jQuery Mobile applications through an app store drove further excitement. 

Over the next year, the jQuery Mobile team continued to add compatible platforms and browsers, new components and themes, and eventually a themeroller tool that allowed developers to configure and download themes without writing any CSS. 

The community response was overwhelming – by the time 1.0 was released in November 2011, jQuery Mobile had gathered over 125 contributors, dozens of articles, tutorials and demos, 8 published books, and a gallery of sites, plugins and extensions to welcome and introduce new developers to the project. 

jQuery Mobile continued to make monthly releases throughout 2012 and 2013, regularly adding and improving components, resolving compatibility issues with mobile browsers, and making performance improvements to speed up page rendering times. The development team also continued to prioritize and highlight the importance of responsive web design and accessibility principles with each new release. 

As the number of components and widgets swelled – both those that were officially supported or widely adopted in the community, performance and compatibility issues with mobile platforms, browsers, and jQuery core were also exacerbated. Though the project did have some automated tests, there were still a number of items that needed to be tested manually, which slowed down the development process. 

In mid 2013, Jasper de Groot became the project lead and announced tighter development collaboration between jQuery UI and jQuery Mobile teams, sharing goals, roadmaps and code in order to ease the workload for both groups. The team continued to provide maintenance releases and support, but progress continued to slow under the burden of testing and supporting such a large community. 

Alex Schmitz took over the lead in July 2014, but by that time the size of the project, combined with the pace and availability of new mobile browser features, made finding a viable path forward for the project increasingly difficult. 

The latest stable version was released October 2014. Alex and team made a big push to update jQuery Mobile again in 2017 with the release of an alpha version of 1.5; this version would see compatibility with jQuery 3.0 and npm support among other things.

jQuery Mobile became an OpenJS Foundation Emeritus project in 2018, signifying that the goals of the project had been achieved.

jQuery modernization initiative

The deprecation of jQuery mobile follows the careful transition of another project under the jQuery project umbrella, jQuery UI.

jQuery Core is still actively maintained and widely implemented. As part of its modernization initiative, the team also has been making a series of updates this year to its infrastructure, including migrating and improving its CDN.

Celebrating jQuery Mobile Maintainers and Contributors

The contributions to jQuery Mobile opened up opportunities for people and organizations around the world, and we are thankful for all the contributions over the years. We would like to give an extra shout out of gratitude to the past maintainers of jQuery Mobile: Alexander Schmitz, Jasper de Groot, and Todd Parker.

jQuery project: addressing temporary CDN issues

By Blog, jQuery, Project Update

As part of its ongoing infrastructure updates, the jQuery infrastructure team is making configuration and deployment changes to address intermittent outages reported by some users. The issue is the result of faulty IP allowlisting which affects users downloading jQuery project assets from certain IP addresses.  

jQuery Logo

This issue is expected to be resolved in the next few weeks. In the interim, users can mitigate the issue by downloading and serving the files they need. 

CDN migration is part of a package of infrastructure improvement projects the project has been undertaking this year. The infrastructure team plans to provide a full overview of these improvements, which will help support the long-term maintenance of jQuery and its related projects, later this summer.
jQuery continues to be a widely-used open source project with active maintainers. While many sites host jQuery locally, others rely upon the jQuery CDN to deliver the library on demand. On average, the jQuery CDN delivers over 2 petabytes of code per month. The project is hosted at the OpenJS Foundation, the vendor-neutral organization to grow and sustain the JavaScript and web ecosystem.

Project Update: jQuery 3.6.0 Released!

By Announcement, Blog, jQuery, Project Update

Congrats to the jQuery team on their most recent release, version 3.6.0! jQuery is an Impact Project at the OpenJS Foundation.

The new release includes bug fixes and other improvements including:

Thank you to all of you who participated in this release by submitting patches, reporting bugs, or testing, including Dallas FraserMichal Golebiowski-OwczarekWonseop KimWonhyoung ParkBeatriz RezenerNatalia Sroka, and the whole team.

To read more about the new version and to download, visit the project’s blog.