jQuery End of Life
What's Actually EOL (and What Isn't)
Let's clear up the most-searched question first: jQuery is not end-of-life. jQuery core is still actively maintained — the 3.x line receives security releases and the 4.x line is the modern successor. By the EOL Risk Score™, jQuery sits at just 20 (Low), because the project is alive and there is no scheduled end-of-life date.
But that headline hides the real problem. The parts of the jQuery ecosystem most sites actually depend on are end-of-life: jQuery 1.x and 2.x have received no releases since 2016, jQuery UI reached EOL on August 5, 2024, and jQuery Mobile was archived years ago. And here is the catch that the Low EOL score doesn't capture — old jQuery versions carry known, patchable XSS vulnerabilities. This page untangles what's maintained, what's dead, and what to actually do about it.
jQuery Core Versions — What's Maintained
Every jQuery core line scores Low on the EOL Risk Score™ — the project maintains backward compatibility and has no formal EOL schedule. But "no EOL date" is not the same as "still getting updates." Here is the maintenance reality behind the score:
| Version | Maintenance reality | Status | EOL Risk Score™ |
|---|---|---|---|
| jQuery 1.x | No releases since 1.12.4 (May 2016) | Unmaintained | 20 |
| jQuery 2.x | No releases since 2.2.4 (May 2016) | Unmaintained | 20 |
| jQuery 3.x | Maintained · latest 3.7.1 · security releases | Maintained | 20 |
| jQuery 4.x | Newest line · drops legacy IE support | Current | 20 |
The Real Risk: Old Versions, Known CVEs
Here is the part that the Low EOL score does not — and is not designed to — capture. The EOL Risk Score™ measures lifecycle status. It does not track version-specific vulnerabilities. And jQuery has several well-known ones that were fixed in specific releases:
- CVE-2020-11022 and CVE-2020-11023 — cross-site scripting (XSS) flaws in jQuery's HTML manipulation, fixed in jQuery 3.5.0 (April 2020). Any jQuery older than 3.5.0 — which includes all of 1.x and 2.x and the early 3.x releases — is vulnerable.
- CVE-2019-11358 — prototype pollution via jQuery.extend, fixed in jQuery 3.4.0.
This divergence — a maintained project with low EOL risk, but dangerous old versions in the wild — is the same blind spot we cover in the CVE blind spot: lifecycle status and CVE exposure are two different axes, and you have to check both.
jQuery UI & jQuery Mobile — The EOL Pieces
Unlike jQuery core, jQuery UI is genuinely end-of-life — endoflife.ai dates it to August 5, 2024, and it carries an EOL Risk Score™ of 55 (Elevated). The widget library (datepickers, dialogs, autocomplete, sortable, etc.) is no longer developed and receives no fixes. If your app leans on jQuery UI, that is a real, scored end-of-life dependency sitting inside an otherwise-maintained jQuery stack — and it's the piece to plan to move off first.
jQuery Mobile went further still: the project was archived and deprecated years ago and should not be used in anything new or maintained. There is no supported version.
Replacements: for jQuery UI widgets, modern component libraries (or native HTML elements like <dialog> and <input type="date">) cover most use cases. For jQuery Mobile, a current responsive framework is the path forward.
How to Fix It — jQuery Migrate & Upgrade
The good news: getting current with jQuery is one of the easier framework migrations, because backward compatibility is a core jQuery value and the team ships a dedicated tool to ease it.
1. Find out which jQuery version you actually ship
   Check your bundle, not your intentions — old versions hide in vendored files, CMS themes, and third-party widgets. In the console, jQuery.fn.jquery prints the loaded version. Anything below 3.5.0 is a priority.

2. Add jQuery Migrate
   The official jQuery Migrate plugin restores removed/deprecated APIs and logs every deprecation your code hits — turning a scary upgrade into a checklist generated from your real usage. Use it as a temporary bridge, not a permanent dependency.

3. Upgrade to current jQuery 3.x (3.7.1)
   For most sites, moving from 1.x/2.x to the latest 3.x is the right step — it closes the known XSS CVEs and is the most compatible target. Work through the Migrate warnings, replace deprecated calls, and test.

4. Replace jQuery UI and jQuery Mobile
   These won't be fixed by a core upgrade — they're separately end-of-life. Swap jQuery UI widgets for maintained components or native HTML controls, and migrate off jQuery Mobile entirely. Tackle these as their own work items.

5. Consider whether you still need jQuery at all
   Much of what jQuery was indispensable for — selectors, fetch, DOM manipulation — is now native (querySelectorAll, fetch, classList). For new code, you may not need it; for existing code, staying on a current, patched jQuery is perfectly fine. The goal is "patched," not necessarily "removed."
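The version check from the first step, applied to vendored files and mapped to the fix releases listed in the CVE section above. This is an added example, not code from the jQuery project or this site: the function names and sample file contents are constructed, and it assumes each jQuery file still carries its leading version banner comment.

```javascript
// Fix releases as stated on this page; everything else here is illustrative.
const FIXES = [
  { cve: "CVE-2019-11358", fixedIn: [3, 4, 0] }, // prototype pollution via jQuery.extend
  { cve: "CVE-2020-11022", fixedIn: [3, 5, 0] }, // XSS in HTML manipulation
  { cve: "CVE-2020-11023", fixedIn: [3, 5, 0] }, // XSS in HTML manipulation
];

// Accepts jQuery.fn.jquery output, including slim-build strings like "3.3.1 -ajax,...".
function parseVersion(text) {
  const m = /^\s*v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(text));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Numeric comparison, so 1.12.4 sorts after 1.9.1 (string comparison would not).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function assess(versionText) {
  const v = parseVersion(versionText);
  if (!v) return null;
  const cves = FIXES.filter((f) => isOlder(v, f.fixedIn)).map((f) => f.cve);
  // 3.x and 4.x are the maintained lines per the table above.
  return { version: v.join("."), maintainedLine: v[0] >= 3, cves, priority: cves.length > 0 };
}

// Reads the banner in the file's leading comment. jQuery UI and jQuery Migrate
// use differently worded banners and are deliberately not matched here.
function versionFromSource(source) {
  const m = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/.exec(source.slice(0, 2048));
  return m ? m[1] : null;
}

function auditFiles(files) {
  return Object.entries(files).flatMap(([path, source]) => {
    const result = assess(versionFromSource(source));
    return result ? [{ path, ...result }] : [];
  });
}

// Constructed sample inputs: path -> first bytes of the file.
const SAMPLE_FILES = {
  "theme/js/jquery.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}",
  "vendor/widget/jquery.js": "/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/\n */\n",
  "static/jquery-3.7.1.min.js": "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n",
  "static/app.js": "console.log('no banner here');",
};
console.log(auditFiles(SAMPLE_FILES));
```

A file whose banner was stripped by a bundler will not be reported, so treat an empty result as "not found", not "not present".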
Extended Support for Stranded Apps
Some legacy applications are pinned to jQuery 1.x or 2.x by old plugins, ancient browser requirements, or a sprawling codebase that makes even the gentle jQuery upgrade a real project. While that work is scheduled, those apps keep serving a jQuery with known XSS vulnerabilities to every visitor.
Extended support and security-patched builds exist for exactly this situation — keeping a stranded jQuery (or jQuery UI) deployment patched against newly disclosed issues while you plan the move to a current version. It's a bridge to buy safe time, not a substitute for getting to jQuery 3.7.1 or 4.x. Compare the options on our extended-support partners page.
Find out which jQuery version your site actually serves
jQuery is one dependency among many. Scan your whole front-end for EOL and vulnerable versions — free, no signup required.