Is jQuery Safe?

Today I saw an interesting question posted on the jQuery support group asking if jQuery is virus & trojan free. I found it a bit of a strange question considering that:

  • The jQuery Project has been alive and growing for 3 years
  • The library itself is basically text

I have heard of occasions where Norton AV would throw false positive alerts on packer or minified versions of jQuery, but that’s Norton’s fault for bad heuristics. So I wanted to address it here.

The jQuery downloads are basically text files that we manage. We have a tremendous number of users downloading and leveraging jQuery from our sites daily so the likelihood that we’d know something was up is VERY good. In addition, a ton of well-known companies are using jQuery and it’s a pretty good indication that everything is cool when you see who is using it:

http://docs.jquery.com/Sites_Using_jQuery

If you’re concerned about downloading it from our site or using the Google hosted version, we provide the code so that you can create your own copy of it. This gives you the best level of control over the build process:

http://docs.jquery.com/Downloading_jQuery#Subversion_.28SVN.29

Now, is it possible that someone is offering up a bad version of jQuery? Sure, and that can be the case for Prototype, MooTools, Dojo or any other popular framework. We obviously can’t control what someone else does, only what *we* can provide via our site.

With that said, please only download jQuery from the official site or use the version hosted on Google’s CDN. Here are the official site links:

http://jquery.com/
http://code.google.com/p/jqueryjs/
http://jqueryui.com/ (for the jQuery UI library)
http://code.google.com/apis/ajaxlibs/

Downloading jQuery from any site other than the ones listed above is not recommended as we can’t ensure the validity of the code. And if you do find a version of jQuery that is doing some “evil”, please let us know so we can advise the jQuery community.

We want you to enjoy your experience with jQuery and provide the best option available for your usage.

Rey Bango

3 Comments

  1. The question makes sense and is a responsible one. Kudos for the question; it should be part of considerations, and knowing you and the other jQuery community leaders, it seems like that is well in hand. IMO the only thing viral with jQuery is the popularity it receives as people use it more and more. The more it gets used, the more viral promoters become. :)

  2. Avira identifies jquery-1.3.2-min.js (downloaded from google code) as a JS Trojan Downloader Agent. They’ve been informed to analyze it and update their virus definitions an hour ago.

    • Cool. It’s not the first time this has cropped up and it always turns out to be a false positive.
