diff --git a/jquery-1.12.4.tar.gz b/jquery-1.12.4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..5f2c88c328ff16d3d716134521501d7bc945a075
Binary files /dev/null and b/jquery-1.12.4.tar.gz differ
diff --git a/js-jquery1-disable-gzip-js.patch b/js-jquery1-disable-gzip-js.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9bf8ecdf24c6292e9edbebe01c834b4364eb4389
--- /dev/null
+++ b/js-jquery1-disable-gzip-js.patch
@@ -0,0 +1,11 @@
+diff --git a/Gruntfile.js b/Gruntfile.js
+--- a/Gruntfile.js
++++ b/Gruntfile.js
+@@ -13,7 +13,6 @@ module.exports = function( grunt ) {
+
+ var fs = require( "fs" ),
+ stripJSONComments = require( "strip-json-comments" ),
+- gzip = require( "gzip-js" ),
+ srcHintOptions = readOptionalJSON( "src/.jshintrc" ),
+ newNode = !/^v0/.test( process.version ),
+
diff --git a/js-jquery1.spec b/js-jquery1.spec
new file mode 100644
index 0000000000000000000000000000000000000000..bb9ca59f143f53933c5700c9916f4a2896bd4740
--- /dev/null
+++ b/js-jquery1.spec
@@ -0,0 +1,60 @@
+Name: js-jquery1
+Version: 1.12.4
+Release: 7
+Summary: JavaScript DOM manipulation, event handling, and AJAX library
+License: MIT
+URL: https://jquery.com/
+Source0: https://github.com/jquery/jquery/archive/%{version}/jquery-%{version}.tar.gz
+
+# disable gzip-js during build
+Patch1: js-jquery1-disable-gzip-js.patch
+# backport of XSS bug fix from upstream
+Patch2: xss-fix-b078a62.patch
+
+BuildArch: noarch
+
+BuildRequires: web-assets-devel nodejs-packaging js-sizzle-static nodejs-grunt >= 0.4.4-3
+BuildRequires: npm(shelljs) npm(grunt-cli) npm(grunt-contrib-uglify) npm(load-grunt-tasks)
+BuildRequires: npm(requirejs) nodejs-strip-json-comments
+
+Requires: web-assets-filesystem
+
+Provides: jquery = %{version}-%{release}
+Provides: js-jquery1-static = %{version}-%{release}
+
+%description
+jQuery is a fast, small, and feature-rich JavaScript library. It makes things
+like HTML document traversal and manipulation, event handling, animation, and
+Ajax much simpler with an easy-to-use API that works across a multitude of
+browsers. With a combination of versatility and extensibility, jQuery has
+changed the way that millions of people write JavaScript.
+
+%prep
+%autosetup -p1 -n jquery-1.12.4
+
+rm -rf dist/* src/sizzle
+
+install -Dp %{_jsdir}/sizzle/latest/sizzle.js src/sizzle/dist/sizzle.js
+
+%build
+%nodejs_symlink_deps --build
+grunt -v 'build:*:*' uglify
+
+%install
+install -d %{buildroot}%{_jsdir}/jquery/%{version}
+cp -p dist/* %{buildroot}%{_jsdir}/jquery/%{version}
+
+install -d %{buildroot}%{_webassetdir}
+ln -s ../javascript/jquery %{buildroot}%{_webassetdir}/jquery
+
+ln -s %{version} %{buildroot}%{_jsdir}/jquery/1
+ln -s %{version} %{buildroot}%{_jsdir}/jquery/1.12
+
+%files
+%{_jsdir}/jquery
+%{_webassetdir}/jquery
+%doc AUTHORS.txt CONTRIBUTING.md LICENSE.txt README.md
+
+%changelog
+* Wed Mar 11 2020 dingyiming - 1.12.4-7
+- initial package
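Review bot: The comment above `Patch2` says only "backport of XSS bug fix from upstream", which does not let a later maintainer trace the fix back to its origin. I would write it as `# Upstream commit b078a62 (gh-2432, gh-2588): "Ajax: Mitigate possible XSS vulnerability"`, taking the ids from the patch's own header. The spec also has no `%check` section, so the cases the patch adds to test/unit/ajax.js are never run at build time; if running them in the build root is impractical, a one-line comment saying so next to `Patch2` would record that as a decision. Because `Version` is pinned to 1.12.4 and fixes arrive only as `PatchN` entries, a short comment listing which upstream security advisories have been assessed for this branch would help the next audit.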
diff --git a/xss-fix-b078a62.patch b/xss-fix-b078a62.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f730c1665114abe819d6cebaf4d1a0bdd8b7cb2
--- /dev/null
+++ b/xss-fix-b078a62.patch
@@ -0,0 +1,91 @@
+From b078a62013782c7424a4a61a240c23c4c0b42614 Mon Sep 17 00:00:00 2001
+From: Oleg Gaidarenko
+Date: Thu, 10 Sep 2015 13:40:00 +0300
+Subject: [PATCH] Ajax: Mitigate possible XSS vulnerability
+
+Proposed by @jaubourg
+
+Fixes gh-2432
+Closes gh-2588
+---
+ src/ajax/script.js | 7 +++++++
+ test/unit/ajax.js | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 0 deletion(-)
+
+diff --git a/src/ajax/script.js b/src/ajax/script.js
+index 60b1fb6..0ec27b4 100644
+--- a/src/ajax/script.js
++++ b/src/ajax/script.js
+@@ -4,6 +4,13 @@ define( [
+ "../ajax"
+ ], function( jQuery, document ) {
+
++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
++jQuery.ajaxPrefilter( function( s ) {
++ if ( s.crossDomain ) {
++ s.contents.script = false;
++ }
++} );
++
+ // Install script dataType
+ jQuery.ajaxSetup( {
+ accepts: {
+diff --git a/test/unit/ajax.js b/test/unit/ajax.js
+index 14fe0be..6479587 100644
+--- a/test/unit/ajax.js
++++ b/test/unit/ajax.js
+@@ -71,6 +71,54 @@ QUnit.module( "ajax", {
+ };
+ } );
+
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
++ ajaxTest( "jQuery.ajax() - execute js for crossOrigin when dataType option is provided", 3,
++ function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ options.dataType = "script";
++ return jQuery.ajax( url( "data/script.php?header=ecma" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ }
++ );
++
++ ajaxTest( "jQuery.ajax() - do not execute js (crossOrigin)", 2, function( assert ) {
++ return {
++ create: function( options ) {
++ options.crossDomain = true;
++ return jQuery.ajax( url( "data/script.php" ), options );
++ },
++ success: function() {
++ assert.ok( true, "success" );
++ },
++ complete: function() {
++ assert.ok( true, "complete" );
++ }
++ };
++ } );
++
+ ajaxTest( "jQuery.ajax() - success callbacks (late binding)", 8, function( assert ) {
+ return {
+ setup: addGlobalEvents( "ajaxStart ajaxStop ajaxSend ajaxComplete ajaxSuccess", assert ),
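Review bot: The comment on the new prefilter in src/ajax/script.js states a wider guarantee than the code provides, because `s.contents.script = false` runs only inside `if ( s.crossDomain )`. A same-origin response is therefore untouched by this prefilter, and the second added test shows that an explicit `dataType = "script"` still executes cross-domain. As this is a verbatim upstream backport I would leave the code as is and record the scope where packagers will read it, e.g. `# covers cross-domain requests without an explicit dataType only` beside the patch entry. In test/unit/ajax.js the first and third added `ajaxTest` cases share the name "jQuery.ajax() - do not execute js (crossOrigin)", and they appear to detect execution only through the expected-assertion counts (2, 3, 2); distinct names and a one-line comment on what the counts mean would make a regression easier to read. Both inner hunks show only part of their enclosing callbacks.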