ASP.NET WebForms still loads old jQuery from ScriptResource.axd after upgrading to jQuery 3.7.1

Hi @Akshita Dangi ,

Thanks for posting in Microsoft Q&A Forum. I will try to address your question one by one

1. Why does ScriptResource.axd still get requested after ScriptResourceMapping?

ScriptResource.axd serves multiple embedded scripts, not just jQuery. Your ScriptResourceMapping only overrides scripts explicitly mapped. Third-party controls (Ajax Control Toolkit, Telerik, etc.) and other ASP.NET framework scripts still use ScriptResource.axd independently of your mapping.

Important: Scripts in WebForms are bundled, minified, and served through ScriptResource.axd—they're not loaded directly as separate files.

2. Does ScriptResource.axd mean old jQuery is still executing?

Not necessarily. ScriptResource.axd serves various ASP.NET framework scripts (MicrosoftAjax.js, validators, etc.), not just jQuery. The presence of ScriptResource.axd doesn't automatically mean old jQuery is running—you need to check what's actually executed in the browser.

3. Can you completely remove the framework-embedded jQuery?

No, not fully. WebForms itself doesn't include jQuery—it predates jQuery. The jQuery comes from Ajax Control Toolkit or other third-party controls. If you're using Ajax Control Toolkit:

• Check your ACT version - Microsoft abandoned it before abandoning WebForms. DevExpress maintained it until 2020, then also abandoned it.
• Upgrade ACT first - Try upgrading to the 2020 version before upgrading jQuery, as older versions may not be compatible with newer jQuery.
• Consider compatibility - Older ACT versions may not work with jQuery 3.7.1.

For ASP.NET 4.5+: Use the AspNet.ScriptManager.jQuery NuGet package (version 3.7.1) which properly integrates jQuery 3.7.1 with ScriptManager.

4. Is old jQuery in ScriptResource.axd a security risk if jQuery 3.7.1 is active?

If the old jQuery is loaded but not executed, the risk is minimal. The vulnerability exists only if the old version actually runs in the browser. If your page uses jQuery 3.7.1 at runtime, you're protected.

However: If your security team flagged this, they may be questioning why you're still using WebForms, which is legacy technology that Microsoft has abandoned.

5. How to demonstrate the application uses the updated jQuery?

In Browser Console:

console.log(jQuery.fn.jquery);  // Shows active jQuery version

In Network Tab:

• Inspect all loaded scripts
• Verify your jQuery 3.7.1 loads and executes
• Check the response content of ScriptResource.axd to see what it actually contains

For Security Audit:

Document that the runtime version is 3.7.1 with console screenshots, and explain that ScriptResource.axd bundles framework scripts but doesn't mean old jQuery executes.

Hope this helps. If you need any help, let me know.

I suggest you consider use of the script mapping to the ScriptManager. A use of ScriptResource.axd can be avoided.

Starting with ASP.NET 4.5, for server controls that use client scripts to function correctly, it is recommended to register the necessary client scripts with ScriptManager and deploy ScriptManager on all pages.

When you create the ASP.NET Web Forms app in the Web Application Project format using the template of Visual Studio, the script files for Microsoft Ajax and WebForms are stored in the application's Scripts folder and downloaded from there via ScriptManager. (Previously, they were downloaded from the server control's resources using handlers called WebResource.axd and ScriptResource.axd.)

Furthermore, in addition to Microsoft Ajax and WebForms scripts, scripts such as jQuery and Bootstrap can be integrated with ScriptManager.

For more details, please see the MSDN Blog article ASP.NET 4.5 ScriptManager Improvements in WebForms.

Below is the BundleConfig.cs and ScriptManager of the project created when the template of ASP.NET Web Forms project in the Visual Studio 2026 is used:

BundleConfig.cs in App_Start folder

Note that jQuery is upgraded to v3.7.1 (default is v3.7.0).

using System.Web.Optimization;
using System.Web.UI;

namespace WebForms1
{
    public class BundleConfig
    {
        public static void RegisterBundles(BundleCollection bundles)
        {
            RegisterJQueryScriptManager();

            bundles.Add(new ScriptBundle("~/bundles/WebFormsJs").Include(
                            "~/Scripts/WebForms/WebForms.js",
                            "~/Scripts/WebForms/WebUIValidation.js",
                            "~/Scripts/WebForms/MenuStandards.js",
                            "~/Scripts/WebForms/Focus.js",
                            "~/Scripts/WebForms/GridView.js",
                            "~/Scripts/WebForms/DetailsView.js",
                            "~/Scripts/WebForms/TreeView.js",
                            "~/Scripts/WebForms/WebParts.js"));

            bundles.Add(new ScriptBundle("~/bundles/MsAjaxJs").Include(
                    "~/Scripts/WebForms/MsAjax/MicrosoftAjax.js",
                    "~/Scripts/WebForms/MsAjax/MicrosoftAjaxApplicationServices.js",
                    "~/Scripts/WebForms/MsAjax/MicrosoftAjaxTimer.js",
                    "~/Scripts/WebForms/MsAjax/MicrosoftAjaxWebForms.js"));

            bundles.Add(new ScriptBundle("~/bundles/modernizr").Include(
                            "~/Scripts/modernizr-*"));
        }

        public static void RegisterJQueryScriptManager()
        {
            ScriptManager.ScriptResourceMapping.AddDefinition("jquery",
                new ScriptResourceDefinition
                {
                    Path = "~/scripts/jquery-3.7.1.min.js",
                    DebugPath = "~/scripts/jquery-3.7.1.js",
                    CdnPath = "https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.7.1.min.js",
                    CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.7.1.js"
                });
        }
    }
}

ScriptManager in Site.Master

<asp:ScriptManager runat="server">
    <Scripts>
        <%--To learn more about bundling scripts in ScriptManager see https://go.microsoft.com/fwlink/?LinkID=301884 --%>
        <%--Framework Scripts--%>
        <asp:ScriptReference Name="MsAjaxBundle" />
        <asp:ScriptReference Name="jquery" />
        <asp:ScriptReference Name="WebForms.js" Assembly="System.Web" Path="~/Scripts/WebForms/WebForms.js" />
        <asp:ScriptReference Name="WebUIValidation.js" Assembly="System.Web" Path="~/Scripts/WebForms/WebUIValidation.js" />
        <asp:ScriptReference Name="MenuStandards.js" Assembly="System.Web" Path="~/Scripts/WebForms/MenuStandards.js" />
        <asp:ScriptReference Name="GridView.js" Assembly="System.Web" Path="~/Scripts/WebForms/GridView.js" />
        <asp:ScriptReference Name="DetailsView.js" Assembly="System.Web" Path="~/Scripts/WebForms/DetailsView.js" />
        <asp:ScriptReference Name="TreeView.js" Assembly="System.Web" Path="~/Scripts/WebForms/TreeView.js" />
        <asp:ScriptReference Name="WebParts.js" Assembly="System.Web" Path="~/Scripts/WebForms/WebParts.js" />
        <asp:ScriptReference Name="Focus.js" Assembly="System.Web" Path="~/Scripts/WebForms/Focus.js" />
        <asp:ScriptReference Name="WebFormsBundle" />
        <%--Site Scripts--%>
    </Scripts>
</asp:ScriptManager>

The resultant html source:

<script src="/bundles/MsAjaxJs?v=D6VN0fHlwFSIWjbVzi6mZyE9Ls-4LNrSSYVGRU46XF81" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
if (typeof(Sys) === 'undefined') throw new Error('ASP.NET Ajax crient framework not loaded');
//]]>
</script>

<script src="scripts/jquery-3.7.1.js" type="text/javascript"></script>
<script src="/bundles/WebFormsJs?v=N8tymL9KraMLGAMFuPycfH3pXe6uUlRXdhtYv8A_jUU1" type="text/javascript"></script>

The presence of ScriptResource.axd in your application indicates that it is still being used to serve scripts, which may include older versions of jQuery. Here are the answers to your questions:

1. Why does ScriptResource.axd still get requested even after overriding jQuery using ScriptResourceMapping?
   The ScriptResource.axd handler is part of the ASP.NET framework that serves embedded scripts. If there are any ASP.NET controls or components in your application that depend on the older jQuery version, they may still reference it, causing the request to ScriptResource.axd to occur.
2. Does the presence of ScriptResource.axd mean that the old jQuery version is still being executed, or is it only serving other ASP.NET WebForms scripts?
   The ScriptResource.axd may serve other ASP.NET scripts and not necessarily the old jQuery version if your application is configured to use the updated version. However, if any components are still referencing the old version, it could still be executed.
3. Is it possible (or supported) to completely remove or disable the framework-embedded jQuery from ScriptResource.axd in an ASP.NET WebForms application?
   While you can override the jQuery version using ScriptResourceMapping, completely removing the framework-embedded jQuery from ScriptResource.axd is not typically supported. You should ensure that all components in your application are updated to use the new version to avoid any references to the old version.
4. From a security perspective, does the presence of an older jQuery inside ScriptResource.axd pose a vulnerability if the active runtime version is jQuery 3.7.1?
   If your application is actively using jQuery 3.7.1 and not referencing the older version, it should not pose a security risk. However, if any part of your application inadvertently uses the older version, it could expose vulnerabilities present in that version.
5. What is the recommended and supported way to demonstrate that the application is actually using the updated jQuery version and that the ScriptResource.axd request is not a security risk?
   You can use browser developer tools to inspect the loaded scripts and confirm that jQuery 3.7.1 is being executed. Additionally, ensure that all components and scripts in your application are updated to reference the new version, and conduct security assessments to verify that no vulnerabilities are present in the active scripts.

By following these steps, you can ensure that your application is secure and using the correct version of jQuery.