bootstrap.min.js 3.4 at EOL and vulnerabilities

[fred-hartman]

We are running Superset 4.0.1, but I have looked at superset-frontend/package-lock.json and change logs for 4.0.2 and 4.1.0rc1 and the releases are still pinned at "bootstrap": "^3.4.1",

There are multiple vulnerabilities in the v3.4.1 release of bootstrap and it is also flagged as a dead branch, meaning we are getting pushback on Superset remaining in use unless there is a detailed understanding and mitigations of each vulnerability.
https://security.snyk.io/package/npm/bootstrap

Another path forward is buying https://www.herodevs.com/support/nes-bootstrap, which would require us to patch each Superset release and replace pieces which would introduce significant additional QA on every release, which is not viable.

I don't see any ticket or discussion about upgrading bootstrap to a release that gets security fixes or a review of the CVEs that would justify a risk acceptance or other mitigation options.

Did I miss it?

[fred-hartman]

I found merge 29844 into master that removes bootstrap altogether, but only removed two of the three references in the superset-frontend/package-lock.json. Is it planned to be fully removed?

[dosubot[bot]]

Hey @fred-hartman, I'm here to help you with any bugs or questions you have in the repository. Let me know how I can assist you!

There is no documented discussion or issue in the repository that addresses the security vulnerabilities associated with Bootstrap 3.4.1 ^[1]. Additionally, there is no detailed mitigation plan or risk assessment documented for these vulnerabilities ^[1].

However, there is an ongoing effort to replace Bootstrap with alternative libraries. The Superset codebase is considering or already using antd (version 4.10.3) and antd-v5 (npm:antd@^5.18.0) as replacements ^[1].

Regarding the merge 29844, it appears to be part of the effort to remove Bootstrap altogether. However, it seems that not all references to Bootstrap have been removed yet. It would be best to follow the progress of this merge and any related merges to see if the remaining references will be addressed.

This is a tough nut to crack, could really use your help on this, @rusackas.

To continue talking to Dosu, mention @dosu.

[rusackas]

@fred-hartman Yes, I would love to kill Bootstrap entirely, but there are a lot of things in the way:

• I believe there's a react-bootstrap-slider component (or something like that) and possibly others that bring in bootstrap as sub-dependency
• We're still not done moving ALL pages from FAB-generated views to the React Single Page App (SPA). We've migrated all the major ones, but there are still a few small ones (profile page, user list, actions log, probably a few others) that have not made the jump yet. Bootstrap is used by FAB, so those pages will require Bootstrap until they're phased out. That migration is not currently prioritized yet by anyone I'm aware of, so contributions are welcome.

I did indeed add a package.json override to bump it to 3.4.1, which fixed several vulnerabilities with even older 2.x variants in the mix. There is no Issue or discussion around it simply because nobody has brought it up. Non-Committers can't see the Dependabot reports, but I see two "medium" CVEs pertaining to Bootstrap that apply to both the latest 3.x (which we're now on) and the latest 4.x (which we can bump to, but it doesn't help much, I suppose). I can try bumping to 5.x, but that's a big leap and I'll bet something breaks unexpectedly.

If you want to give it a go at bumping to bootstrap 5, or any effort toward removing it, PRs would be warmly welcomed.