fix(deps): update dependency bootstrap to v5 [security] #34896
This PR contains the following updates:
- bootstrap: 4.0.0 -> 5.0.0
GitHub Vulnerability Alerts
CVE-2018-14041
In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
CVE-2019-8331
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
For bootstrap 4.x upgrade to 4.3.1 or later. For bootstrap 3.x upgrade to 3.4.1 or later.
CVE-2018-14040
In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.
CVE-2018-14042
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
CVE-2024-6531
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
Release Notes
twbs/bootstrap (bootstrap)
v5.0.0
Highlights
- #32155: Updated make-col() mixin to generate equal columns when no size is specified
- #32763: Added new color-scheme() mixin
- #33389: Dropdown menus now have an option to become clickable
- #33453: Added new docs footer
- #33548: Offcanvas header components are now vertically aligned
- #33549: Added offcanvas-top modifier
- #33634: Added support for .dropdown-items wrapped in <li>s
- #33626: Fix v5 regressions in tab dropdown functionality
🚀 Features
- color-scheme mixin
🎨 CSS
- color-scheme mixin
- .nav-link color consistent when using buttons
- :read-only css selector instead of [readonly] for consistency
- border-top on Firefox
☕️ JavaScript
- hide method of dropdown
- isDisabled util on dropdown
- noop function
- selectMenuItem method private
- .dropdown-item wrapped in <li> tags
- altBoundary option
📖 Docs
- rel=noopener attribute
- boundary option
- boundary option
- boundary option description
Examples
🌎 Accessibility
🏭 Tests
- data-bs-backdrop="static" from modal tests
🧰 Misc
📦 Dependencies
v4.6.2
Highlights
- Replaced color-adjust with print-color-adjust in our Sass files as part of the Autoprefixer v10.4.6 issues. This should quiet the issues folks have seen from that dependency change. If you're using our distribution CSS files, like bootstrap.min.css, you may still see the warning.
- small and .small now compute to a whole pixel value (was 12.8px and now is 14px).
- role attributes.
What's Changed
- Replaced color-adjust with print-color-adjust by @AdrianCurtin in https://github.com/twbs/bootstrap/pull/36283
- role="group" from some split drop* buttons by @julien-deramond in https://github.com/twbs/bootstrap/pull/36254
- accessibility.md by @patrickhlauke in https://github.com/twbs/bootstrap/pull/36492
New Contributors
Full Changelog: twbs/bootstrap@v4.6.1...v4.6.2
v4.6.1
What's changed
- divide() function by @mdo in https://github.com/twbs/bootstrap/pull/34571
- moz-focusring by @kremit in https://github.com/twbs/bootstrap/pull/32821
- SAFE_URL_PATTERN regex for use with test method of regexes by @nikonthethird in https://github.com/twbs/bootstrap/pull/33153
- sms in the SAFE_URL_PATTERN for sanitizer by @XhmikosR in https://github.com/twbs/bootstrap/pull/35074
- select.form-control by @mdo in https://github.com/twbs/bootstrap/pull/33206
- add() & subtract() by @ffoodd in https://github.com/twbs/bootstrap/pull/34047
- add() and subtract() by @ffoodd in https://github.com/twbs/bootstrap/pull/34432
- aria-haspopup from dropdowns by @patrickhlauke in https://github.com/twbs/bootstrap/pull/33624
- .dropdown-item wrapped in <li> tags by @cpsievert in https://github.com/twbs/bootstrap/pull/33649
- vertical-align in spinners by @XhmikosR in https://github.com/twbs/bootstrap/pull/33807
- 0.x with negative margins in utilities by @k-utsumi in https://github.com/twbs/bootstrap/pull/33593
- thead rule by @coliff in https://github.com/twbs/bootstrap/pull/34426
- show event disabling modals with fade class from being displayed again by @alpadev in https://github.com/twbs/bootstrap/pull/34087
Full changelog: twbs/bootstrap@v4.6.0...v4.6.1
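Two of the v4.6.1 notes above concern the template sanitizer that Bootstrap 4.3.1 introduced in response to CVE-2019-8331 (listed under the vulnerability alerts): the SAFE_URL_PATTERN regex being made usable with RegExp's test method, and the sms scheme being added to it. The following is an added example, not Bootstrap's code, written to show what such a check has to get right: an allowlist of URL schemes for URL-valued attributes such as href and src, the normalisation a browser applies before it reads a scheme (so a tab inside "javascript:" does not make the value look relative), and the RegExp "g"-flag pitfall under which test() returns different answers for the same input (it is an assumption here that this pitfall is the class of issue the #33153 note refers to). The scheme list, pattern, function names and sample attribute values are all constructed for this example.

```javascript
'use strict';

// Added example (not Bootstrap's code): an allowlist check for URL-valued
// attributes such as href/src, of the kind a template sanitizer applies to
// tooltip and popover content, plus the RegExp "g"-flag pitfall.

// Constructed scheme allowlist; relative URLs (no scheme) are also allowed.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'ftp', 'tel', 'file', 'sms'];

// A URL string carries an explicit scheme if it starts with "<scheme>:".
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;
const ALLOWED_SCHEME = new RegExp(`^(?:${ALLOWED_SCHEMES.join('|')}):`, 'i');

// Normalise as a browser's URL parser does before it reads the scheme:
// ASCII tab/newline are dropped anywhere, leading and trailing C0 controls
// and spaces are trimmed. Without this, "java\tscript:" looks like a
// relative URL to a naive check but is still a javascript: URL to the browser.
function normalizeUrl(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// True for relative URLs and for absolute URLs whose scheme is allowlisted.
function isSafeUrl(value) {
  const url = normalizeUrl(value);
  return !HAS_SCHEME.test(url) || ALLOWED_SCHEME.test(url);
}

// Given a map of attribute name -> value, return the names whose values fail
// the check; a sanitizer would strip these before inserting the template.
function unsafeUrlAttributes(attrs) {
  return Object.keys(attrs).filter((name) => !isSafeUrl(attrs[name]));
}

// The pitfall: RegExp.prototype.test on a regex with the "g" flag advances
// lastIndex after a match and only resets it on a miss, so two calls on the
// same string disagree. The same pattern without "g" is stateless.
const STATEFUL_PATTERN = /^(?:https?|mailto|ftp|tel|file|sms):/gi;
const STATELESS_PATTERN = /^(?:https?|mailto|ftp|tel|file|sms):/i;

function testTwice(pattern, input) {
  pattern.lastIndex = 0; // start from a clean state for the demonstration
  return [pattern.test(input), pattern.test(input)];
}

// Constructed sample attribute values for a popover template.
const SAMPLE_ATTRS = {
  href: 'https://example.com/docs',
  src: '/img/avatar.png',
  'data-link': 'java\tscript:void(0)',
};

console.log('stateful :', testTwice(STATEFUL_PATTERN, 'https://example.com'));
console.log('stateless:', testTwice(STATELESS_PATTERN, 'https://example.com'));
console.log('stripped :', unsafeUrlAttributes(SAMPLE_ATTRS));
```

Run with node: the stateful pattern reports [true, false] for the same allowed URL, the stateless one [true, true], and only the data-link attribute is reported for stripping. The check is deliberately conservative: anything with an unrecognised scheme is rejected rather than guessed at, and normalisation happens before the regex runs, not after.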
v4.6.0
Highlights
- customClass option.
- .navbar-nav-scroll class for scrolling expanded navbar contents on mobile devices.
- prefers-reduced-motion is enabled.
- background-color of .dropdown-item for improved hover state contrast, and lightened the disabled .dropdown-item color.
CSS
- .navbar-nav-scroll for vertical scrolling of navbar content
- outline:0 rather than outline:none; backport of #32751
- $gray-500
JS
- customClass option
- js/src/index.js one folder up
- config.keyboard is false
Docs
- bugreport.apple.com since it doesn't work.
- visually-hidden
- loading=lazy from snippets
- .text-left in Layout / Overview
- :focus, not just :hover
- data-touch="false" example in the carousel docs
- role="button" from CTA links in carousel example
- .show applied
- .has-validation for input groups with validation
- $enable-shadows option in our docs; backport of #32685
Examples
- title
Misc
- version_short variable under the config object; backport of #32737
v4.5.3
CSS
- escape-svg function to note that data URIs must be quoted.
- custom-control shadow variable instead of the generic input-focus-box-shadow.
- th styling in Reboot, custom form field styling when printing, and improvements to .text-break.
- th updates: Inherit font-weight: bold that comes from user agent stylesheets.
- .text-break changes to drop overflow-wrap and use word-wrap once again.
- .close buttons in dismissible .alerts.
JS
- hidePrevented.bs.modal can be prevented.
- $dropdown-padding-x variable from v5.
Docs
- dispose method more appropriately.
- to and nextwhenvisible methods.
Misc
v4.5.2
This release addresses the following two issues:
- make-container-max-widths mixin. We won't be using the mixin ourselves, but it will remain in the codebase for the rest of v4 with today's release. We've added a deprecation notice as well.
- flex: 1 0 100% from .rows. This was added to address shrinking rows inside the navbar component after our responsive containers were added in v4.4.0. Removing this rolls us back to the expected grid and flex behavior—your row will shrink unfortunately without further changes. We could add extra custom CSS to address this, but it seems shortsighted to rush into that. Instead, apply .flex-fill to the .row and your row will behave as usual.
v4.5.1
CSS
- list-group borders in cards
- z-index to .custom-check to fix their rendering in CSS columns
- border-radius to .card-img-overlay
- word-break: break-word; on .text-break utility.
- .row from shrinking in flex containers
- box-shadow
- min-width: 0 on .col due to unforeseen side effects
- backdrop-filter from docs subnav and toasts
- overflow: hidden from toasts
JavaScript
- role="dialog" in modals via JavaScript
Build
Docs
- extend/icons.md page
- .nav-item from .nav-link to be more consistent
v4.5.0
Highlights
- user-select with the new utilities and Sass map.
- role="button" selector in Reboot to set cursor: pointer on non-<button> element buttons.
- bg-gradient-variant mixin as it's being removed in v5.
CSS
- display: flex on .breadcrumb-item
- .btn cursor
- .btn-link
- pre is present by setting min-width: 0
- word-wrap in .text-break for IE and Edge compatibility
- border-radius functions returning negative values
- $enable-transition: false transition: none in transition() mixin
- spinner-grow animation in Safari
- .card-footer color
- box-shadow mixin for .form-select, .btn, and other form controls
- user-select and a new role="button" in Reboot to set cursor: pointer.
- appearance: none from button.close
- bg-gradient-variant mixin
- $grid-columns > 0
- $grid-breakpoints map list to remove all breakpoints
JavaScript
- keyboard=true & backdrop=static
- srcset in the allowed attributes
- totype always return stringified null when null passed
Docs
- loading="lazy" for images
- make-container() mixin
- data-target usage and more
- role="document" from the modal dialog
Examples
Dependencies
v4.4.1
v4.4.0
Highlights
Here's what you need to know about v4.4.0. Remember that with every minor and major release of Bootstrap, we ship a new URL for our hosted docs to ensure URLs continue to work.
- New responsive containers! Over a year in the making, fluid up to a particular breakpoint, available for all responsive tiers.
- .row-cols classes for quickly specifying the number of columns across breakpoints. This one is huge for those of you who have asked for responsive card decks.
- escape-svg() function for simplifying our embedded background-image SVGs for forms and more.
- add() and subtract() functions for avoiding errors and zero values from CSS's built-in calc feature.
- make-col-auto() mixin to make our .col-auto class available with custom HTML.
- :disabled styles by moving selectors to [disabled].
- bg-variant(), nav-divider(), and form-control-focus() mixins are now deprecated as they're going away in v5.
- :invalid validation icon to be an alert instead of an × to avoid confusion with browser functionality for clearing the form field value.
Links
v4.3.1
v4.3.0
Highlights
- .stretched-link utility to make any anchor the size of its nearest position: relative parent, perfect for entirely clickable cards!
- .text-break utility for applying word-break: break-word.
- .rounded-sm and .rounded-lg for small and large border-radius.
- .modal-dialog-scrollable modifier class for scrolling content within a modal.
- .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.