Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency bootstrap to v5 [SECURITY] #394

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 6, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
bootstrap (source) 4.3.1 -> 5.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-6531

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.


Release Notes

twbs/bootstrap (bootstrap)

v5.0.0

Compare Source

Highlights

#​32155: Updated make-col() mixin to generate equal columns when no size is specified
#​32763: Added new color-scheme() mixin
#​33389: Dropdown menus now have option become clickable
#​33453: Added new docs footer
#​33548: Offcanvas header components are now vertically aligned
#​33549: Added offcanvas-top modifier
#​33634: Added support for .dropdown-items wrapped in <li>s
#​33626: Fix v5 regressions in tab dropdown functionality

🚀 Features

  • #​32763: Add color-scheme mixin
  • #​33389: Dropdown — Add option to make the dropdown menu clickable
  • #​33549: Add offcanvas-top modifier

🎨 CSS

  • #​32155: Add equal column mixin
  • #​32763: Add color-scheme mixin
  • #​33292: Make accordion icon rotation more natural
  • #​33411: Fix validation feedback icon in select multiple
  • #​33478: Make .nav-link color consistent when using buttons
  • #​33482: Dropdown — Apply positioning only when Popper is not used
  • #​33548: Vertically align offcanvas header components
  • #​33549: Add offcanvas-top modifier
  • #​33550: Spinner alignment changes
  • #​33598: Hide validation icons from multiple selects
  • #​33600: Have $form-check-input-border's default derive from $black
  • #​33607: Reduce color-scheme complexity
  • #​33642: use :read-only css selector instead [readonly] for consistency
  • #​33658: fix: use list-group variable instead of alert
  • #​33736: accordion: fix border-top on Firefox

☕️ JavaScript

  • #​32439: Decouple BackDrop from modal
  • #​33245: Decouple Modal's scrollbar functionality
  • #​33249: Simplify Modal Config
  • #​33250: Simplify ScrollSpy config
  • #​33310: fix: make EventHandler better handle mouseenter/mouseleave events
  • #​33389: Dropdown — Add option to make the dropdown menu clickable
  • #​33429: Remove element event listeners through base component
  • #​33451: Add missing things in hide method of dropdown
  • #​33456: Use our isDisabled util on dropdown
  • #​33466: Refactor dropdown's hide functionality
  • #​33479: Fix dropdown escape propagation
  • #​33496: Use cached noop function
  • #​33497: Use template literals instead of concatenation
  • #​33499: Fix wrong carousel transformation, direction to order
  • #​33545: Use the backdrop util in offcanvas, enforcing consistency
  • #​33586: Tab.js: Fixes on click handling
  • #​33589: refactor: make static selectMenuItem method private
  • #​33612: tests: fix random BrowserStack failures in scrollbar
  • #​33626: Fix v5 regressions in tab dropdown functionality
  • #​33634: Dropdown: support .dropdown-item wrapped in <li> tags
  • #​33638: Fix toggle between modals example
  • #​33643: fix: clicking an item in navbar dropdown should not collapse the dropdown in firefox
  • #​33666: Modal.js: fix test for scrollbar
  • #​33677: Offcanvas.js: If scroll is allowed, should allow focus on other elements
  • #​33684: Don't change the value for altBoundary option
  • #​33706: Scrollbar: respect the initial body overflow value

📖 Docs

  • #​33446: Make offcanvas example fully static
  • #​33453: Add new docs footer
  • #​33521: The spacing margin side identifiers 's' and 'e' may be intuitive for …
  • #​33522: Clarify docs accordion example
  • #​33543: Update parcel.md
  • #​33553: Add example: Panels stay open
  • #​33567: Fixed wrong method name _getInstance
  • #​33571: footer: fix rel=noopener attribute
  • #​33583: docs: update clipboard.js to v2.0.8
  • #​33597: Docs: Fix wrong dark attribute in Table - Vertical Alignment
  • #​33632: Correct the heading for the States section
  • #​33638: Fix toggle between modals example
  • #​33664: Docs: fix W3C validation errors in list-group example
  • #​33668: Update anchor.js to v4.3.1.
  • #​33669: Change from preventOverflow to detectOverflow in boundary option
  • #​33675: Fix typo
  • #​33676: Fix Grid System docs
  • #​33685: docs: fix the default value of Popper's boundary option
  • #​33687: Fixes #​33686 typo in RTL docs
  • #​33690: Add Bootstrap Icons to alerts docs
  • #​33726: Replace modal and scrollspy placeholder content
  • #​33733: Tooltip/Popover — Minor doc updates
  • #​33735: Clarify boundary option description
  • #​33772: Improve overall new examples' accessibility
  • #​33782: Add new team members to the Teams page
  • #​33786: Docs: adding intro about web accessibility
  • #​33797: Update links to CCA, MQ5 prefers-reduced-motion, evergreen WCAG urls
  • #​33810: Tweak toast docs
  • #​33829: Update migration guide for some v5 changes
  • #​33832: Fix doc typo and Bootstrap Icons link
  • #​33833: refactor(docs): Added form file input variables
  • #​33834: Rewrite migration guide

Examples

  • #​33097: Update RTL examples
  • #​33759: fix: change margin breakpoints for bootstrap logo on double header
  • #​33681: Fixes signup form in Heroes example
  • #​33569: Improve responsiveness of Features examples

🌎 Accessibility

🏭 Tests

  • #​33578: Remove unnecessary data-bs-backdrop="static" from modal tests
  • #​33612: tests: fix random BrowserStack failures in scrollbar
  • #​33666: Modal.js: fix test for scrollbar
  • #​33734: Add missing test for clicking select option in a dropdown

🧰 Misc

📦 Dependencies

v4.6.2

Compare Source

Highlights

  • Added an example to our Collapse plugin docs to show how to use horizontal collapsing. This has long been possible via our JS, but we never had an official class to utilize it.
  • We've replaced the deprecated color-adjust with print-color-adjust in our Sass files as part of the Autoprefixer v10.4.6 issues. This should quiet the issues folks have seen from that dependency change. If you're using our distribution CSS files, like bootstrap.min.css, you may still see the warning.
  • Tweaked the size of small and .small to compute to a whole pixel value (was 12.8px and now is 14px).
  • Improved accessibility around our dropdowns, color contrast, and role attributes.
  • Fixed some broken links to supporting documentation.
  • Updated dependencies across the board.

What's Changed

New Contributors

Full Changelog: twbs/bootstrap@v4.6.1...v4.6.2

v4.6.1: 4.6.1

Compare Source

What's changed
Full changelog

twbs/bootstrap@v4.6.0...v4.6.1

v4.6.0

Compare Source

Highlights
  • Tooltips and popovers can have custom clases via customClass option.
  • Added new .navbar-nav-scroll class for scrolling expanded navbar contents on mobile devices.
  • For improved accessibiliy, spinners now slow down when prefers-reduced-motion is enabled.
  • v4.x docs are now built on Hugo for easier maintenance and backports from v5.x.
  • Darkened background-color of .dropdown-item for improved hover state contrast, and ligthened the disabled .dropdown-item color.
  • Improved alignment of form validation tooltips.
  • File inputs no longer extend beyond their containers.
CSS
  • #​31557: Fix form validation tooltip alignment
  • #​31657: Handle the Ubuntu sans-serif case
  • #​31700: Suppress flexbox side effects in breadcrumb
  • #​31882: Slow down spinners when prefers-reduced-motion
  • #​31886: Fixed: Undefined mixin "deprecate" when importing "bootstrap-grid-scss"
  • #​32141: Use correct value order
  • #​32145: Avoid invisible real file input "spilling" out of container
  • #​32160: Add overflow suppression to custom file label
  • #​32211: Move negative margin-bottom from .nav-item to .nav-link
  • #​32212: Remove needless Stylelint disables
  • #​32833: Add .navbar-nav-scroll for vertical scrolling of navbar content
  • Add two new variables for pagination border-radius values; backport of #​32423
  • Remove old/unnecessary reboot bug fix; backport of #​32631
  • Suppress focus outline for buttons when it shouldn't be visible in Chromium; backport of #​32689
  • Consistently use outline:0 rather than outline:none; backport of #​32751
  • Darken dropdown item hover style; backport of #​32754
  • Lighten disabled dropdown text to $gray-500
JS
  • #​31820: Check for data-interval on the first slide of carousel
  • #​31834/#​32225: tooltip/popover: add a customClass option
  • #​32001: Move js/src/index.js one folder up
  • #​32045: tests: fix sanitizer test
  • #​32220: Don't hide modal when config.keyboard is false
  • #​32312: build-plugins: switch to "bundled" for babel helpers
Docs
  • #​31861: Split up dropdown sizing docs to improve rendering
  • #​31892: Remove redundant visually hidden "(current)" from pagination controls
  • #​31893: manifest.json: Switch to relative URLs so that we don't need to change the path with every major/minor release
  • #​31898: switch to suggesting jsDelivr as a CDN
  • #​31904:
    • docs(forms): use a legend for fieldset instead of aria-label
    • docs(forms): fix incorrect legend nesting in fieldset
  • #​31936: forms: change inline custom radio name
  • #​31951: Update anchor-js to v4.3.0
  • #​31960: Explicitly mention emoji fonts, tweak sentence in typography
  • #​31981: list-group.md: fix snippet
  • #​32005: Remove bugreport.apple.com since it doesn't work
  • #​32015: Fix redirects
  • #​32050: Make docs anchorjs links darker on keyboard focus
  • #​32054: Add callouts about using light colors ideally on a dark background
  • #​32077: Switch to Hugo
  • #​32083: mention "Liberation Sans"
  • #​32087: download.md: link to JS files comparison too
  • #​32094: Changes to navbar documentation/explanation
  • #​32106: Clarify JS bundle docs once more for v4
  • #​32137: input-group.md: fix wrong class .visually-hidden
  • #​32138: navbar.md: remove loading=lazy from snippets
  • #​32147: Fix caniuse.com redirects
  • #​32151: Mention user-select-all support in docs
  • #​32196: homepage: split snippets and show copy buttons
  • #​32203: Switch to jsDelivr for the remaining docs assets
  • #​32223: introduction: split comments
  • #​32247: Fix typos in tooltip/popover docs
  • #​32253: Add Russian translation
  • #​32363: Remove useless .text-left in Layout / Overview
  • #​32399: Remove duplicated "follow Bootstrap on Twitter" link in Community section
  • #​32457: Add mention of the bs-custom-file-input plugin needed for the custom file input
  • #​32461: style clipboard button on :focus, not just :hover
  • #​32462: Replace Lorem Ipsum placeholder text with more representative (or at least english language) text
  • #​32634: Remove incorrect mention of dropdowns for dynamic tab behavior
  • #​32639: v4: Add an actual data-touch="false" example in the carousel docs
  • #​32728: add v5.0 in versions
  • #​32761: Mention stretched-link constraints with table elements
  • #​32789: Remove role="button" from CTA links in carousel example
  • #​32791: Docs v4: Sass implementation and rounding precision
  • #​32809:
    • Clarify Sass import and customize docs for how to modify variable defaults
    • Add an npm starter project callout to a few pages
  • #​32827: Add a live toast example to the docs
  • #​32759: Mention CSP and embedded SVGs in v4 docs
  • docs(dropdowns): clarify where is .show applied
  • Require .has-validation for input groups with validation
  • Fix mobile menu jump & double border
  • Remove double spaces from homepage SVGs
  • browserconfig.xml: switch to relative image path
  • Tweak the wording for collapse to indicate button is preferred/more semantic; backport of #​32632
  • Clarify the $enable-shadows option in our docs; backport of #​32685
Examples
  • #​31979: v4 Examples/Floating-labels: fix bad behavior with autofill
  • #​32198: examples: add the version number in title
Misc
  • #​29753: Improve build/generate-sri.js regex
  • #​32003: CI: switch to Node.js 14
  • #​32008: Update Edge's Rendering Engine on CONTRIBUTING.md
  • #​32486: BrowserStack: test on macOS Catalina instead of High Sierra
  • #​32756: Stylelint: disallow some property values
  • Fix for npm 7.x package.json: move version_short variable under the config object; backport of #​32737
  • Update build-examples script so that the resulting examples zip file includes only the needed files
  • Various CI tweaks
  • Updated devDependencies

v4.5.3

Compare Source

CSS
  • #​31653: Add a comment to our escape-svg function to note that data URIs must be quoted.
  • #​31693: Use the custom-control shadow variable instead of the generic input-focus-box-shadow.
  • #​31793: Backport some v5 changes (improved th styling in Reboot, custom form field styling when printing, and improvements to .text-break).
    • #​29714: Keep custom check, radio, and switch theme when printing.
    • #​30781: Reboot's th updates: Inherit font-weight: bold that comes from user agent stylesheets.
    • #​30932: .text-break changes to drop overflow-wrap and use word-wrap once again
    • #​31754: Improve versions page rendering (also reversed the order while I was here)
  • #​31846: Backports the z-index change to .close buttons in dismissible .alerts.
JS
  • #​31000: Avoid multiple change event trigger in buttons plugin. Not applicable to v5 since our button JS plugin has been mostly replaced with pure CSS.
  • #​31673: Fix dropdown variable always evaluating to true.
  • #​31696: Ensure hidePrevented.bs.modal can be prevented.
  • #​31718: Backports new $dropdown-padding-x variable from v5.
Docs
  • #​30811: Mention GPU acceleration fix in docs callout for popovers. Doesn't apply to v5 since we're updating to Popper v2.
  • #​30838: Explain the dispose method more appropriately.
  • #​31706: Backports updated margins for code snippets for improved readability.
  • #​31769: Backports JS bundle guidance from v5.
  • #​31851: Backports mention of missing to and nextwhenvisible methods.
Misc
  • #​31297: Switch to xo ESLint config
  • Updated devDependencies versions

v4.5.2

Compare Source

This release addresses the following two issues:

  • #​31438 restores the make-container-max-widths mixin. We won't be using the mixin ourselves, but it will remain in the codebase for the rest of v4 with today's release. We've added a deprecation notice as well.
  • #​31439 removes flex: 1 0 100% from .rows. This was added to address shrinking rows inside the navbar component after our responsive containers were added in v4.4.0. Removing this rolls us back to the expected grid and flex behavior—your row will shrink unfortunately without further changes. We could add extra custom CSS to address this, but it seems shortsighted to rush into that. Instead, apply .flex-fill to the .row and your row will behave as usual.

v4.5.1

Compare Source

CSS
  • #​30808: Simplify list-group borders in cards
  • #​30810: Add z-index to .custom-check to fix their rendering in CSS columns
  • #​30817: Add border-radius to .card-img-overlay
  • #​30830: Prevent conflicts with components with classes
  • #​30922: Fix color on disabled checked state for custom controls
  • #​30932: Restore word-break: break-word; on .text-break utility.
  • #​30940: Prevent .row from shrinking in flex containers
  • #​30957: Nullify custom form states' box-shadow
  • #​30959: Toasts in IE11
  • #​30960: Fix IE11 validation tooltip alignment in input groups
  • #​30965: Improve floating labels example in IE
  • #​30966: Improve floating labels with Edge and a general refactor
  • #​30969: Remove duplicated container breakpoints in compiled CSS
  • #​30999: Revert min-width: 0 on .col due to unforeseen side effects
  • #​31148: Remove duplicate properties on custom controls
  • #​31165: Remove backdrop-filter from docs subnav and toasts
  • #​31339: Add link to view docs pages on GitHub
  • #​31347: Turn off scroll anchoring for accordions
  • #​31381: Remove overflow: hidden from toasts
JavaScript
  • #​30326: Prevent overflowing static backdrop modal animation
  • #​30936: Add role="dialog" in modals via JavaScript
  • #​30992: Avoid preventing input event onclick
  • #​31155: Clear timeout before showing the toast
Build
Docs
  • #​30809: Update docs callout for responsive SVG images
  • #​30813: Mention Bootstrap Icons in extend/icons.md page
  • #​30896: Improve wording on Downloads page
  • #​30897: Prevent skip links from overlapping header in docs
  • #​30973: Update some nav examples by removing .nav-item from .nav-link to be more consistent
  • #​31070: Fix some broken examples and typos
  • #​31135: Move color utility callouts to start of page
  • #​31234: Clean up docs forms for accessibility
  • #​31344: Mention toasts in the components requiring JavaScript page

v4.5.0

Compare Source

Highlights
  • New interaction utilities. Quickly set user-select with the new utilities and Sass map.
  • New Reboot style for pointer cursors. We now include a role="button" selector in Reboot to set cursor: pointer on non-<button> element buttons.
  • Examples are now downloadable. We've added a script to zip up and offer all our Examples as their own download from the docs.
  • Saved ~5% from the compressed minified JS builds.
  • Added guidance to our docs for how to work around our longstanding input group rounded corner bug.
  • Redesigned docs homepage and navbar to increment us towards v5's new docs design.
  • Deprecated bg-gradient-variant mixin as it's being removed in v5.
  • Updated to jQuery v3.5.1, Jekyll v4, and dropped Node.js < 10 for development.
CSS
  • #​29413: Prevent vertical offset on progress bar in IE11
  • #​29745: Add display: flex on .breadcrumb-item
  • #​29819: Allow percentages in container widths
  • #​29857: Escape brackets
  • #​29946: Added new variable for padding on dropdown header
  • #​30004: Fixes disabled .btn cursor
  • #​30036: Added focus state to .btn-link
  • #​30043: Fix IE auto-size input-group to column
  • #​30049: Prevent grid with default cols from breaking when large pre is present by setting min-width: 0
  • #​30074: Use word-wrap in .text-break for IE and Edge compatibility
  • #​30166: Avoid border-radius functions returning negative values
  • #​30183: Remove unnecessary reduce motion when $enable-transition: false
  • #​30244: Fix centered modal scrolling issue
  • #​30262: Prevent link underline change from affecting some components
  • #​30361: Remove appearance from date inputs
  • #​30391: Prevent redundant transition: none in transition()` mixin
  • #​30497: Fix card list group borders & radii
  • #​30504: Fix spinner-grow animation in Safari
  • #​30515: Add .card-footer color
  • #​30555, #​30512, #​30480: Use box-shadow mixin for .form-select, .btn, and other form controls
  • #​30562: Added new interaction utilities for user-select and a new - role="button" in Reboot to set cursor: pointer.
  • #​30582: Delete unnecessary appearance: none from button.close
  • #​30594: Deprecate bg-gradient-variant mixin
  • #​30605, #​30606: Grid now checks for for $grid-columns > 0
  • #​30609: Checks for an empty $grid-breakpoints map list to remove all breakpoints
  • #​30660: Prevent list group style leaks
  • #​30685: Disable auto-hiding scrollbar in IE and legacy Edge
JavaScript
  • #​29986: Close modal with keyboard=true & backdrop=static
  • #​29968: sanitizer.js: Add srcset in the allowed attributes
  • #​30381: Updated tab.js to address accessibility issue when using ul/li semantic
  • #​30383: ensure totype always return stringified null when null passed
  • #​30388: enable button toggle on label when checkbox is inside
  • #​30490: Switch to string constants to save ~5% on compressed file size
  • #​30510, #​30511: Fix event propagation from inactive and disabled dropdowns
  • #​30744: ensure build plugins can exit in error
  • #​30772: Prevent scrollbar replacement on non-integer width
  • 22f75c: scrollspy: only accept valid Elements as input for target
Docs
  • Redesigned docs homepage
  • Improved tap target sizing in our navigation
  • Added examples for our input group border-radius workaround
  • Added warning to browser bugs page that it's no longer maintained
  • Added loading="lazy" for images
  • #​29782: Improve wrapping and hit area of accordion example titles
  • #​29820: move width after make-container() mixin
  • #​29937: Add missing Noto Sans font to font stack
  • #​29956: Add Microsoft Edge for macOS to supported browsers
  • #​30130: Added ability to zip and download our Examples
  • #​30175: Add version number in page titles
  • #​30180: Changed input group validation examples to reflect issues with input group
  • #​30207: Headings hierarchy in theming.md
  • #​30325: Updated modal docs to simplify data-target usage and more
  • #​30416: Clarify card group behavior
  • #​30469: Remove holder.js leftovers
  • #​30505: Use existing position utility in navbar example
  • #​30695: make the check for URL stricter in our docs search
  • #​30755: Removed role="document" from the modal dialog
Examples
  • #​29886: Fix checkout page forms
  • #​30573: Improve the responsiveness of our Dashboard example
Dependencies
  • Updated jQuery to v3.5.1
  • Replaced bundlesize with bundlewatch
  • Updated to Jekyll v4
  • Drop Node.js < 10
  • Misc devDependencies updates

v4.4.1

Compare Source

v4.4.0

Compare Source

Highlights

Here's what you need to know about v4.4.0. Remember that with every minor and major release of Bootstrap, we ship a new URL for our hosted docs to ensure URLs continue to work.- New responsive containers! Over a year in the making, fluid up to a particular breakpoint, available for all responsive tiers.

  • New responsive .row-cols classes for quickly specifying the number of columns across breakpoints. This one is huge for those of you who have asked for responsive card decks.
  • New escape-svg() function for simplifying our embedded background-image SVGs for forms and more.
  • New add() and subtract() functions for avoiding errors and zero values from CSS's built in calc feature.
  • New make-col-auto() mixin to make our .col-auto class available with custom HTML.
  • Fixed an issue with Microsoft Edge not picking up :disabled styles by moving selectors to [disabled].
  • Deprecated: bg-variant(), nav-divider(), and form-control-focus() mixins are now deprecated as they're going away in v5.
  • Updated our spacing and alignment for modal footer elements like buttons to automatically wrap when space is constrained.
  • More flexible form control validation styles thanks to fewer chained selectors. Also updated the :invalid validation icon to be an alert instead of an &times; to avoid confusion with browser functionality for clearing the form field value.
  • Fixed a couple dozen CSS and JS bugs.
  • Moved to GitHub Actions for CI/CD! Expect more updates to our CI setup over time here while Actions evolves.
  • Updated documentation to fix links and typos, improved landmarks for secondary navigation, and a new security doc for guidelines on reporting potential vulnerabilities.
Links

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants