fix(deps): update dependency bootstrap to v4.3.1 [security]#38560
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Open
fix(deps): update dependency bootstrap to v4.3.1 [security]#38560renovate[bot] wants to merge 1 commit intomasterfrom
renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
renovate
Bot
force-pushed
the
renovate/npm-bootstrap-vulnerability
branch
5 times, most recently
from
890ebcc to
88089e4
Compare
renovate
Bot
force-pushed
the
renovate/npm-bootstrap-vulnerability
branch
from
88089e4 to
a95747c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.0.0→4.3.1Bootstrap Cross-site Scripting vulnerability
CVE-2018-14041 / GHSA-pj7m-g53m-7638
More information
Details
In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Bootstrap Vulnerable to Cross-Site Scripting
CVE-2019-8331 / GHSA-9v3m-8fp8-mj99
More information
Details
Versions of
bootstrapprior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). Thedata-templateattribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.Recommendation
For
bootstrap4.x upgrade to 4.3.1 or later.For
bootstrap3.x upgrade to 3.4.1 or later.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Bootstrap vulnerable to Cross-Site Scripting (XSS)
CVE-2018-14040 / GHSA-3wqf-4x89-9g79
More information
Details
In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Bootstrap Cross-site Scripting vulnerability
CVE-2018-14042 / GHSA-7mvr-5x2g-wfc8
More information
Details
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
twbs/bootstrap (bootstrap)
v4.3.1Compare Source
v4.3.0Compare Source
Highlights
.stretched-linkutility to make any anchor the size of it's nearestposition: relativeparent, perfect for entirely clickable cards!.text-breakutility for applyingword-break: break-word.rounded-smand.rounded-lgfor small and largeborder-radius..modal-dialog-scrollablemodifier class for scrolling content within a modal..list-group-horizontalmodifier classes for displaying list groups as a horizontal row.nullfor variables that by default inherit their values from other elements (e.g.,$headings-colorwasinheritand is nownulluntil you modifier it in your custom CSS).background-colorlike our buttons.hrefHTML attribute to avoid JavaScript errors. Please try to use valid selectors or thedata-targetHTML attribute/targetoption where available.white-space: nowrapto.dropdown-toggle(before v4.2.1 it was on all.btns) so carets don't wrap to new lines.img-retina,invisible,float, andsizemixins are now deprecated and will be removed in v5.Links
v4.2.1Compare Source
Bump to v4.2.1 to republish package on npm. See v4.2.0 release notes for changes introduced in v4.2.
v4.1.3Compare Source
:not(:root)selector from oursvgReboot styles, resolving an issue that caused all inline SVGs ignorevertical-alignstyles via single class due to higher specificity.package.jsonto a separate file to avoid unintended inherited browser settings across npm projects..form-controls now have a fixedheightto compensate for differences in computed height across differenttypes. This also fixes some IE alignment issues.Noto Color Emojito our system font stack for better rendering in Linux OSes.v4.1.2Compare Source
Checkout the v4.1.2 ship list and GitHub project for the full details.
v4.1.1Compare Source
Our first patch release for Bootstrap 4! Here's a quick rundown of some of the changes:
text-hidedeprecation notice by defaultCheckout the v4.1.1 ship list and GitHub project for the full details.
v4.1.0Compare Source
.carousel-fademodifier to switch carousel from horizontal sliding to crossfade..dropdown-item-textfor plaintext dropdown items..flex-fill,.flex-grow-*, and.flex-shrink-*utilities..table-borderlessvariant for tables..text-monospaceutility..text-body(default body color),.text-black-50(50% opacity black), and.text-white-50(50% opacity white) utilities..shadow-*utilities for quickly addingbox-shadows..text-hide—you'll see a warning during compilation—as it's a dated and undocumented feature.Be sure to look at the ship list and project board for more details on all our fixes.
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.