[Security] Bump bootstrap from 3.3.7 to 5.0.2

Open dependabot-preview[bot] opened this issue 4 years ago • 0 comments

Bumps bootstrap from 3.3.7 to 5.0.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects bootstrap In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.

Affected versions: < 3.4.0

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects bootstrap In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.

Affected versions: < 4.1.2

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects bootstrap In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.

See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.

Affected versions: >= 3.0.0 < 3.4.0

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects bootstrap In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Affected versions: < 3.4.0

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects bootstrap In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Affected versions: < 3.4.0

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects bootstrap and bootstrap-sass In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Affected versions: >= 3.0.0 < 3.4.1

Release notes

Sourced from bootstrap's releases.

v5.0.2

🚀 Features

#34052: Automatically select an item in the dropdown when using arrow keys

🎨 CSS

#33621: Allow individual grid classes to override .row-cols

#34008: Fix x-paddings for select (with floating label, and in Firefox)

#34026: Set the correct color for popover header bottom border

#34034: Add missing transition to .form-select

#34044: Fix wrong comment text for tooltip

#34047: Handle complex expressions in add() & subtract()

#34048: Decouple --bs-table-bg and --bs-table-accent-bg

#34062: Document how to make utilities responsive using the API

#34124: fix(dropdowns): RTL for .dropdown-menu-*

#34161: fix(forms): unitless line-height for floating labels

#34223: docs(style): fix display of nested <ul><li>

#34245: Replace / division with multiplication and custom divide() function

#34255: Don't set auto margin on offcanvas close

#34281: Fix lingering Sass math

#34283: Update the divide() function and RFS

#34332: Fix another Sass division

☕️ JavaScript

#33276: Add getOrCreateInstance method in base-component

#33371: Popover & Tooltip: Allow dispose/hide methods usage through jQueryIntreface

#33608: Utils: add getNextActiveElement helper function

#33845: Fix handling of transitionend events dispatched by nested elements

#33928: Reset inside a Dialog does not work if data-dismiss="modal" is set

#33947: Refactor scrollbar.js to be used as a Class

#33948: Add tests for scrollbar.js & better handling if a style property doesn't exist

#33960: fix isVisible false positives from deep nesting or alternate means

#33982: Don't add empty content holder when there is no content available

#34014: Fix backdrop "Cannot read property 'removeChild' of null" when removed from body

#34052: Automatically select an item in the dropdown when using arrow keys

#34070: Fix test of #34014

#34071: Change element.parentNode.removeChild(element) to element.remove()

#34085: Fix prevented show event disables modals with fade class from being displayed again

#34092: Backdrop: Fix stale body by removing unnecessary default

#34158: Register only one DOMContentLoaded event listener in onDOMContentLoaded

#34266: Fix carousel buttons

#34307: fix(carousel): arrow keys break animation if carousel sliding

📖 Docs

#33724: Nav-tabs documentation example: Adjust example to querySelectorAll

#33749: add Bootstrap 5 Simplified Chinese translation

#34009: Drop BlinkMacSystemFont in docs

... (truncated)

Commits

688bce4 Release v5.0.2 (#34276)
16d5041 Fix another Sass division (#34332)
4927388 Register only one DOMContentLoaded event listener in onDOMContentLoaded (...
56b0004 Bump sass from 1.32.13 to 1.35.1 (#34285)
c11c3a7 Update rfs to v9.0.4.
ed13d01 Update the divide() function
290b9ee fix(carousel): arrow keys break animation if carousel sliding (#34307)
8be957b Bump @babel/preset-env from 7.14.5 to 7.14.7 (#34326)
0fa84e8 build/vnu-jar.js: clean up ignores (#34279)
58a3731 Bump rollup from 2.52.1 to 2.52.2 (#34325)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by xhmikosr, a new releaser for bootstrap since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Pull request limits (per update run and/or open at any time)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Jun 22 '21 21:06 dependabot-preview[bot]