Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[deps] Auth: Update bootstrap to v5 [SECURITY] #4881

Merged
merged 29 commits into from
Nov 19, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 11, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
bootstrap (source) 4.6.2 -> 5.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-6531

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.


Release Notes

twbs/bootstrap (bootstrap)

v5.0.0

Compare Source

Highlights

#​32155: Updated make-col() mixin to generate equal columns when no size is specified
#​32763: Added new color-scheme() mixin
#​33389: Dropdown menus now have option become clickable
#​33453: Added new docs footer
#​33548: Offcanvas header components are now vertically aligned
#​33549: Added offcanvas-top modifier
#​33634: Added support for .dropdown-items wrapped in <li>s
#​33626: Fix v5 regressions in tab dropdown functionality

🚀 Features

  • #​32763: Add color-scheme mixin
  • #​33389: Dropdown — Add option to make the dropdown menu clickable
  • #​33549: Add offcanvas-top modifier

🎨 CSS

  • #​32155: Add equal column mixin
  • #​32763: Add color-scheme mixin
  • #​33292: Make accordion icon rotation more natural
  • #​33411: Fix validation feedback icon in select multiple
  • #​33478: Make .nav-link color consistent when using buttons
  • #​33482: Dropdown — Apply positioning only when Popper is not used
  • #​33548: Vertically align offcanvas header components
  • #​33549: Add offcanvas-top modifier
  • #​33550: Spinner alignment changes
  • #​33598: Hide validation icons from multiple selects
  • #​33600: Have $form-check-input-border's default derive from $black
  • #​33607: Reduce color-scheme complexity
  • #​33642: use :read-only css selector instead [readonly] for consistency
  • #​33658: fix: use list-group variable instead of alert
  • #​33736: accordion: fix border-top on Firefox

☕️ JavaScript

  • #​32439: Decouple BackDrop from modal
  • #​33245: Decouple Modal's scrollbar functionality
  • #​33249: Simplify Modal Config
  • #​33250: Simplify ScrollSpy config
  • #​33310: fix: make EventHandler better handle mouseenter/mouseleave events
  • #​33389: Dropdown — Add option to make the dropdown menu clickable
  • #​33429: Remove element event listeners through base component
  • #​33451: Add missing things in hide method of dropdown
  • #​33456: Use our isDisabled util on dropdown
  • #​33466: Refactor dropdown's hide functionality
  • #​33479: Fix dropdown escape propagation
  • #​33496: Use cached noop function
  • #​33497: Use template literals instead of concatenation
  • #​33499: Fix wrong carousel transformation, direction to order
  • #​33545: Use the backdrop util in offcanvas, enforcing consistency
  • #​33586: Tab.js: Fixes on click handling
  • #​33589: refactor: make static selectMenuItem method private
  • #​33612: tests: fix random BrowserStack failures in scrollbar
  • #​33626: Fix v5 regressions in tab dropdown functionality
  • #​33634: Dropdown: support .dropdown-item wrapped in <li> tags
  • #​33638: Fix toggle between modals example
  • #​33643: fix: clicking an item in navbar dropdown should not collapse the dropdown in firefox
  • #​33666: Modal.js: fix test for scrollbar
  • #​33677: Offcanvas.js: If scroll is allowed, should allow focus on other elements
  • #​33684: Don't change the value for altBoundary option
  • #​33706: Scrollbar: respect the initial body overflow value

📖 Docs

  • #​33446: Make offcanvas example fully static
  • #​33453: Add new docs footer
  • #​33521: The spacing margin side identifiers 's' and 'e' may be intuitive for …
  • #​33522: Clarify docs accordion example
  • #​33543: Update parcel.md
  • #​33553: Add example: Panels stay open
  • #​33567: Fixed wrong method name _getInstance
  • #​33571: footer: fix rel=noopener attribute
  • #​33583: docs: update clipboard.js to v2.0.8
  • #​33597: Docs: Fix wrong dark attribute in Table - Vertical Alignment
  • #​33632: Correct the heading for the States section
  • #​33638: Fix toggle between modals example
  • #​33664: Docs: fix W3C validation errors in list-group example
  • #​33668: Update anchor.js to v4.3.1.
  • #​33669: Change from preventOverflow to detectOverflow in boundary option
  • #​33675: Fix typo
  • #​33676: Fix Grid System docs
  • #​33685: docs: fix the default value of Popper's boundary option
  • #​33687: Fixes #​33686 typo in RTL docs
  • #​33690: Add Bootstrap Icons to alerts docs
  • #​33726: Replace modal and scrollspy placeholder content
  • #​33733: Tooltip/Popover — Minor doc updates
  • #​33735: Clarify boundary option description
  • #​33772: Improve overall new examples' accessibility
  • #​33782: Add new team members to the Teams page
  • #​33786: Docs: adding intro about web accessibility
  • #​33797: Update links to CCA, MQ5 prefers-reduced-motion, evergreen WCAG urls
  • #​33810: Tweak toast docs
  • #​33829: Update migration guide for some v5 changes
  • #​33832: Fix doc typo and Bootstrap Icons link
  • #​33833: refactor(docs): Added form file input variables
  • #​33834: Rewrite migration guide

Examples

  • #​33097: Update RTL examples
  • #​33759: fix: change margin breakpoints for bootstrap logo on double header
  • #​33681: Fixes signup form in Heroes example
  • #​33569: Improve responsiveness of Features examples

🌎 Accessibility

🏭 Tests

  • #​33578: Remove unnecessary data-bs-backdrop="static" from modal tests
  • #​33612: tests: fix random BrowserStack failures in scrollbar
  • #​33666: Modal.js: fix test for scrollbar
  • #​33734: Add missing test for clicking select option in a dropdown

🧰 Misc

📦 Dependencies


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner October 11, 2024 19:25
@renovate renovate bot requested a review from ike-kottlowski October 11, 2024 19:25
@renovate renovate bot added the security label Oct 11, 2024
@renovate renovate bot requested a review from a team October 11, 2024 19:25
Copy link

codecov bot commented Oct 11, 2024

Codecov Report

Attention: Patch coverage is 0% with 31 lines in your changes missing coverage. Please review.

Project coverage is 42.66%. Comparing base (e16cad5) to head (74302b7).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
src/Admin/Views/Tools/StripeSubscriptions.cshtml 0.00% 31 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4881   +/-   ##
=======================================
  Coverage   42.66%   42.66%           
=======================================
  Files        1411     1411           
  Lines       65087    65087           
  Branches     5959     5959           
=======================================
  Hits        27772    27772           
  Misses      36075    36075           
  Partials     1240     1240           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.


🚨 Try these New Features:

@ike-kottlowski
Copy link
Contributor

We do not use the carrousel component, so this security finding does not affect us directly.

We do still wish to update to Version 5. But the lift to update the UI is larger and is impacting other flows.

@renovate renovate bot force-pushed the renovate/npm-bootstrap-vulnerability branch from b710e41 to e81cb7f Compare October 11, 2024 21:05
@renovate renovate bot force-pushed the renovate/npm-bootstrap-vulnerability branch from e81cb7f to 19cd403 Compare October 12, 2024 00:12
@bitwarden-bot bitwarden-bot changed the title [deps] Auth: Update bootstrap to v5 [SECURITY] [PM-13475] [deps] Auth: Update bootstrap to v5 [SECURITY] Oct 12, 2024
@bitwarden-bot
Copy link

Internal tracking:

@renovate renovate bot changed the title [PM-13475] [deps] Auth: Update bootstrap to v5 [SECURITY] [deps] Auth: Update bootstrap to v5 [SECURITY] Oct 12, 2024
@r-tome
Copy link
Contributor

r-tome commented Oct 21, 2024

I agree with @ike-kottlowski, updating all the UI is quite an effort. I ran a build from this branch locally, and all the CSS styles were broken.

@r-tome r-tome requested review from a team as code owners October 31, 2024 11:06
@@ -49,3 +53,11 @@ h3 {
.form-check-input {
margin-top: .45rem;
}

a {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bootstrap 5 automatically adds an underline to hyperlinks. This change removes the underline to match the Bootstrap 4 style.

@r-tome
Copy link
Contributor

r-tome commented Nov 14, 2024

Sent Rui a comment that we fast-follow this with a bump to the latest Bootstrap v5.

@withinfocus I needed to adjust the appearance of hyperlinks, so I took the opportunity to upgrade Bootstrap to the latest version

withinfocus
withinfocus previously approved these changes Nov 14, 2024
Copy link
Contributor

@withinfocus withinfocus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

eliykat
eliykat previously approved these changes Nov 15, 2024
ike-kottlowski
ike-kottlowski previously approved these changes Nov 15, 2024
@r-tome r-tome requested review from eliykat and a team and removed request for cturnbull-bitwarden November 18, 2024 16:24
@r-tome r-tome merged commit b2b0f1e into main Nov 19, 2024
52 checks passed
@r-tome r-tome deleted the renovate/npm-bootstrap-vulnerability branch November 19, 2024 12:04
vgrassia pushed a commit to vgrassia/server that referenced this pull request Nov 21, 2024
* [deps] Auth: Update bootstrap to v5 [SECURITY]

* Update bootstrap and import dependencies in site.scss

* Update site.scss to include the theme color 'dark'

* Refactor site.scss to merge the 'primary-accent' theme color into the existing theme colors

* Update bootstrap classes for v5

* Refactor form layout in Index.cshtml and AddExistingOrganization.cshtml

* Revert change to the shield icon in the navbar

* Fix organization form select inputs

* Fixed search input sizes

* Fix elements in Providers and Users search

* More bootstrap migration

* Revert change to tax rate delete button

* Add missing label classes in Users/Edit.cshtml

* More component migrations

* Refactor form classes and labels in CreateMsp.cshtml and CreateReseller.cshtml

* Update package dependencies in Sso

* Revert changes to Providers/Edit.cshtml

* Refactor CreateMultiOrganizationEnterprise.cshtml and Providers/Edit.cshtml for bootstrap 5

* Refactor webpack.config.js to use @popperjs/core instead of popper.js

* Remove popperjs package dependency

* Restore Bootstrap 4 link styling behavior

- Remove default text decoration
- Add underline only on hover

* Update Bootstrap to version 5.3.3

* Update deprecated text color classes from 'text-muted' to 'text-body-secondary' across various views

* Refactor provider edit view for bootstrap 5

* Remove underline in Add/Create organization links in provider page

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Rui Tome <[email protected]>
Co-authored-by: Rui Tomé <[email protected]>
vgrassia pushed a commit to vgrassia/server that referenced this pull request Nov 21, 2024
* [deps] Auth: Update bootstrap to v5 [SECURITY]

* Update bootstrap and import dependencies in site.scss

* Update site.scss to include the theme color 'dark'

* Refactor site.scss to merge the 'primary-accent' theme color into the existing theme colors

* Update bootstrap classes for v5

* Refactor form layout in Index.cshtml and AddExistingOrganization.cshtml

* Revert change to the shield icon in the navbar

* Fix organization form select inputs

* Fixed search input sizes

* Fix elements in Providers and Users search

* More bootstrap migration

* Revert change to tax rate delete button

* Add missing label classes in Users/Edit.cshtml

* More component migrations

* Refactor form classes and labels in CreateMsp.cshtml and CreateReseller.cshtml

* Update package dependencies in Sso

* Revert changes to Providers/Edit.cshtml

* Refactor CreateMultiOrganizationEnterprise.cshtml and Providers/Edit.cshtml for bootstrap 5

* Refactor webpack.config.js to use @popperjs/core instead of popper.js

* Remove popperjs package dependency

* Restore Bootstrap 4 link styling behavior

- Remove default text decoration
- Add underline only on hover

* Update Bootstrap to version 5.3.3

* Update deprecated text color classes from 'text-muted' to 'text-body-secondary' across various views

* Refactor provider edit view for bootstrap 5

* Remove underline in Add/Create organization links in provider page

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Rui Tome <[email protected]>
Co-authored-by: Rui Tomé <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants