Bootstrap 4.0.0 represents a significant leap forward from the earlier 3.4.1, marking a pivotal shift in how developers build responsive web projects. A key architectural change is the migration from Less to Sass for CSS preprocessing, granting greater flexibility and customization options. The peer dependency on jQuery remains, but 4.0.0 adds popper.js as a second peer dependency; it is required for the positioning of elements such as tooltips and popovers.
The core grid system underwent a complete rewrite built on flexbox, enabling more powerful and efficient layouts. New components, such as cards, add to the framework's versatility. Furthermore, it dropped support for IE8 and older browsers, allowing the team to make use of modern CSS that greatly simplifies many tasks.
Looking at the developer tooling, Bootstrap 4.0.0 embraces a more modern workflow. While both versions rely on tools like shx, glob, and karma for development tasks, Bootstrap 4.0.0 introduces rollup for bundling and makes extensive use of Babel for transpilation, ensuring compatibility with different JavaScript environments, as well as tools like bundlesize and workbox-build to improve performance. The older version had a strong focus on Grunt tasks.
The move to Bootstrap 4.0.0 empowered developers with modern tools and techniques, resulting in more streamlined and robust front-end development workflows. Developers could expect easier customization, better performance and many new components for creating modern web applications. The newer toolchain also helps developers to maintain the library, test it and publish it.
All vulnerabilities related to version 4.0.0 of the package
Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
Bootstrap Vulnerable to Cross-Site Scripting
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
For bootstrap 4.x upgrade to 4.3.1 or later.
For bootstrap 3.x upgrade to 3.4.1 or later.
Bootstrap Cross-Site Scripting (XSS) vulnerability
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could enable attackers to execute arbitrary JavaScript within the victim's browser.
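Added example (not code from this page or from the Bootstrap project): a small JavaScript checker that maps a Bootstrap version string onto the version ranges the advisories above state, so an audit or build step can tell which of them apply and which release clears them. It assumes plain major.minor.patch version strings; pre-release suffixes such as 4.0.0-beta are treated as the release they precede, and the carousel advisory is left out because the page gives no version range for it.

```javascript
// Added example (not code from the page or from Bootstrap): encodes the affected
// ranges the advisories above state as [min inclusive, max exclusive) pairs.

// Parse "major.minor.patch"; a pre-release suffix ("-beta") is ignored, which is
// conservative: 4.0.0-beta counts as 4.0.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a major.minor.patch version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function inRange(version, [min, max]) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) < 0;
}

// "4.x before 4.1.2" -> [4.0.0, 4.1.2). The carousel data-slide advisory is
// omitted because the page states no version range for it.
const ADVISORIES = [
  { id: 'collapse data-parent XSS', ranges: [['2.3.0', '3.4.0'], ['4.0.0', '4.1.2']] },
  { id: 'tooltip data-container XSS (similar to CVE-2018-14041)', ranges: [['2.3.0', '3.4.0'], ['4.0.0', '4.1.2']] },
  { id: 'scrollspy data-target XSS (similar to CVE-2018-14042)', ranges: [['4.0.0', '4.1.2']] },
  { id: 'tooltip/popover data-template XSS', ranges: [['3.0.0', '3.4.1'], ['4.0.0', '4.3.1']] },
];

// Ids of the advisories whose stated ranges include `version`.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => a.ranges.some(r => inRange(version, r)))
    .map(a => a.id);
}

// Lowest release in the same major line the advisories recommend; null for 2.x,
// where the page names no fixed release.
function recommendedUpgrade(version) {
  const major = parseVersion(version)[0];
  if (major >= 4) return '4.3.1';
  if (major === 3) return '3.4.1';
  return null;
}
```

For the page's own version, `affectedAdvisories('4.0.0')` returns all four encoded advisories and `recommendedUpgrade('4.0.0')` returns '4.3.1'.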