Fixed a breaking change introduced with color modes where it was required to manually import variables-dark.scss when building Bootstrap with Sass. Now, _variables.scss will automatically import _variables-dark.scss. If you were already importing _variables-dark.scss manually, you should keep doing it as it won't break anything and will be the way to go in v6.
Fixed a regression in the selector engine that wasn't able to handle multiple IDs anymore.
Color modes
Badges now use the .text-bg-* text utilities to be certain that the text is always readable (especially when the customized colors are different in light and dark modes).
Fixed our color-modes.js script to handle the case where the OS is set to light mode and the auto color mode is used on the website. If you copied the script from our docs, you should apply this change to your own script.
Fixed color schemes description in the color modes documentation to show that color-scheme() only accept light and dark values as parameters.
Miscellaneous
Allowed <dl>, <dt> and <dd> in the sanitizer.
Dropped evenly items distribution for modal and offcanvas headers.
Fixed the accordion CSS selectors to avoid inheritance issues when nesting accordions.
Fixed the focus box-shadow for the validation stated form controls.
Fixed the focus ring on focused checked buttons.
Fixed the product example mobile navbar toggler.
Changed the RTL processing of carousel control icons.
🎨 CSS
#37508: Use child combinators to avoid inheriting parent accordion's flush styles
#38719: Fix focus box-shadow for validation stated form-controls
Added better configurability for comment scrubbing default behavior
Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
Added better handling and readability of the nodeType property, thanks @ssi02014
Fixed some smaller issues in README and other documentation
DOMPurify 3.1.2
Addressed and fixed a mXSS variation found by @kevin-mizu
Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
Updated tests for older Safari and Chrome versions
DOMPurify 3.1.1
Fixed an mXSS sanitiser bypass reported by @icesfont
Added new code to track element nesting depth
Added new code to enforce a maximum nesting depth of 255
Added coverage tests and necessary clobbering protections
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
DOMPurify 3.1.0
Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
Updated README to warn about happy-dom not being safe for use with DOMPurify yet
Updated the LICENSE file to show the accurate year number
Updated dependencies, notably tough-cookie, which no longer prints a deprecation warning.
Version 25.0.0
This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.
This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.
This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.
Version 24.1.3
Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).
Version 24.1.2
Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)
Version 24.1.1
Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)
Version 24.1.0
Added the getSetCookie() method to the Headers class. (ushiboy)
Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
Updated rweb-cssom, which can now parse additional CSS constructs.
Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.
Additionally:
Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.
Version 23.2.0
This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.
There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.
Version 23.1.0
Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
Added the string-valued ARIA attribute-reflecting properties to Element.
Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
Updated various dependencies, including cssstyle which contains several bug fixes.
Version 23.0.1
Fixed the incorrect canvas peer dependency introduced in v23.0.0.
Updated dependencies, notably tough-cookie, which no longer prints a deprecation warning.
25.0.0
This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.
This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.
This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.
24.1.3
Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).
24.1.2
Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)
24.1.1
Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)
24.1.0
Added the getSetCookie() method to the Headers class. (ushiboy)
Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
Updated rweb-cssom, which can now parse additional CSS constructs.
Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.
Additionally:
Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.
23.2.0
This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.
There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.
23.1.0
Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
Bumps the dev-dependencies group with 19 updates in the / directory:
6.0.37.1.06.2.16.6.02.11.62.11.85.2.35.3.32.5.63.1.70.26.02.16.03.6.33.7.121.1.025.0.110.4.1310.4.2011.0.012.0.26.7.37.1.24.2.05.1.05.5.05.6.32.7.22.9.17.0.28.1.11.57.11.80.413.2.016.0.25.94.05.95.04.11.15.1.0Updates
@braintree/sanitize-urlfrom 6.0.3 to 7.1.0Release notes
Sourced from
@braintree/sanitize-url's releases.Changelog
Sourced from
@braintree/sanitize-url's changelog.Commits
cdd33eb7.1.04d7ed87Update changelog for 7.1.0820d51cRevised implementation (#77)ec9925c7.0.483e5336chore: update changelog530c932Update to get-func-name v2.0.2 (#74)e95af7a7.0.3db96dd3chore: update changelog83128d6Merge pull request #76 from braintree/dependabot/npm_and_yarn/braces-3.0.3536a053Update CHANGELOG.mdUpdates
@fortawesome/fontawesome-freefrom 6.2.1 to 6.6.0Release notes
Sourced from
@fortawesome/fontawesome-free's releases.Commits
37eff7fRelease 6.6.0 (#20295)138f8c3Update 000_icon_request.yml05235abUpdating Icon Request Template (#20275)c0f460dRelease 6.5.2 (#20179)a1232e3Delete case-sensitive faTshirt duplicate (#20073)dcdc48aUpdate contributing guidelines (#20028)deeea78Release 6.5.1 (#20031)2885a3cMove files out of the free directory8302f1cRelease 6.5.0 (#20016)f0c2583Release 6.4.2 (#19842)Updates
@popperjs/corefrom 2.11.6 to 2.11.8Commits
9219508v2.11.85347b2fchore: [Popper] remove process.env (#2296)0654654v2.11.75029579fix: Use correct window to get the devicePixelRatio (#2229)2893e9afix: error with user-agent brand not being an array (#1968)Updates
bootstrapfrom 5.2.3 to 5.3.3Release notes
Sourced from bootstrap's releases.
... (truncated)
Commits
6e1f75fRelease v5.3.3 (#39524)3caef2bBuild(deps-dev): Bump terser from 5.27.1 to 5.27.2 (#39690)4abac9bBuild(deps-dev): Bump ip from 2.0.0 to 2.0.1 (#39691)c396a2aBuild(deps-dev): Bump sass from 1.70.0 to 1.71.0 (#39684)c9a8a40Build(deps-dev): Bump rollup from 4.9.6 to 4.12.0 (#39683)6aecb37Build(deps-dev): Bump eslint-plugin-html from 7.1.0 to 8.0.0 (#39672)4081168Build(deps-dev): Bump terser from 5.27.0 to 5.27.1 (#39682)4605d71Build(deps-dev): Bump postcss from 8.4.34 to 8.4.35 (#39673)08eeee3Build(deps-dev): Bump lockfile-lint from 4.12.1 to 4.13.1 (#39675)f92d635Build(deps-dev): Bump eslint-plugin-unicorn from 51.0.0 to 51.0.1 (#39676)Updates
dompurifyfrom 2.5.6 to 3.1.7Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
69c8c12Merge pull request #999 from cure53/main15f54edchore: Regenerated source maps4f3b5cbMerge pull request #998 from cure53/main50aec03chore: Preparing 3.1.7 release4a9ec1ffix: Fixed an issue with comment detection and possible bypasses with specifi...50ea515Merge pull request #993 from cure53/dependabot/npm_and_yarn/body-parser-1.20.3b6188ecbuild(deps): bump body-parser from 1.20.1 to 1.20.31e2cb9bMerge pull request #990 from jeroen1602/angular_support745b521Added support for the Angular compiler.c1949fbMerge pull request #989 from cure53/dependabot/npm_and_yarn/webpack-5.94.0Updates
isomorphic-dompurifyfrom 0.26.0 to 2.16.0Release notes
Sourced from isomorphic-dompurify's releases.
... (truncated)
Commits
1a404c4Upgraded deps. Increased project version.ef0c702Merge pull request #288 from kkomelin/dependabot/npm_and_yarn/jsdom-25.0.1fc73358Merge pull request #290 from kkomelin/dependabot/npm_and_yarn/dompurify-3.1.7ad1241fBump jsdom from 25.0.0 to 25.0.1b84d959Merge pull request #289 from kkomelin/dependabot/npm_and_yarn/terser-5.34.02970cfaBump dompurify from 3.1.6 to 3.1.7894fcd7Bump terser from 5.33.0 to 5.34.009d04efMerge pull request #287 from kkomelin/dependabot/npm_and_yarn/terser-5.33.0b364ed3Bump terser from 5.32.0 to 5.33.0c9a1559Merge pull request #286 from kkomelin/dependabot/npm_and_yarn/vitest-2.1.1Updates
jqueryfrom 3.6.3 to 3.7.1Release notes
Sourced from jquery's releases.
Commits
f79d5f13.7.1399b201Release: revert change that broke releasef85d521Release: update authors763ade6Build: Generate the slim build ongrunt& runcompare_sizeon ita288838CSS: Make the reliableTrDimensions support test work with Bootstrap CSS (3.x ...87467a6Selector: Only attach the unload handler in IE & Edge Legacy3c18c1fBuild: Make sure*.cjs&*.mjsfiles use UNIX line endings as well72ae577Build: switch preferred email for timmywila370d7dBuild: Build: Bump actions/checkout from 3.5.2 to 3.5.34a29888Docs: Fix typos found by codespellUpdates
jsdomfrom 21.1.0 to 25.0.1Release notes
Sourced from jsdom's releases.
... (truncated)
Changelog
Sourced from jsdom's changelog.
... (truncated)
Commits
04541b3Version 25.0.196bd111Update dependencies and dev dependenciesd08440cUpgrade tough-cookie to v5.0.0c53efc8Version 25.0.0784c8a5Set EventTarget.prototype to the jsdom's Object.prototype0314f1eVersion 24.1.346d5d5cFix postMessage referenced as a bare propertya241df6Version 24.1.2c3a9aedRemove upstreamed WPTs07fab37Refactor Window object setup codeUpdates
autoprefixerfrom 10.4.13 to 10.4.20Release notes
Sourced from autoprefixer's releases.
Changelog
Sourced from autoprefixer's changelog.
Commits
dae6eb4Release 10.4.20 versionee43652Fix fit-content for Firefoxcf80824Update dependencies49d5ec6Move to pnpm 98060e33Release 10.4.19 versionfe7bae4Remove end→flex-end warning5f6f362Update dependencies13a86dfMove to flat ESLint configb3e0579Update dependencies90dc18dRelease 10.4.18 versionUpdates
copy-webpack-pluginfrom 11.0.0 to 12.0.2Release notes
Sourced from copy-webpack-plugin's releases.
Changelog
Sourced from copy-webpack-plugin's changelog.
Commits
64d67ecchore(release): 12.0.2a7379a9fix: improve perf (#764)7ee03c9build: set targets to node 18 in babel.config.js (#762)b4f5ec0chore(release): 12.0.155036abfix: improve perf (#760)f2a5db3chore(release): 12.0.0a5b7d06chore!: minimum supported Node.js version is18.12.0(#759)74a3666chore: update dependencies to latest version (#757)9d2ce6echore: update github action/setup-node (#754)40a5203chore: update dependencies to the latest version (#753)Updates
css-loaderfrom 6.7.3 to 7.1.2Release notes
Sourced from css-loader's releases.
... (truncated)
Changelog
Sourced from css-loader's changelog.
... (truncated)
Commits
d5ba44achore(release): 7.1.276757effix: keep order of@imports with thewebpackIgnorecomment (#1600)4b41689ci: use node v22 (#1596)2068222chore: update dependencies to latest version (#1595)e006f66refactor: useenvironmentto gettemplateLiteralvalue (#1591)5c717c9chore(release): 7.1.1d6c31a1fix: automatically rename classdefaultto_defaultwhen named export is ...b162e25chore(release): 7.1.015f793ddocs: update logic (#1587)9c165a4docs: update migration guide (#1586)Updates
html-loaderfrom 4.2.0 to 5.1.0Release notes
Sourced from html-loader's releases.
Changelog
Sourced from html-loader's changelog.