Fixed a breaking change introduced with color modes where it was required to manually import variables-dark.scss when building Bootstrap with Sass. Now, _variables.scss will automatically import _variables-dark.scss. If you were already importing _variables-dark.scss manually, you should keep doing it as it won't break anything and will be the way to go in v6.
Fixed a regression in the selector engine that wasn't able to handle multiple IDs anymore.
Color modes
Badges now use the .text-bg-* text utilities to be certain that the text is always readable (especially when the customized colors are different in light and dark modes).
Fixed our color-modes.js script to handle the case where the OS is set to light mode and the auto color mode is used on the website. If you copied the script from our docs, you should apply this change to your own script.
Fixed color schemes description in the color modes documentation to show that color-scheme() only accepts light and dark values as parameters.
Miscellaneous
Allowed <dl>, <dt> and <dd> in the sanitizer.
Dropped evenly items distribution for modal and offcanvas headers.
Fixed the accordion CSS selectors to avoid inheritance issues when nesting accordions.
Fixed the focus box-shadow for the validation stated form controls.
Fixed the focus ring on focused checked buttons.
Fixed the product example mobile navbar toggler.
Changed the RTL processing of carousel control icons.
🎨 CSS
#37508: Use child combinators to avoid inheriting parent accordion's flush styles
#38719: Fix focus box-shadow for validation stated form-controls
Added better configurability for comment scrubbing default behavior
Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
Added better handling and readability of the nodeType property, thanks @ssi02014
Fixed some smaller issues in README and other documentation
DOMPurify 3.1.2
Addressed and fixed a mXSS variation found by @kevin-mizu
Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
Updated tests for older Safari and Chrome versions
DOMPurify 3.1.1
Fixed an mXSS sanitiser bypass reported by @icesfont
Added new code to track element nesting depth
Added new code to enforce a maximum nesting depth of 255
Added coverage tests and necessary clobbering protections
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
DOMPurify 3.1.0
Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
Updated README to warn about happy-dom not being safe for use with DOMPurify yet
Updated the LICENSE file to show the accurate year number
Updated several build and test dependencies
DOMPurify 3.0.11
Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T
DOMPurify 3.0.10
Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser
Updated dependencies, notably tough-cookie, which no longer prints a deprecation warning.
Version 25.0.0
This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.
This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.
This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.
Version 24.1.3
Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).
Version 24.1.2
Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)
Version 24.1.1
Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)
Version 24.1.0
Added the getSetCookie() method to the Headers class. (ushiboy)
Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
Updated rweb-cssom, which can now parse additional CSS constructs.
Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.
Additionally:
Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.
Version 23.2.0
This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.
There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.
Version 23.1.0
Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
Added the string-valued ARIA attribute-reflecting properties to Element.
Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
Updated various dependencies, including cssstyle which contains several bug fixes.
Version 23.0.1
Fixed the incorrect canvas peer dependency introduced in v23.0.0.
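Bumps the dev-dependencies group with 19 updates in the / directory:
@braintree/sanitize-url: 6.0.3 to 7.1.0
@fortawesome/fontawesome-free: 6.2.1 to 6.6.0
@popperjs/core: 2.11.6 to 2.11.8
bootstrap: 5.2.3 to 5.3.3
dompurify: 2.4.3 to 3.1.6
isomorphic-dompurify: 0.26.0 to 2.15.0
jquery: 3.6.3 to 3.7.1
jsdom: 21.1.0 to 25.0.1
autoprefixer: 10.4.13 to 10.4.20
copy-webpack-plugin: 11.0.0 to 12.0.2
css-loader: 6.7.3 to 7.1.2
html-loader: 4.2.0 to 5.1.0
5.5.0 to 5.6.0
2.7.2 to 2.9.1
7.0.2 to 8.1.1
1.57.1 to 1.79.3
13.2.0 to 16.0.2
5.76.0 to 5.94.0
4.11.1 to 5.1.0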
Updates
@braintree/sanitize-url from 6.0.3 to 7.1.0
Release notes
Sourced from @braintree/sanitize-url's releases.
Changelog
Sourced from @braintree/sanitize-url's changelog.
Commits
cdd33eb 7.1.0
4d7ed87 Update changelog for 7.1.0
820d51c Revised implementation (#77)
ec9925c 7.0.4
83e5336 chore: update changelog
530c932 Update to get-func-name v2.0.2 (#74)
e95af7a 7.0.3
db96dd3 chore: update changelog
83128d6 Merge pull request #76 from braintree/dependabot/npm_and_yarn/braces-3.0.3
536a053 Update CHANGELOG.md
Updates
@fortawesome/fontawesome-free from 6.2.1 to 6.6.0
Release notes
Sourced from @fortawesome/fontawesome-free's releases.
Commits
37eff7f Release 6.6.0 (#20295)
138f8c3 Update 000_icon_request.yml
05235ab Updating Icon Request Template (#20275)
c0f460d Release 6.5.2 (#20179)
a1232e3 Delete case-sensitive faTshirt duplicate (#20073)
dcdc48a Update contributing guidelines (#20028)
deeea78 Release 6.5.1 (#20031)
2885a3c Move files out of the free directory
8302f1c Release 6.5.0 (#20016)
f0c2583 Release 6.4.2 (#19842)
Updates
@popperjs/core from 2.11.6 to 2.11.8
Commits
9219508 v2.11.8
5347b2f chore: [Popper] remove process.env (#2296)
0654654 v2.11.7
5029579 fix: Use correct window to get the devicePixelRatio (#2229)
2893e9a fix: error with user-agent brand not being an array (#1968)
Updates
bootstrap from 5.2.3 to 5.3.3
Release notes
Sourced from bootstrap's releases.
... (truncated)
Commits
6e1f75f Release v5.3.3 (#39524)
3caef2b Build(deps-dev): Bump terser from 5.27.1 to 5.27.2 (#39690)
4abac9b Build(deps-dev): Bump ip from 2.0.0 to 2.0.1 (#39691)
c396a2a Build(deps-dev): Bump sass from 1.70.0 to 1.71.0 (#39684)
c9a8a40 Build(deps-dev): Bump rollup from 4.9.6 to 4.12.0 (#39683)
6aecb37 Build(deps-dev): Bump eslint-plugin-html from 7.1.0 to 8.0.0 (#39672)
4081168 Build(deps-dev): Bump terser from 5.27.0 to 5.27.1 (#39682)
4605d71 Build(deps-dev): Bump postcss from 8.4.34 to 8.4.35 (#39673)
08eeee3 Build(deps-dev): Bump lockfile-lint from 4.12.1 to 4.13.1 (#39675)
f92d635 Build(deps-dev): Bump eslint-plugin-unicorn from 51.0.0 to 51.0.1 (#39676)
Updates
dompurify from 2.4.3 to 3.1.6
Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
4083a90 Merge pull request #978 from cure53/main
90a10a1 fix: Fixed a typo on the README
65df042 chore: Preparing 3.1.6 release
6e03334 fix: Made sure that remove() is not called directly from node
00fc06c fix: Fixed a DOM clobbering issue leading to an error being thrown
f8c2ef5 Merge pull request #977 from cure53/dependabot/npm_and_yarn/multi-99ca4f73d8
e5112ec build(deps): bump ws and socket.io-adapter
9978cec docs: Added better security warning about SAFE_FOR_XML to README
fa542df fix: Changed the order for attribute checks slightly for safer hooks
b8b552c Merge pull request #975 from cure53/dependabot/npm_and_yarn/multi-2d3aef8690
Updates
isomorphic-dompurify from 0.26.0 to 2.15.0
Release notes
Sourced from isomorphic-dompurify's releases.
... (truncated)
Commits
218feb1 Preparing for the release.
114c8d5 Merged changes from remote.
6ab7256 Switched from Jest to Vitest for testing.
6249bda Merge pull request #281 from kkomelin/dependabot/npm_and_yarn/jsdom-25.0.0
79ae327 Bump jsdom from 24.1.1 to 25.0.0
4e425cb Merge pull request #280 from kkomelin/dependabot/npm_and_yarn/terser-5.31.6
0eaad9f Bump terser from 5.31.4 to 5.31.6
8002723 Merge pull request #278 from kkomelin/dependabot/npm_and_yarn/terser-5.31.4
b13d627 Bump terser from 5.31.3 to 5.31.4
5d002d2 Updated dependencies.
Updates
jquery from 3.6.3 to 3.7.1
Release notes
Sourced from jquery's releases.
Commits
f79d5f1 3.7.1
399b201 Release: revert change that broke release
f85d521 Release: update authors
763ade6 Build: Generate the slim build on grunt & run compare_size on it
a288838 CSS: Make the reliableTrDimensions support test work with Bootstrap CSS (3.x ...
87467a6 Selector: Only attach the unload handler in IE & Edge Legacy
3c18c1f Build: Make sure *.cjs & *.mjs files use UNIX line endings as well
72ae577 Build: switch preferred email for timmywil
a370d7d Build: Build: Bump actions/checkout from 3.5.2 to 3.5.3
4a29888 Docs: Fix typos found by codespell
Updates
jsdom from 21.1.0 to 25.0.1
Release notes
Sourced from jsdom's releases.
... (truncated)
Changelog
Sourced from jsdom's changelog.
... (truncated)
Commits
04541b3 Version 25.0.1
96bd111 Update dependencies and dev dependencies
d08440c Upgrade tough-cookie to v5.0.0
c53efc8 Version 25.0.0
784c8a5 Set EventTarget.prototype to the jsdom's Object.prototype
0314f1e Version 24.1.3
46d5d5c Fix postMessage referenced as a bare property
a241df6 Version 24.1.2
c3a9aed Remove upstreamed WPTs
07fab37 Refactor Window object setup code
Updates
autoprefixer from 10.4.13 to 10.4.20
Release notes
Sourced from autoprefixer's releases.
Changelog
Sourced from autoprefixer's changelog.
Commits
dae6eb4 Release 10.4.20 version
ee43652 Fix fit-content for Firefox
cf80824 Update dependencies
49d5ec6 Move to pnpm 9
8060e33 Release 10.4.19 version
fe7bae4 Remove end→flex-end warning
5f6f362 Update dependencies
13a86df Move to flat ESLint config
b3e0579 Update dependencies
90dc18d Release 10.4.18 version
Updates
copy-webpack-plugin from 11.0.0 to 12.0.2
Release notes
Sourced from copy-webpack-plugin's releases.
Changelog
Sourced from copy-webpack-plugin's changelog.
Commits
64d67ec chore(release): 12.0.2
a7379a9 fix: improve perf (#764)
7ee03c9 build: set targets to node 18 in babel.config.js (#762)
b4f5ec0 chore(release): 12.0.1
55036ab fix: improve perf (#760)
f2a5db3 chore(release): 12.0.0
a5b7d06 chore!: minimum supported Node.js version is 18.12.0 (#759)
74a3666 chore: update dependencies to latest version (#757)
9d2ce6e chore: update github action/setup-node (#754)
40a5203 chore: update dependencies to the latest version (#753)
Updates
css-loader from 6.7.3 to 7.1.2
Release notes
Sourced from css-loader's releases.
... (truncated)
Changelog
Sourced from css-loader's changelog.
... (truncated)
Commits
d5ba44a chore(release): 7.1.2
76757ef fix: keep order of @imports with the webpackIgnore comment (#1600)
4b41689 ci: use node v22 (#1596)
2068222 chore: update dependencies to latest version (#1595)
e006f66 refactor: use environment to get templateLiteral value (#1591)
5c717c9 chore(release): 7.1.1
d6c31a1 fix: automatically rename class default to _default when named export is ...
b162e25 chore(release): 7.1.0
15f793d docs: update logic (#1587)
9c165a4 docs: update migration guide (#1586)
Updates
html-loader from 4.2.0 to 5.1.0
Release notes
Sourced from html-loader's releases.
Changelog
Sourced from html-loader's changelog.
Commits
5c7b5cd chore(release): 5.1.0
Looks like these dependencies are updatable in another way, so this is no longer needed.