yiisoft / yii2-bootstrap4

Yii 2 Bootstrap 4 Extension
https://www.yiiframework.com/
BSD 3-Clause "New" or "Revised" License

Security Issue: Update Bootstrap 4.5 #194

Closed vAlmaraz closed 4 years ago

vAlmaraz commented 4 years ago

What steps will reproduce the problem?

Check composer.json. It uses Bootstrap 4.3, which loads jquery 3.3.1:

> jQuery 3.3.1: The fingerprinted component version is outdated and vulnerable to publicly known vulnerabilities. Urgently update to the most recent version 3.5.1.
>
> | CVSSv3.0 Score | Vulnerability CVE-ID | Vulnerability Type |
> |---|---|---|
> | 5.5 Medium | CVE-2020-11022 | CWE-79: Cross-site scripting |
> | 4.8 Medium | CVE-2019-11358 | CWE-400: Prototype pollution |
> | 4.2 Medium | CVE-2020-11023 | CWE-79: Cross-site scripting |

What's expected?

Update to Bootstrap 4.5 so it loads jquery 3.5.1

What do you get instead?

Jquery 3.3.1

YiiRocks commented 4 years ago

This is not the package blocking your update.

```json
"npm-asset/bootstrap": "^4.3" // >=4.3.0 <5.0.0
```

Bootstrap 4.5.0 can be installed just fine already.

YiiRocks commented 4 years ago

```
composer show | grep 'bootstrap\|jquery'
bower-asset/jquery                    3.5.1
bower-asset/jquery-ui                 1.12.1
npm-asset/bootstrap                   4.5.0
yiisoft/yii2-bootstrap4               2.0.8              The Twitter Bootstrap extension for the Yii framework
```

vAlmaraz commented 4 years ago

Thank you.

Anyway, I suggest updating the minimum required version, in order to prevent users from installing an insecure jQuery library.

Kind regards

rob006 commented 4 years ago

> Anyway, I suggest updating the minimum required version, in order to prevent users from installing an insecure jQuery library.

This package does not explicitly require jQuery. Using more restrictive constraints will only prevent updating this library (if someone has locked jQuery to an old version, Composer will use an old version of yiisoft/yii2-bootstrap4 during dependency resolution).
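Two things in this thread are worth being able to check mechanically rather than by eye: that a caret constraint such as `"^4.3"` really does admit Bootstrap 4.5.0 (YiiRocks's point), and that the jQuery version actually locked in a project is at or above the 3.5.1 the scanner asks for (vAlmaraz's report). The script below is an added example written for this page; it is not code from yiisoft/yii2-bootstrap4 or from Composer. It implements a three-component approximation of Composer's caret semantics (enough for `^4.3`, `^0.3`, `^1.2.3`; it does not handle stability flags, `~`, `||` or wildcards) and parses the plain `composer show` output format quoted above. The sample output and the single 3.3.1 line are constructed for the demonstration; the 3.5.1 minimum is the version the quoted advisory names.

```python
"""Check Composer caret ranges and audit `composer show` output for an outdated jQuery."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed sample: the `composer show | grep` lines quoted in the issue.
SAMPLE_SHOW_OUTPUT = """\
bower-asset/jquery                    3.5.1
bower-asset/jquery-ui                 1.12.1
npm-asset/bootstrap                   4.5.0
yiisoft/yii2-bootstrap4               2.0.8              The Twitter Bootstrap extension for the Yii framework
"""

# Minimum version per package, taken from the advisory quoted in the issue
# (jQuery 3.5.1). Extend this map with other packages as needed.
MIN_SAFE: Dict[str, str] = {"bower-asset/jquery": "3.5.1"}


def parse_version(text: str) -> Version:
    """Turn '4.3', 'v3.5.1' or '1' into a zero-padded (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def caret_range(constraint: str) -> Tuple[Version, Version]:
    """Approximate Composer's caret: '^4.3' -> (>=4.3.0, <5.0.0), '^0.3' -> (>=0.3.0, <0.4.0).

    The upper bound bumps the leftmost non-zero component among those written
    in the constraint; if every written component is zero, the last one is bumped.
    """
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled here")
    raw = constraint[1:]
    lower = parse_version(raw)
    written = raw.count(".") + 1  # '^4.3' writes two components
    idx = next((i for i, p in enumerate(lower[:written]) if p != 0), written - 1)
    upper = list(lower)
    upper[idx] += 1
    for j in range(idx + 1, 3):
        upper[j] = 0
    return lower, (upper[0], upper[1], upper[2])


def satisfies(version: str, constraint: str) -> bool:
    """True when `version` lies inside the half-open range of a caret constraint."""
    lower, upper = caret_range(constraint)
    return lower <= parse_version(version) < upper


def parse_composer_show(text: str) -> Dict[str, str]:
    """Map package name -> installed version from plain `composer show` lines.

    Each line starts with the package name, then whitespace, then the version;
    any trailing description is ignored.
    """
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)", line)
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def find_outdated(installed: Dict[str, str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, minimum) for every tracked package below its minimum."""
    findings = []
    for name, minimum in sorted(minimums.items()):
        if name in installed and parse_version(installed[name]) < parse_version(minimum):
            findings.append((name, installed[name], minimum))
    return findings


if __name__ == "__main__":
    lo, hi = caret_range("^4.3")
    print(f'"^4.3" means >={".".join(map(str, lo))} <{".".join(map(str, hi))}')
    print("4.5.0 allowed by ^4.3:", satisfies("4.5.0", "^4.3"))
    print("outdated in sample:", find_outdated(parse_composer_show(SAMPLE_SHOW_OUTPUT), MIN_SAFE))
    # Constructed line showing the version the issue reporter saw.
    print("outdated with 3.3.1:", find_outdated({"bower-asset/jquery": "3.3.1"}, MIN_SAFE))
```

To use it against a real project, pipe `composer show` into `parse_composer_show` and keep `MIN_SAFE` in step with the advisories you track; the check is deliberately separate from the constraint logic because, as rob006 notes, the version that ends up installed is decided by the whole dependency graph and the lock file, not by any single package's constraint.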