Skip to content

Update bootstrap to 3.4.1 #6923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kevin-brown merged 1 commit into from
Nov 11, 2019
Merged

Update bootstrap to 3.4.1 #6923

kevin-brown merged 1 commit into from
Nov 11, 2019

Conversation

@Maxyme
Copy link
Contributor

@Maxyme Maxyme commented Sep 10, 2019
edited
Loading

Update bootstrap to 3.4.1 to fix XSS vulnerability, CVE-2019-8331:
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Issue reference: #6871

@lovelydinosaur
Copy link
Contributor

lovelydinosaur commented Oct 1, 2019

Thanks!

@encode/django-rest-framework - we ought to validate the SHA of the .min.js against the hosted file whenever we're updating a dependency like this.

I'm happy to make time for this or to have someone else take it on - what are our thoughts (if any) on timings for the next release?

@jeremystretch jeremystretch mentioned this pull request Oct 9, 2019
Closed
@shrew4u2do
Copy link

shrew4u2do commented Oct 30, 2019

+1 for merging this one in

@jpadilla
Copy link
Contributor

jpadilla commented Oct 30, 2019

Regarding #6923 (comment), a possible approach to process here would be to have a bash script with versions/urls pointing to dependency sources. In order to update one of these dependencies, we would update the version/url and run script to download. Same script could be run in CI to compare SHAs. I could help with introducing something like this.

--

$ curl -s https://raw.githubusercontent.com/encode/django-rest-framework/d6c24df9679cad1402243e90e565fea468b5a121/rest_framework/static/rest_framework/js/bootstrap.min.js | shasum -a 256
9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe  -

$ curl -s https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js | shasum -a 256
9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe  -

@kevin-brown kevin-brown merged commit 8988afa into encode:master Nov 11, 2019
@Maxyme Maxyme deleted the update_bootstrap_3_4_1 branch November 25, 2019 20:50
rubendv pushed a commit to Awingu/django-rest-framework that referenced this pull request Aug 11, 2020
@Maxyme @rubendv
Update bootstrap to 3.4.1 (encode#6923)
9ebd3fa
pchiquet pushed a commit to pchiquet/django-rest-framework that referenced this pull request Nov 17, 2020
@Maxyme
Update bootstrap to 3.4.1 (encode#6923)
44a42b9
sigvef pushed a commit to sigvef/django-rest-framework that referenced this pull request Dec 3, 2022
@Maxyme @sigvef
Update bootstrap to 3.4.1 (encode#6923)
5dde949
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@auvipy auvipy auvipy approved these changes

+1 more reviewer

@jpadilla jpadilla jpadilla approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.11 Release

Development

Successfully merging this pull request may close these issues.

6 participants

@Maxyme @lovelydinosaur @shrew4u2do @jpadilla @auvipy @kevin-brown