The Bootstrap Blog

News and announcements for all things Bootstrap, including new releases and Bootstrap Themes.

Bootstrap 3.4.1 and 4.3.1

Today we’re shipping Bootstrap v4.3.1 and v3.4.1 to patch an XSS vulnerability, CVE-2019-8331. Also included in v4.3.1 is a small fix to some RFS (responsive font sizes) mixins that were added in v4.3.0.

Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.

To resolve the issue, we’ve implemented a new JavaScript sanitizer to only allow whitelisted HTML elements in data attributes. You may modify our sanitization implementation to customize the HTML element whitelist, totally disable the sanitization, or pass your own sanitize function (useful if you use your own library). However, for added protection, there is no way to modify the sanitization via data attributes—you must modify these plugin options via the JavaScript API.
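A model of the behaviour described above, as an added example that is not Bootstrap's own code: an allowlist pass over a parsed template, plus option merging that ignores sanitizer settings coming from data attributes. The option names sanitize, sanitizeFn and whiteList are Bootstrap's; the tree representation, the function names, the allowlist contents and the sample template are assumptions made for illustration.

```javascript
// Added example: a model of allowlist sanitization, not Bootstrap's own source.
// Nodes are plain objects {tag, attrs, children}; strings are text nodes.
const DEFAULT_ALLOW = {
  '*': ['class', 'id', 'role', /^aria-[\w-]*$/i], // allowed on every element
  a: ['href', 'title', 'rel', 'target'],
  img: ['src', 'alt', 'title'],
  div: [], span: [], h3: [], p: [], b: [], i: [],
};
const URI_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
// Options that are honoured only when set from JavaScript, never from data-*.
const JS_ONLY_OPTIONS = ['sanitize', 'sanitizeFn', 'whiteList'];
function isSafeUrl(value) {
  // Browsers ignore whitespace and control characters when reading the scheme.
  const compact = value.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  return !scheme || SAFE_SCHEMES.has(scheme[1].toLowerCase());
}
function attrAllowed(tag, name, value, allow) {
  const rules = [...(allow['*'] || []), ...(allow[tag] || [])];
  const listed = rules.some(r => (r instanceof RegExp ? r.test(name) : r === name));
  return listed && (!URI_ATTRS.has(name) || isSafeUrl(value));
}
function sanitizeTree(node, allow = DEFAULT_ALLOW) {
  if (typeof node === 'string') return node; // text nodes carry no markup
  const tag = node.tag.toLowerCase();
  if (tag === '*' || !Object.prototype.hasOwnProperty.call(allow, tag)) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {}))
    if (attrAllowed(tag, name.toLowerCase(), String(value), allow)) attrs[name] = value;
  const children = (node.children || []).map(c => sanitizeTree(c, allow));
  return { tag, attrs, children: children.filter(c => c !== null) };
}
function resolveOptions(defaults, dataAttrs, jsOptions) {
  const fromData = { ...dataAttrs };
  for (const key of JS_ONLY_OPTIONS) delete fromData[key]; // ignore markup overrides
  return { ...defaults, ...fromData, ...jsOptions };
}
function renderTemplate(tree, options) {
  if (!options.sanitize) return tree; // explicit opt-out
  return options.sanitizeFn ? options.sanitizeFn(tree) : sanitizeTree(tree, options.whiteList);
}

// Constructed sample: a tooltip template carrying markup outside the allowlist.
const SAMPLE = { tag: 'div', attrs: { class: 'tooltip', role: 'tooltip', onclick: 'x()' }, children: [
  { tag: 'script', attrs: {}, children: ['x()'] },
  { tag: 'a', attrs: { href: 'java\tscript:x()', title: 'more' }, children: ['more'] },
  { tag: 'div', attrs: { class: 'tooltip-inner', 'aria-live': 'polite' }, children: [] },
] };
```

Passing { sanitize: false } as a data attribute leaves sanitization on; the same setting passed as a JavaScript option turns it off, which is the split the paragraph above describes.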

Those who have modified the default templates, please read the new v4.3 sanitizer docs or the new v3.4 sanitizer docs.

In light of this vulnerability, we’re also auditing our security reporting workflows to ensure they’re up to date. This will include steps like adding a SECURITY.md file to our repository and ensuring our private channels and processes are up to date and documented with the team.

Thank you to poiu for reporting the vulnerability to the Bootstrap Drupal project and Mark Carver from the Bootstrap Drupal project for responsibly disclosing the issue to us. Also a massive thank you to @Johann-S, @Xhmikosr, and @bardiharborow on our team for the fast turnaround on today’s releases.

<3,
@mdo & team

Bootstrap 4.3.0

Bootstrap v4.3 has landed with over 120 combined closed issues and merged pull requests. This release brings improvements to our utilities, some prep work for moving on to v5’s development, and the standard bug fixes and documentation updates.

During our last release, we shared a small preview of where we’re taking the project next. That’s getting clearer in the coming weeks as our attention turns towards embracing Hugo for ultra fast docs development, removing jQuery in favor of regular JavaScript, and addressing our growing code base.

Keep reading for v4.3 highlights, and see you soon with more details on v5!

Highlights

We’ve added some new utilities and deprecated some unused code. Here are the key changes in v4.3, broken down by new, improved, fixed, and deprecated.

  • New: Added .stretched-link utility to make any anchor the size of its nearest position: relative parent, perfect for entirely clickable cards!
  • New: Added .text-break utility for applying word-break: break-word
  • New: Added .rounded-sm and .rounded-lg for small and large border-radius.
  • New: Added .modal-dialog-scrollable modifier class for scrolling content within a modal.
  • New: Added responsive .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
  • Improved: Reduced our compiled CSS by using null for variables that by default inherit their values from other elements (e.g., $headings-color was inherit and is now null until you modify it in your custom CSS).
  • Improved: Badge focus styles now match their background-color like our buttons.
  • Fixed: Silenced bad selectors in our JS plugins for the href HTML attribute to avoid JavaScript errors. Please try to use valid selectors or the data-target HTML attribute/target option where available.
  • Fixed: Reverted v4.2.1’s change to the breakpoint and grid container Sass maps that blocked folks from upgrading when modifying those default variables.
  • Fixed: Restored white-space: nowrap to .dropdown-toggle (before v4.2.1 it was on all .btns) so carets don’t wrap to new lines.
  • Deprecated: img-retina, invisible, float, and size mixins are now deprecated and will be removed in v5.

Check out the full v4.3.0 ship list and GitHub project for the full details.

Head to the v4.3.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.

Introducing responsive font sizes

Our biggest new addition to Bootstrap in v4.3 is responsive font sizes, a new project in the Bootstrap GitHub org to automatically calculate an appropriate font-size based on the dimensions of a visitor’s device or browser viewport. Here’s how it works:

  • All font-size properties have been switched to the @include font-size() mixin. Our Stylelint configuration now prevents the usage of the font-size property.

  • Disabled by default, you can opt into this new behavior by toggling the $enable-responsive-font-sizes boolean variable.

  • font-sizes are entirely configurable via Sass. Be sure to read the docs for how to modify the scales, variables, and more.

While responsive font-sizes are disabled by default, we’ve enabled them in the custom CSS that powers our docs starting with v4.3. Please share feedback with us via GitHub issues or on Twitter. We’ve added some light guidance to our Typography docs to explain the feature. You can also learn more by reading the rfs project documentation.

Open Collective

Last December we launched our Open Collective page with our v3.4 release to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.

Branches, Hugo, and jQuery

Right after shipping v4.3, we’ll be tackling a few key changes on our road to active v5 development. These are larger changes to how we maintain and develop Bootstrap and are considered foundational for v5.

  • Improving our branches for development. master will become our new v3-dev branch. v4-dev will stay as-is, but we’ll cut a new master branch from there to develop v5.

  • We’re moving to Hugo! Jekyll has been great, but it’s starting to slow us down in local development. We’ll be making changes to our dependencies to support this move, and there’s already a pull request in progress and near completion for the change. Follow along to see what’s changing.

  • We’re dropping jQuery for regular JavaScript. The cat is out of the bag—we’re dropping our largest client-side dependency for regular JavaScript. Similar to the Hugo move, we’ve been working on this for a long time and have a pull request in progress and near completion.

We’ll have even more to share soon around v5’s plans after we tackle these bigger items. In the meantime, keep the feedback coming on GitHub and Twitter!

<3,
@mdo & team

Bootstrap 4.2.1

Look out world, we’re shipping Bootstrap v4.2.1 with a slew of new features, bug fixes, and docs updates. On the new features side, we have spinners, toasts, switches, and (finally!) touch support in the carousel. That’s just the tip of the iceberg though.

Heads up! v4.2.0 was incorrectly published to npm, so we’ve had to immediately turn around a v4.2.1 release. npm i bootstrap@latest should now return 4.2.1. Apologies for the inconvenience!

We’ve crammed months of work into v4.2.1 with over 400 commits since our last v4.1.3 release. As mentioned in our v3.4.0 release last week, we’re working to decouple our releases from my direct involvement to improve the shipping cadence. Expect more improvements there in 2019.

Keep reading for highlights and some insight into how we’re getting to v4.3 quickly, and then into v5 (woo!).

What’s new

Here are the highlights of what’s new and updated in v4.2.1.

  • New: Added a new spinner loading component.
  • New: Added new toast component for displaying notifications.
  • New: Added a new iOS style switch (a modifier class to our custom checkboxes).
  • New: Added touch support in our carousel component.
  • New: Added .font-weight-lighter and .font-weight-bolder utilities.
  • New: Added .text-decoration-none utility class.
  • New: Added .modal-xl modifier class for our modals.
  • New: Added new negative margin utility classes (e.g., .mb-n3). These rad new classes not only allow you more control over your general spacing needs, but also allow you to create responsive grid gutters at each breakpoint.
  • New: Validated form fields now have feedback icons on :invalid and :valid fields. Disable them with the $enable-validation-icons boolean Sass variable (defaults to true).
  • New: Added a new versions page to our docs.
  • New: Tooltips/Popovers work with Shadow DOM.
  • Updated: Redesigned the custom checkboxes and radios for more obvious states.
  • Updated: bootstrap-grid.css now includes our margin and padding utilities for full control of our grid system.
  • Updated: Changed auto columns (e.g., .col-auto) from max-width: none to max-width: 100% to prevent content from causing a column to overflow the parent.
  • Updated: Improved rendering of custom selects, ranges, file input, and more.

Check out the full v4.2.0 ship list and GitHub project for the full details. Up next is v4.3 with some bugfixes, a few new modifier classes and variables, and some new utilities.

Head to the v4.2 docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.

What’s next

We have v4.3 already planned, so that’s our immediate focus. However, while we’re developing that in the v4-dev branch, we’ll be getting our plans in order for a v5 release.

Bootstrap 5 will not feature drastic changes to the codebase. While I tweeted about the earnestness to move to PostCSS years ago, we’ll still be on Sass for v5. Instead, we’ll focus our efforts on removing cruft, improving existing components, and dropping old browsers and our jQuery dependency. There are also some updates to our v4.x components we cannot make without causing breaking changes, so v5 feels like it’s coming at the right time for us.

Stay tuned for a preview of the plans for v5 in the new year. We’ll share via an issue, ask for feedback, and then settle in to development mode.

Happy holidays, and happy new year to everyone! Thanks for continuing to make Bootstrap an amazing project and community.

<3,
@mdo & team

Bootstrap 3.4.0

That’s not a typo—today we’re shipping Bootstrap 3.4.0, a long overdue update to address some quality of life issues, XSS fixes, and build tooling updates to make it easier for us, and you, to develop.

While we’d planned for ages to do a fresh v3.x update, we lost steam as energy was focused on all the work in v4. Early this year, one issue in particular gained a ton of momentum from the community and the core team decided to do a huge push to pull together a solid release. I regret the time it took to pull this release together, especially given the security fixes, but with the improvements under the hood, v3 has never been easier to develop and maintain. Thanks for your continued support along the way!

Keep reading for what’s changed and a look ahead at what’s coming in v4.2.0.

What’s new

While we haven’t publicly worked on v3.x in years, we’ve heard from all of you during that time that we needed to do a new release to address

  • New: Added a .row-no-gutters class.
  • New: Added docs searching via Algolia.
  • Fixed: Resolved an XSS issue in Alert, Carousel, Collapse, Dropdown, Modal, and Tab components. See https://snyk.io/vuln/npm:bootstrap:20160627 for details.
  • Fixed: Added padding to .navbar-fixed-* on modal open
  • Fixed: Removed the double border on <abbr> elements.
  • Removed Gist creation in web-based Customizer since anonymous gists were disabled long ago by GitHub.
  • Removed drag and drop support from Customizer since it didn’t work anymore.

Our documentation and tooling saw massive updates as well to make it easier to work on v3.x, for ourselves and for you.

  • Added a dropdown to the docs nav for newer and previous versions.
  • Updated the docs to use a new baseurl, /docs/3.4/, to version the v3.x documentation like we do with v4.
  • Reorganized the v3 docs CSS to use Less.
  • Switched to BrowserStack for tests.
  • Updated links to always use https and fix broken URLs.
  • Replaced ZeroClipboard with clipboard.js

Head to the Bootstrap 3.4 docs to see the latest in action. Check out the v3.4.0 pull request for even more context on what’s changed.

Upgrading

Upgrade your Bootstrap 3 projects to v3.4.0 with npm i bootstrap@previous or npm i bootstrap@3.4.0. This release won’t be available via Bower to start given the package manager was deprecated and has largely been unused by us in v4 for well over a year. Stay tuned for CDN and Rubygem updates.

Open Collective

Also new with our v3.4 is the creation of an Open Collective page to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.

v4.2 and beyond

We’ve been working on a huge v4.2 update for several months now. Our attention has largely been on advancing the project and simplifying its dependencies, namely by removing our jQuery dependency. That work has sparked a keen interest in a moderately scoped v5 release, so we’ve been taking our sweet time with v4.2 to sneak in as many new features as we can.

After we ship v4.2, we’ll plan for point releases to address any bugs and improvements as y’all start to use the new version. From there, we’ll start to share more plans on v5 to remove jQuery, drop support for older browsers, and clear up some cruft. This won’t be a sweeping rewrite, but rather an iterative improvement on v4. Stay tuned!

<3,
@mdo & team

Bootstrap 4.1.3

Hot on the heels of v4.1.2, we’re shipping another patch release to address an issue with our browserslist config, fix some CSS bugs, make JavaScript plugins UMD ready, and improve form control rendering. Up next will be v4.2, our second minor release where we add some new features.

But first, here are the highlights for v4.1.3. Pay attention to the change to .form-controls which adds a new fixed height.

  • Fixed: Moved the browserslist config from our package.json to a separate file to avoid unintended inherited browser settings across npm projects.
  • Fixed: Removed the :not(:root) selector from our svg Reboot styles, resolving an issue that caused all inline SVGs to ignore vertical-align styles via single class due to higher specificity.
  • Fixed: Buttons in custom file inputs are once again clickable when focused.
  • Improved: Bootstrap’s plugins can now be imported separately in any contexts because they are now UMD ready.
  • Improved: .form-controls now have a fixed height to compensate for differences in computed height across different types. This also fixes some IE alignment issues.
  • Improved: Added Noto Color Emoji to our system font stack for better rendering in Linux OSes.

Check out the full v4.1.3 ship list and GitHub project for the full details. Up next is v4.2, so stay tuned for some awesome new features like toasts, dismissible badges, negative margins (responsive grid gutters!), spinners, and more!

Head to the v4.1.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.

<3,
@mdo & team