Today we’re formally announcing our Long Term Support plan, a documented approach aimed at strengthening the stability and frequency of releases. As part of this initiative, each major version of Bootstrap will receive at least six months of support after it is retired, followed by six months of critical bug fixes and security updates.
Starting today, Bootstrap 3 will move to end of life, and will no longer receive critical security updates.
Bootstrap 4 will move to Long Term Support after we release v4.4 and will no longer receive new features from then on. It will continue to receive bug fixes, security updates, and documentation updates.
Bootstrap 5 is under active development. You can follow our progress on GitHub.
A special thanks to @XhmikosR for his tireless work in pushing us forward.
Today we’re shipping Bootstrap v4.3.1 and v3.4.1 to patch an XSS vulnerability, CVE-2019-8331. Also included in v4.3.1 is a small fix to some RFS (responsive font sizes) mixins that were added in v4.3.0.
Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.
To resolve the issue, we’ve implemented a new JavaScript sanitizer to only allow whitelisted HTML elements in data attributes. You may modify our sanitization implementation to customize the HTML element whitelist, totally disable the sanitization, or pass your own sanitize function (useful if you use your own library). However, for added protection, there is no way to modify the sanitization via data attributes—you must modify these plugin options via the JavaScript API.
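As an added illustration (not Bootstrap's source code), the sketch below models the allowlist filtering described above on a tree of plain objects standing in for parsed elements, and shows sanitizer settings being ignored when they arrive through data attributes. sanitize, sanitizeFn and whiteList are the option names used in Bootstrap's documentation; the allowlist contents, URL pattern, helper names and sample template are assumptions made for the example.

```javascript
// Added illustration, not Bootstrap's source. Parsed elements are modelled as
// plain objects: { tag, attrs: { name: value }, children: [node | string] }.
const ALLOW_LIST = { // hypothetical allowlist: tag -> permitted attributes
  '*': ['class', 'id', 'role', /^aria-[\w-]*$/i],
  a: ['href', 'title', 'target'],
  img: ['src', 'alt', 'title', 'width', 'height'],
  div: [], span: [], p: [], b: [], i: [], em: [], strong: [], br: [],
};
const URI_ATTRS = new Set(['href', 'src']);
// http(s), mailto, or a relative URL (no ':' before the first '/', '?' or '#').
const SAFE_URL = /^(?:https?:|mailto:|[^:]*(?:[\/?#]|$))/i;
const JS_ONLY = ['sanitize', 'sanitizeFn', 'whiteList']; // never read from data-*
const DEFAULTS = { sanitize: true, sanitizeFn: null, whiteList: ALLOW_LIST };

function attributeAllowed(name, value, rules) {
  const listed = rules.some((r) => (r instanceof RegExp ? r.test(name) : r === name));
  return listed && (!URI_ATTRS.has(name) || SAFE_URL.test(String(value)));
}

// Returns a cleaned copy, or null when the element and its subtree are dropped.
function sanitizeNode(node, allowList) {
  if (typeof node === 'string') return node; // text nodes carry no markup
  const tag = node.tag.toLowerCase();
  if (tag === '*' || !Object.prototype.hasOwnProperty.call(allowList, tag)) return null;
  const rules = [...(allowList['*'] || []), ...allowList[tag]];
  const attrs = {};
  for (const [rawName, value] of Object.entries(node.attrs || {})) {
    const name = rawName.toLowerCase();
    if (attributeAllowed(name, value, rules)) attrs[name] = value;
  }
  const children = (node.children || [])
    .map((child) => sanitizeNode(child, allowList))
    .filter((child) => child !== null);
  return { tag, attrs, children };
}

// Markup-supplied settings are merged minus the sanitizer keys; JS options win.
function resolveOptions(dataAttrs, jsOptions) {
  const fromMarkup = Object.entries(dataAttrs)
    .filter(([key]) => !JS_ONLY.includes(key));
  return { ...DEFAULTS, ...Object.fromEntries(fromMarkup), ...jsOptions };
}

function prepareTemplate(tree, options) {
  if (!options.sanitize) return tree; // filtering switched off by the caller
  if (typeof options.sanitizeFn === 'function') return options.sanitizeFn(tree);
  return sanitizeNode(tree, options.whiteList);
}

// Constructed sample: a tooltip template as it could arrive via data-template.
const SAMPLE = {
  tag: 'div', attrs: { class: 'tooltip', role: 'tooltip', onmouseover: 'handler()' },
  children: [
    { tag: 'a', attrs: { href: 'javascript:void(0)', title: 'docs' }, children: ['Docs'] },
    { tag: 'script', attrs: {}, children: ['/* inline script */'] },
    { tag: 'img', attrs: { src: '/logo.png', onerror: 'handler()' }, children: [] },
  ],
};
```

In the browser the tree comes from the browser's own HTML parser rather than hand-built objects; the filtering decision per element and per attribute is the part modelled here.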
In light of this vulnerability, we’re also auditing our security reporting workflows to ensure they’re up to date. This will include steps like adding a SECURITY.md file to our repository and ensuring our private channels and processes are up to date and documented with the team.
Bootstrap v4.3 has landed with over 120 combined closed issues and merged pull requests. This release brings improvements to our utilities, some prep work for moving on to v5’s development, and the standard bug fixes and documentation updates.
During our last release, we shared a small preview of where we’re taking the project next. That’s getting clearer in the coming weeks as our attention turns towards embracing Hugo for ultra fast docs development, removing jQuery in favor of regular JavaScript, and addressing our growing code base.
Keep reading for v4.3 highlights, and see you soon with more details on v5!
Highlights
We’ve added some new utilities and deprecated some unused code. Here are the key changes in v4.3, broken down by new, improved, fixed, and deprecated.
New: Added .stretched-link utility to make any anchor the size of its nearest position: relative parent, perfect for entirely clickable cards!
New: Added .text-break utility for applying word-break: break-word
New: Added .rounded-sm and .rounded-lg for small and large border-radius.
New: Added .modal-dialog-scrollable modifier class for scrolling content within a modal.
New: Added responsive .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
Improved: Reduced our compiled CSS by using null for variables that by default inherit their values from other elements (e.g., $headings-color was inherit and is now null until you modify it in your custom CSS).
Improved: Badge focus styles now match their background-color like our buttons.
Fixed: Silenced bad selectors in our JS plugins for the href HTML attribute to avoid JavaScript errors. Please try to use valid selectors or the data-target HTML attribute/target option where available.
Fixed: Reverted v4.2.1’s change to the breakpoint and grid container Sass maps that blocked folks from upgrading when modifying those default variables.
Fixed: Restored white-space: nowrap to .dropdown-toggle (before v4.2.1 it was on all .btns) so carets don’t wrap to new lines.
Deprecated: img-retina, invisible, float, and size mixins are now deprecated and will be removed in v5.
Head to the v4.3.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
Introducing responsive font sizes
Our biggest new addition to Bootstrap in v4.3 is responsive font sizes, a new project in the Bootstrap GitHub org to automatically calculate an appropriate font-size based on the dimensions of a visitor’s device or browser viewport. Here’s how it works:
All font-size properties have been switched to the @include font-size() mixin. Our Stylelint configuration now prevents the usage of font-size property.
Disabled by default, you can opt into this new behavior by toggling the $enable-responsive-font-sizes boolean variable.
font-sizes are entirely configurable via Sass. Be sure to read the docs for how to modify the scales, variables, and more.
While responsive font-sizes are disabled by default, we’ve enabled them in the custom CSS that powers our docs starting with v4.3. Please share feedback with us via GitHub issues or on Twitter. We’ve added some light guidance to our Typography docs to explain the feature. You can also learn more by reading the rfs project documentation.
Open Collective
Last December we launched our Open Collective page with our v3.4 release to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.
Branches, Hugo, and jQuery
Right after shipping v4.3, we’ll be tackling a few key changes on our road to active v5 development. These are larger changes to how we maintain and develop Bootstrap and are considered foundational for v5.
Improving our branches for development. master will become our new v3-dev branch. v4-dev will stay as-is, but we’ll cut a new master branch from there to develop v5.
We’re moving to Hugo! Jekyll has been great, but it’s starting to slow us down in local development. We’ll be making changes to our dependencies to support this move, and there’s already a pull request in progress and near completion for the change. Follow along to see what’s changing.
We’re dropping jQuery for regular JavaScript. The cat is out of the bag—we’re dropping our largest client-side dependency for regular JavaScript. Similar to the Hugo move, we’ve been working on this for a long time and have a pull request in progress and near completion.
We’ll have even more to share soon around v5’s plans after we tackle these bigger items. In the meantime, keep the feedback coming on GitHub and Twitter!
Look out world, we’re shipping Bootstrap v4.2.1 with a slew of new features, bug fixes, and docs updates. On the new features side, we have spinners, toasts, switches, and (finally!) touch support in the carousel. That’s just the tip of the iceberg though.
Heads up! v4.2.0 was incorrectly published to npm, so we’ve had to immediately turn around a v4.2.1 release. npm i bootstrap@latest should now return 4.2.1. Apologies for the inconvenience!
We’ve crammed months of work into v4.2.1 with over 400 commits since our last v4.1.3 release. As mentioned in our v3.4.0 release last week, we’re working to decouple our releases from my direct involvement to improve the shipping cadence. Expect more improvements there in 2019.
Keep reading for highlights and some insight into how we’re getting to v4.3 quickly, and then into v5 (woo!).
What’s new
Here are the highlights of what’s new and updated in v4.2.1.
New: Added new toast component for displaying notifications.
New: Added a new iOS style switch (a modifier class to our custom checkboxes).
New: Added touch support in our carousel component.
New: Added .font-weight-lighter and .font-weight-bolder utilities.
New: Added .text-decoration-none utility class.
New: Added .modal-xl modifier class for our modals.
New: Added new negative margin utility classes (e.g., .mb-n3). These rad new classes not only allow you more control over your general spacing needs, but also allow you to create responsive grid gutters at each breakpoint.
New: Validated form fields now have feedback icons on :invalid and :valid fields. Disable them with the $enable-validation-icons boolean Sass variable (defaults to true).
Updated: Redesigned the custom checkboxes and radios for more obvious states.
Updated: bootstrap-grid.css now includes our margin and padding utilities for full control of our grid system.
Updated: Changed auto columns (e.g., .col-auto) from max-width: none to max-width: 100% to prevent content from causing a column to overflow the parent.
Updated: Improved rendering of custom selects, ranges, file input, and more.
Check out the full v4.2.0 ship list and GitHub project for the full details. Up next is v4.3 with some bugfixes, a few new modifier classes and variables, and some new utilities.
Head to the v4.2 docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
What’s next
We have v4.3 already planned, so that’s our immediate focus. However, while we’re developing that in the v4-dev branch, we’ll be getting our plans in order for a v5 release.
Bootstrap 5 will not feature drastic changes to the codebase. While I tweeted about the earnestness to move to PostCSS years ago, we’ll still be on Sass for v5. Instead, we’ll focus our efforts on removing cruft, improving existing components, and dropping old browsers and our jQuery dependency. There are also some updates to our v4.x components we cannot make without causing breaking changes, so v5 feels like it’s coming at the right time for us.
Stay tuned for a preview of the plans for v5 in the new year. We’ll share via an issue, ask for feedback, and then settle in to development mode.
Happy holidays, and happy new year to everyone! Thanks for continuing to make Bootstrap an amazing project and community.
That’s not a typo—today we’re shipping Bootstrap 3.4.0, a long overdue update to address some quality of life issues, XSS fixes, and build tooling updates to make it easier for us, and you, to develop.
While we’d planned for ages to do a fresh v3.x update, we lost steam as energy was focused on all the work in v4. Early this year, one issue in particular gained a ton of momentum from the community and the core team decided to do a huge push to pull together a solid release. I regret the time it took to pull this release together, especially given the security fixes, but with the improvements under the hood, v3 has never been easier to develop and maintain. Thanks for your continued support along the way!
Keep reading for what’s changed and a look ahead at what’s coming in v4.2.0.
What’s new
While we haven’t publicly worked on v3.x in years, we’ve heard from all of you during that time that we needed to do a new release to address
Upgrade your Bootstrap 3 projects to v3.4.0 with npm i bootstrap@previous or npm i bootstrap@3.4.0. This release won’t be available via Bower to start given the package manager was deprecated and has largely been unused by us in v4 for well over a year. Stay tuned for CDN and Rubygem updates.
Open Collective
Also new with our v3.4 is the creation of an Open Collective page to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.
v4.2 and beyond
We’ve been working on a huge v4.2 update for several months now. Our attention has largely been on advancing the project and simplifying its dependencies, namely by removing our jQuery dependency. That work has sparked a keen interest in a moderately scoped v5 release, so we’ve been taking our sweet time with v4.2 to sneak in as many new features as we can.
After we ship v4.2, we’ll plan for point releases to address any bugs and improvements as y’all start to use the new version. From there, we’ll start to share more plans on v5 to remove jQuery, drop support for older browsers, and clear up some cruft. This won’t be a sweeping rewrite, but rather an iterative improvement on v4. Stay tuned!
Hot on the heels of v4.1.2, we’re shipping another patch release to address an issue with our browserslist config, fix some CSS bugs, make JavaScript plugins UMD ready, and improve form control rendering. Up next will be v4.2, our second minor release where we add some new features.
But first, here are the highlights for v4.1.3. Pay attention to the change to .form-controls which adds a new fixed height.
Fixed: Moved the browserslist config from our package.json to a separate file to avoid unintended inherited browser settings across npm projects.
Fixed: Removed the :not(:root) selector from our svg Reboot styles, resolving an issue that caused all inline SVGs to ignore vertical-align styles via single class due to higher specificity.
Fixed: Buttons in custom file inputs are once again clickable when focused.
Improved: Bootstrap’s plugins can now be imported separately in any contexts because they are now UMD ready.
Improved: .form-controls now have a fixed height to compensate for differences in computed height across different types. This also fixes some IE alignment issues.
Improved: Added Noto Color Emoji to our system font stack for better rendering in Linux OSes.
Check out the full v4.1.3 ship list and GitHub project for the full details. Up next is v4.2, so stay tuned for some awesome new features like toasts, dismissible badges, negative margins (responsive grid gutters!), spinners, and more!
Head to the v4.1.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
We’ve been busy these last couple months since launching v4.1.1, but we’re back with another bug fix and some sweeping changes to how we build and publish our docs after the issues stemming from our v4.1.x launches.
When we launched v4.1, we ran into unexpected issues with having to rearrange asset paths after deploying, resulting in broken image URLs, a busted service worker, and more. Since then, we’ve ironed out most of the kinks and introduced a new docs directory structure inside the repo. Nothing should change for anyone using our docs, but those contributing to the project and developing locally may need to rebase their changes or update their branches accordingly.
Beyond the file structure changes, here are the highlights for v4.1.2:
Fixed an XSS vulnerability in tooltip, collapse, and scrollspy plugins
Improved how we query elements in our JavaScript plugins
Inline SVGs now have the same vertical alignment as images
Fixed issues with double transitions on carousels
Added Edge and IE10-11 fallbacks to our floating labels example
Various improvements to form controls, including disabled states on file inputs and unified focus styles for selects
Miscellaneous build tool improvements and documentation fixes
Check out the full v4.1.2 ship list and GitHub project for the full details. Up next will either be v4.1.3 or v4.2 depending on how smoothly this release goes and how well we can keep up with reviewing and merging pull requests.
Head to the v4.1.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
We’re a few weeks out from v4.1 and we have our first patch release of Bootstrap 4! It’s a straightforward set of bug fixes and build tool quality of life updates.
Here’s a quick rundown of some of the changes:
Added validation styles for file inputs
Improved printing of dark tables
Suppressed that text-hide deprecation notice by default
Fixed an issue where Collapse wasn’t working in Internet Explorer
Cleaned up some JS globals and improved coverage
Bumped dependencies, namely Jekyll
Fixed docs issue with incorrect name for our monospace font utility
Check out the full v4.1.1 ship list and GitHub project for the full details. Up next will be v4.1.2, another patch release to address the next set of CSS and JS bugs you’ve helped share with us since v4 launched.
Two months ago we shipped the first major release of Bootstrap 4 and we’re thrilled y’all love the latest release and our brand new themes so much. Today we’re shipping our first minor release, v4.1! This release comes later than expected and without some of the fixes we intended, but there’s still a boatload of fixes, docs updates, build tool changes, and even a few small new features.
Updated docs URL
With the release of v4 stable, we moved to a versioned docs setup, meaning each minor release would bring with it a new hosted version of our docs. This allows folks who haven’t yet upgraded to stick to the docs they know and love and avoids breaking URLs across the web. With today’s release, we’ll have a new URL for this release’s documentation, getbootstrap.com/docs/4.1/. The previous URL, getbootstrap.com/docs/4.0/ will still work as y’all would imagine.
Highlights
Here’s what’s new in addition to our bug fixes and docs updates:
Added new custom range form control.
Added new .carousel-fade modifier to switch carousel from horizontal sliding to crossfade.
Added new .dropdown-item-text for plaintext dropdown items.
Added new .flex-fill, .flex-grow-*, and .flex-shrink-* utilities.
Added new .table-borderless variant for tables.
Added new .text-monospace utility.
Added new .text-body (default body color), .text-black-50 (50% opacity black), and .text-white-50 (50% opacity white) utilities.
Added new .shadow-* utilities for quickly adding box-shadows.
Added ability to disable Popper’s positioning in dropdowns.
Updated our Theming docs to confirm you cannot use CSS variables in media queries (sorry folks!).
Fixed longstanding issue with Chrome rendering CSS columns incorrectly for cards.
Deprecated .text-hide—you’ll see a warning during compilation—as it’s a dated and undocumented feature.
Fixed up Dashboard and Offcanvas examples across Firefox and IE.
Breadcrumbs can now use non-string values as dividers.
Be sure to look at the ship list and project board for more details on all our fixes. Also, as a small heads up, we’ve split our issue template on GitHub into two separate templates, one for feature requests and one for bug reports. Please let us know if you have any feedback on the change.
Next release
Next up, we’re looking at a v4.1.1 release. There are some bug fixes for input groups, form fields, and more that I know we need to tackle sooner than later. These were supposed to be in v4.1, but we couldn’t make it happen in time.
Just over a month ago, we shipped the long awaited Bootstrap 4 stable release. With a brand new codebase designed to better support customization with all new components and documentation, it was the perfect time to debut some brand new themes. Today, we’d like to introduce you to our brand new Bootstrap Themes marketplace.
10 new themes
Over the last several months, we’ve been hard at work with theme creators to build the best themes for you. When we created our original three Bootstrap themes, our goal was to provide the best themes, build tools, documentation, and support to everyone building with Bootstrap. With today’s update, we’re adding 10 new themes to the mix from a global community of designers and developers.
Every theme is built on Bootstrap 4 (stable, no beta or alpha here!) and comes with its own build tools and customer support. Prices are set by creators with pricing that incentivizes unique and well supported themes. Collectively, this inaugural batch of theme developers have built themes used by over 500,000 people. We’re excited to grow our Themes user base, push the boundaries of premium themes, and help everyone bring their ideas to life on the web.
Our new marketplace isn’t just for buying themes. If you’re a theme creator, we’d love to work with you to include your themes or to build new exclusive themes. We’re looking for new creators to design and build high quality themes, provide first class documentation and support, and help create unique experiences built on Bootstrap.