13 Feb 2019
Today we’re shipping Bootstrap v4.3.1 and v3.4.1 to patch an XSS vulnerability, CVE-2019-8331. Also included in v4.3.1 is a small fix to some RFS (responsive font sizes) mixins that were added in v4.3.0.
Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.
Those who have modified the default templates, please read the new v4.3 sanitizer docs or the new v3.4 sanitizer docs.
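A version check built from the fix releases named in these posts, as an added example that is not Bootstrap project code: it flags copies of Bootstrap, including nested ones recorded in a package-lock.json, that predate the data-template or data-target fixes. The function names and the sample lockfile are constructed for illustration, and treating every earlier release on the same major line as unpatched is an assumption.

```javascript
// Added example, not Bootstrap project code. Fix versions are the ones named
// in the posts on this page; treating every earlier release on the same major
// line as unpatched is an assumption.
const FIXES = [
  { issue: 'data-template XSS (CVE-2019-8331)', fixedIn: { 3: '3.4.1', 4: '4.3.1' } },
  { issue: 'data-target XSS', fixedIn: { 3: '3.4.0', 4: '4.1.2' } },
];

// Parse "major.minor.patch"; a pre-release suffix such as "-beta.2" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function isBefore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Classify one Bootstrap version against the fixes listed above.
function checkBootstrap(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { status: 'unparseable', issues: [] };
  const relevant = FIXES.filter((f) => f.fixedIn[parsed[0]]);
  if (relevant.length === 0) return { status: 'unknown-line', issues: [] };
  const issues = relevant
    .filter((f) => isBefore(parsed, parseVersion(f.fixedIn[parsed[0]])))
    .map((f) => `${f.issue}: upgrade to ${f.fixedIn[parsed[0]]} or later`);
  return { status: issues.length ? 'unpatched' : 'patched', issues };
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) so
// nested copies pulled in by other dependencies are checked too.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/bootstrap'))
    .map(([path, pkg]) => ({ path, version: pkg.version, ...checkBootstrap(pkg.version) }));
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/bootstrap': { version: '4.3.1' },
    'node_modules/legacy-widget/node_modules/bootstrap': { version: '3.3.7' },
    'node_modules/react-bootstrap': { version: '1.0.0' },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A release line outside v3 and v4 is reported as `unknown-line` rather than guessed, since these posts only name fixes for those two lines.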
In light of this vulnerability, we’re also auditing our security reporting workflows to ensure they’re up to date. This will include steps like adding a SECURITY.md file to our repository and ensuring our private channels and processes are up to date and documented with the team.
Thank you to poiu for reporting the vulnerability to the Bootstrap Drupal project and Mark Carver from the Bootstrap Drupal project for responsibly disclosing the issue to us. Also a massive thank you to @Johann-S, @Xhmikosr, and @bardiharborow on our team for the fast turnaround on today’s releases.
@mdo & team
11 Feb 2019
Bootstrap v4.3 has landed with over 120 combined closed issues and merged pull requests. This release brings improvements to our utilities, some prep work for moving on to v5’s development, and the standard bug fixes and documentation updates.
Keep reading for v4.3 highlights, and see you soon with more details on v5!
We’ve added some new utilities and deprecated some unused code. Here are the key changes in v4.3, broken down by new, improved, fixed, and deprecated.
- New: Added .stretched-link utility to make any anchor the size of its nearest position: relative parent, perfect for entirely clickable cards!
- New: Added .text-break utility for applying
- New: Added .rounded-lg for small and large
- New: Added .modal-dialog-scrollable modifier class for scrolling content within a modal.
- New: Added responsive .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
- Improved: Reduced our compiled CSS by using null for variables that by default inherit their values from other elements (e.g., inherit and is now null until you modify it in your custom CSS).
- Improved: Badge focus styles now match their background-color like our buttons.
- Fixed: Silenced bad selectors in our JS plugins for the data-target HTML attribute/target option where available.
- Fixed: Reverted v4.2.1’s change to the breakpoint and grid container Sass maps that blocked folks from upgrading when modifying those default variables.
- Fixed: Restored white-space: nowrap to .dropdown-toggle (before v4.2.1 it was on all .btns) so carets don’t wrap to new lines.
size mixins are now deprecated and will be removed in v5.
Check out the full v4.3.0 ship list and GitHub project for the full details.
Head to the v4.3.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
Introducing responsive font sizes
Our biggest new addition to Bootstrap in v4.3 is responsive font sizes, a new project in the Bootstrap GitHub org to automatically calculate an appropriate font-size based on the dimensions of a visitor’s device or browser viewport. Here’s how it works:
- font-size properties have been switched to the @include font-size() mixin. Our Stylelint configuration now prevents the usage of
- Disabled by default, you can opt into this new behavior by toggling the $enable-responsive-font-sizes boolean variable.
- font-sizes are entirely configurable via Sass. Be sure to read the docs for how to modify the scales, variables, and more.
While responsive font-sizes are disabled by default, we’ve enabled them in the custom CSS that powers our docs starting with v4.3. Please share feedback with us via GitHub issues or on Twitter. We’ve added some light guidance to our Typography docs to explain the feature. You can also learn more by reading the rfs project documentation.
Last December we launched our Open Collective page with our v3.4 release to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.
Branches, Hugo, and jQuery
Right after shipping v4.3, we’ll be tackling a few key changes on our road to active v5 development. These are larger changes to how we maintain and develop Bootstrap and are considered foundational for v5.
Improving our branches for development.
master will become our new
v4-dev will stay as-is, but we’ll cut a new
master branch from there to develop v5.
We’re moving to Hugo! Jekyll has been great, but it’s starting to slow us down in local development. We’ll be making changes to our dependencies to support this move, and there’s already a pull request in progress and near completion for the change. Follow along to see what’s changing.
We’ll have even more to share soon around v5’s plans after we tackle these bigger items. In the meantime, keep the feedback coming on GitHub and Twitter!
@mdo & team
21 Dec 2018
Look out world, we’re shipping Bootstrap v4.2.1 with a slew of new features, bug fixes, and docs updates. On the new features side, we have spinners, toasts, switches, and (finally!) touch support in the carousel. That’s just the tip of the iceberg though.
Heads up! v4.2.0 was incorrectly published to npm, so we’ve had to immediately turn around a v4.2.1 release. npm i bootstrap@latest should now return 4.2.1. Apologies for the inconvenience!
We’ve crammed months of work into v4.2.1 with over 400 commits since our last v4.1.3 release. As mentioned in our v3.4.0 release last week, we’re working to decouple our releases from my direct involvement to improve the shipping cadence. Expect more improvements there in 2019.
Keep reading for highlights and some insight into how we’re getting to v4.3 quickly, and then into v5 (woo!).
Here are the highlights of what’s new and updated in v4.2.1.
- New: Added a new spinner loading component.
- New: Added new toast component for displaying notifications.
- New: Added a new iOS style switch (a modifier class to our custom checkboxes).
- New: Added touch support in our carousel component.
- New: Added
- New: Added .text-decoration-none utility class.
- New: Added .modal-xl modifier class for our modals.
- New: Added new negative margin utility classes (e.g., .mb-n3). These rad new classes not only allow you more control over your general spacing needs, but also allow you to create responsive grid gutters at each breakpoint.
- New: Validated form fields now have feedback icons on :valid fields. Disable them with the $enable-validation-icons boolean Sass variable (defaults to
- New: Added a new versions page to our docs.
- New: Tooltips/Popovers work with Shadow DOM.
- Updated: Redesigned the custom checkboxes and radios for more obvious states.
bootstrap-grid.css now includes our padding utilities for full control of our grid system.
- Updated: Changed auto columns (e.g., max-width: none to max-width: 100% to prevent content from causing a column to overflow the parent.
- Updated: Improved rendering of custom selects, ranges, file input, and more.
Check out the full v4.2.0 ship list and GitHub project for the full details. Up next is v4.3 with some bugfixes, a few new modifier classes and variables, and some new utilities.
Head to the v4.2 docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
We have v4.3 already planned, so that’s our immediate focus. However, while we’re developing that in the v4-dev branch, we’ll be getting our plans in order for a v5 release.
Bootstrap 5 will not feature drastic changes to the codebase. While I tweeted about the earnestness to move to PostCSS years ago, we’ll still be on Sass for v5. Instead, we’ll focus our efforts on removing cruft, improving existing components, and dropping old browsers and our jQuery dependency. There are also some updates to our v4.x components we cannot make without causing breaking changes, so v5 feels like it’s coming at the right time for us.
Stay tuned for a preview of the plans for v5 in the new year. We’ll share via an issue, ask for feedback, and then settle in to development mode.
Happy holidays, and happy new year to everyone! Thanks for continuing to make Bootstrap an amazing project and community.
@mdo & team
13 Dec 2018
That’s not a typo—today we’re shipping Bootstrap 3.4.0, a long overdue update to address some quality of life issues, XSS fixes, and build tooling updates to make it easier for us, and you, to develop.
While we’d planned for ages to do a fresh v3.x update, we lost steam as energy was focused on all the work in v4. Early this year, one issue in particular gained a ton of momentum from the community and the core team decided to do a huge push to pull together a solid release. I regret the time it took to pull this release together, especially given the security fixes, but with the improvements under the hood, v3 has never been easier to develop and maintain. Thanks for your continued support along the way!
Keep reading for what’s changed and a look ahead at what’s coming in v4.2.0.
While we haven’t publicly worked on v3.x in years, we’ve heard from all of you during that time that we needed to do a new release to address
- New: Added a
- New: Added docs searching via Algolia.
- Fixed: Resolved an XSS issue in Alert, Carousel, Collapse, Dropdown, Modal, and Tab components. See https://snyk.io/vuln/npm:bootstrap:20160627 for details.
- Fixed: Added padding to .navbar-fixed-* on modal open
- Fixed: Removed the double border on
- Removed Gist creation in web-based Customizer since anonymous gists were disabled long ago by GitHub.
- Removed drag and drop support from Customizer since it didn’t work anymore.
Our documentation and tooling saw massive updates as well to make it easier to work on v3.x, for ourselves and for you.
- Added a dropdown to the docs nav for newer and previous versions.
- Update the docs to use a new /docs/3.4/, to version the v3.x documentation like we do with v4.
- Reorganized the v3 docs CSS to use Less.
- Switched to BrowserStack for tests.
- Updated links to always use https and fix broken URLs.
- Replaced ZeroClipboard with clipboard.js
Head to the Bootstrap 3.4 docs to see the latest in action. Check out the v3.4.0 pull request for even more context on what’s changed.
Upgrade your Bootstrap 3 projects to v3.4.0 with npm i bootstrap@previous or npm i firstname.lastname@example.org. This release won’t be available via Bower to start given the package manager was deprecated and has largely been unused by us in v4 for well over a year. Stay tuned for CDN and Rubygem updates.
Also new with our v3.4 is the creation of an Open Collective page to help support the maintainers contributing to Bootstrap. The team has been very excited about this as a way to be transparent about maintainer costs (both time and money), as well as recognition of efforts.
v4.2 and beyond
We’ve been working on a huge v4.2 update for several months now. Our attention has largely been on advancing the project and simplifying its dependencies, namely by removing our jQuery dependency. That work has sparked a keen interest in a moderately scoped v5 release, so we’ve been taking our sweet time with v4.2 to sneak in as many new features as we can.
After we ship v4.2, we’ll plan for point releases to address any bugs and improvements as y’all start to use the new version. From there, we’ll start to share more plans on v5 to remove jQuery, drop support for older browsers, and clear up some cruft. This won’t be a sweeping rewrite, but rather an iterative improvement on v4. Stay tuned!
@mdo & team
24 Jul 2018
But first, here are the highlights for v4.1.3. Pay attention to the change to .form-controls which adds a new fixed
- Fixed: Moved the browserslist config from our package.json to a separate file to avoid unintended inherited browser settings across npm projects.
- Fixed: Removed the :not(:root) selector from our svg Reboot styles, resolving an issue that caused all inline SVGs to ignore vertical-align styles via single class due to higher specificity.
- Fixed: Buttons in custom file inputs are once again clickable when focused.
- Improved: Bootstrap’s plugins can now be imported separately in any contexts because they are now UMD ready.
.form-controls now have a fixed height to compensate for differences in computed height across different types. This also fixes some IE alignment issues.
- Improved: Added Noto Color Emoji to our system font stack for better rendering in Linux OSes.
Check out the full v4.1.3 ship list and GitHub project for the full details. Up next is v4.2, so stay tuned for some awesome new features like toasts, dismissible badges, negative margins (responsive grid gutters!), spinners, and more!
Head to the v4.1.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.
@mdo & team