v3.4 release

[rpkilby]

Hi all, opening this to track a possible v3.4 final release. It would be great to have this, as the v3.4-dev branch includes #23687, which fixed a few xss vulnerabilities.

There are also a few remaining v3 issues, but it's not clear to me how critical they are.

[mdo]

I'd like folks to weigh in here for anything else urgent for a v3.x release. We have the v3.4.0-dev branch that was cut awhile ago with a few more changes. I have this snippet from an old blog post draft summarizing some of the changes I was planning for that release:

We haven't forgotten about Bootstrap 3, and today we're shipping a quality of life update for the project. This minor release brings the docs up to speed with v4 and adds a few small features. We've promised all along our road to v4 that we'd ship a v3 update after v4 was in a better place, and we've hit just that with our recent beta progress.

New in Bootstrap 3.4 is an option to remove grid gutters, new system fonts, an improved build system, and reorganized documentation complete with DocSearch support for easier navigation.

I might need to roll back system fonts from that (older browsers and OSes had issues with it I think), but dunno about everything else yet. Getting docsearch in there would be hella rad, too.

[distinctgrey]

My 2 cents:

• release v3.3.9 with the XSS vulnerabilities fixes asap (a lot of projects are still using v3, every one of them currently has this security flaw)
• release 3.4 with the remaining changes once someone finds more time :-)

In my case, that would enable us to switch from a private v3.3.8 fork with the XSS patch applied to the official package.

[innabauman]

what is the timeline for v.3.4 release?

[Thorry84]

Would also like to know, the XSS issue needs to be fixed, upgrading to 4.x isn't always a viable option.

[innabauman]

@Thorry84 there is a release branch for 3.4

[LawrieR]

@innabauman I can only see a 3.3.7 tag or a 3.4-dev branch. Did it release branch get pulled?

[innabauman]

there is a PR #26212

[mdo]

Shipping an old release is a rather tedious and manual process. I'll try to block out some time to get this out the door soon.

[kohenkatz]

@mdo Any updates? Our security auditor wants to know when we will get #23687.

[jawwadfarooq]

Any updates when a new version of v3.x will be released with the fix of XSS vulnerability?

[rykon]

A fix for this known vulnerability and a date to expect the release would be appreciated.

[vuhp]

Any updates @mdo ? When will the fix of XSS vulnerability be released?

[490386Ayan]

Hi @distinctgrey ,

How we will able to apply XSS patch to Bootstrap 3.3.7?

Thanks in advance,
Ayan Pramanik

[490386Ayan]

Any updates @mdo ? When will the fix of XSS vulnerability be released?

[490386Ayan]

We need urgent help regarding Bootstrap, I am from johnson and johnson team, we are using Bootstrap 3.3.6 for our project, our project is very big, but since it 3.3.6 has security issue so security team does not allow us for releasing, but upgrade to 4.0 is a big task, do have have any idea if we have any alternative way

[innabauman]

Hi Ayan,
We had the similar issue and while upgrading to bootstrap 4 we created a privet fork off bootstrap 3.3.6 and include a fix from 3.4 branch.

[490386Ayan]

Hi Inna,

Thank you for your reply. Can you help us how we will include a fix from 3.4 branch? Thanks in advance.

[coliff]

Hi @490386Ayan - you can replace your Bootstrap minified JS with this one:
https://raw.githubusercontent.com/twbs/bootstrap/v3.4.0-dev/dist/js/bootstrap.min.js

Also you mentioned before you were using Bootstrap 3.3.6 - this version is incompatible with jQuery 3. If you were using Bootstrap 3.3.6 with jQuery 1.x then you would be exposed to other potential security issues. If you're upgrading to avoid security issues then you should also upgrade to jQuery 3.3.1.

[innabauman]

Sure, give me your email address and I’ll contact you. We also upgraded jquery for the same reason

[490386Ayan]

@coliff

Thank you very much. Did Bootstrap3.4 shared by you compatible with Jquery 3 and above?

[coliff]

Bootstrap 3.3.7 was released in July 2016 and that release added support for jQuery 3 (and fixes a few other issues)
Blog post: http://blog.getbootstrap.com/2016/07/25/bootstrap-3-3-7-released/
Release Notes: https://github.com/twbs/bootstrap/releases/tag/v3.3.7

[subinmathewit]

@XhmikosR Is the release globally available?

[XhmikosR]

The PR isn't merged yet, we'll get to it hopefully soon. I'm still making a few more tweaks.

[waliurrahman-pki]

@XhmikosR any tentative date when it would be available on "npm"?

[XhmikosR]

No, sorry. It depends on a few other things.

[khadzic]

Where is the 3.4 branch, I can no longer find it?

[pedros007]

@khadzic according to this #20184 (comment) it's in the master branch.

[hetfield2k72]

@XhmikosR any idea when we might have the 3.4 release available via Package Manager using VS.

Thanks
Chris

[XhmikosR]

It doesn't depend purely on me. So please, guys, I understand your position, trust me, that is why I decided to spend the time to get this out :) That being said, please don't ask us every day. You will get notified when the release is out.

[ToreOlavKristiansen]

I hate to ask, but please share an update. It looks like our best bet is to upgrade to v4 to get this fixed in a timely fashion.

[XhmikosR]

No news, yet, sorry. You can always use the master or the master-xmr-v3-fixes branch in the meantime. I don't expect any important changes to land there anymore before the release.

[chrisdunne]

Any news

[XhmikosR]

Yeah, probably around December 10, hopefully.

[vuhp]

Hi, will it be released today?

[XhmikosR]

I sure hope so, it's late in USA so I haven't checked with @mdo yet.

[XhmikosR]

Sorry for postponing this, I honestly hope it's the last time, we will release it on Thursday and then release v4.2.

[khadzic]

Sorry for postponing this, I honestly hope it's the last time, we will release it on Thursday and then release v4.2.

Still on target for today's release?

[XhmikosR]

Yup, waiting for @mdo and we'll start.

[khadzic]

Yup, waiting for @mdo and we'll start.

Awesome, looking forward to it!

[dale-vanzile]

Hi, it's been a couple hours since the last question regarding ETA.

Do I have time to grab lunch before this is done?
Will there be an announcement here when it's done?

Thanks 👍 :)

[mdo]

We just merged #27288—release inbound!

[OwaisDG]

Hi @490386Ayan - you can replace your Bootstrap minified JS with this one:
https://raw.githubusercontent.com/twbs/bootstrap/v3.4.0-dev/dist/js/bootstrap.min.js

Also you mentioned before you were using Bootstrap 3.3.6 - this version is incompatible with jQuery 3. If you were using Bootstrap 3.3.6 with jQuery 1.x then you would be exposed to other potential security issues. If you're upgrading to avoid security issues then you should also upgrade to jQuery 3.3.1.

Hello @coliff The above URL for bootstrap.min.js is going to 404. please, can you share with me the link with X-SS fix?

[coliff]

Hi @OwaisDG bootstrap 3.4.0 is out now.
https://getbootstrap.com/docs/3.4/getting-started/#download