Replace the twbs/bootstrap package so that it, and its Bootstrap Cross-Site Scripting (XSS) vulnerability, are not pulled in when building with Composer

Created on 3 September 2024, 3 months ago
Updated 17 September 2024, 2 months ago

Problem/Motivation

The twbs/bootstrap package has a Cross-Site Scripting (XSS) vulnerability that poses a security risk. This issue was identified during a Composer audit. For more details on the vulnerability, refer to the GitHub advisory.

Varbase ~9.1.0 does not use the twbs/bootstrap package.
Vartheme BS4 uses package.json and npm/yarn to fetch the Bootstrap library it needs to compile.
But the Barrio Bootstrap 4 Theme has the library in its composer.json file:

  "require": {
    "twbs/bootstrap": "^4.4.1"
  },

This is not the recommended way of fetching the library.
Varbase 9 and Vartheme BS4 went with the Node.js method, because our teams compile Bootstrap with customized variables in projects.

Steps to reproduce

When I run composer audit in the root directory of a Varbase 9 project, the following output shows up in the terminal:

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | twbs/bootstrap                                                                   |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-6531                                                                    |
| Title             | Bootstrap Cross-Site Scripting (XSS) vulnerability                               |
| URL               | https://github.com/advisories/GHSA-vc8w-jr9v-vj7f                                |
| Affected versions | >=4.0.0,<=4.6.2                                                                  |
| Reported at       | 2024-07-11T18:31:14+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+


Proposed resolution

Add a replace entry for the library so that Composer does not bring it in at all (it is not needed in Varbase 9):

  "replace": {
    "twbs/bootstrap": "*"
  },
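What the replace entry does, and what it does not do, is worth checking rather than taking on trust. Declaring `"twbs/bootstrap": "*"` under `replace` tells Composer that the root project itself provides the package, so Barrio's requirement is satisfied without anything being installed and `composer audit` has nothing left to report. It does not touch the Bootstrap copy that Vartheme BS4 fetches through npm/yarn, and the affected range in the audit table above (>=4.0.0,<=4.6.2) covers every Bootstrap 4 release, so that copy needs its own check. The script below is an added example, not code from the Varbase project or this issue: it applies the replace entry to a composer.json, then scans constructed composer.lock and package-lock.json fragments (made up for the demonstration, not taken from a real project) against the range reported by the audit, covering both the reproduction step and the proposed fix.

```python
"""Offline check for the twbs/bootstrap advisory described in the issue.

Constructed example: the lock-file fragments below are made up for this
demonstration and are not taken from a real Varbase project.
"""
import json
import re

PACKAGE = "twbs/bootstrap"          # Composer (Packagist) name
NPM_PACKAGE = "bootstrap"           # the same library on npm
# Affected range exactly as `composer audit` reported it: >=4.0.0,<=4.6.2
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 6, 2)


def parse_version(version):
    """'v4.6.2' or '4.6.2' -> (4, 6, 2); returns None for anything else.

    Pre-release suffixes ('4.6.2-beta') are ignored, which errs on the side
    of flagging a version, the safer direction for an audit helper.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def add_replace(composer_json, package=PACKAGE, constraint="*"):
    """Return a copy of composer.json carrying the replace entry the issue proposes.

    `replace` tells Composer the root project itself provides `package`, so any
    dependency that requires it is satisfied without installing it.
    """
    out = json.loads(json.dumps(composer_json))   # deep copy, keeps the input untouched
    out.setdefault("replace", {})[package] = constraint
    return out


def composer_lock_versions(lock, package=PACKAGE):
    """Versions of `package` found in composer.lock (packages and packages-dev)."""
    return [
        pkg.get("version", "")
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
        if pkg.get("name") == package
    ]


def npm_lock_versions(lock, package=NPM_PACKAGE):
    """Versions of `package` found in package-lock.json (lockfile v1, v2 or v3)."""
    found = []
    suffix = "node_modules/" + package
    for path, meta in lock.get("packages", {}).items():      # lockfile v2/v3: keyed by path
        if path == suffix or path.endswith("/" + suffix):    # top-level or nested copy
            found.append(meta.get("version", ""))
    for name, meta in lock.get("dependencies", {}).items():  # lockfile v1: keyed by name
        if name == package:
            found.append(meta.get("version", ""))
    return found


def audit(composer_lock, npm_lock):
    """Affected copies of Bootstrap per ecosystem; an empty list means clean."""
    return {
        "composer": [v for v in composer_lock_versions(composer_lock) if is_affected(v)],
        "npm": [v for v in npm_lock_versions(npm_lock) if is_affected(v)],
    }


# --- constructed inputs (hypothetical project, not real Varbase files) --------
COMPOSER_JSON = {"name": "example/project", "require": {}}
# Before the fix: the theme's requirement resolved to a real install of the package.
COMPOSER_LOCK_BEFORE = {"packages": [{"name": PACKAGE, "version": "v4.6.2"}], "packages-dev": []}
# After the fix: the requirement is satisfied by the root replace, nothing installed.
COMPOSER_LOCK_AFTER = {"packages": [], "packages-dev": []}
# The npm-fetched copy that Vartheme BS4 compiles from is untouched by the Composer change.
PACKAGE_LOCK = {"lockfileVersion": 3, "packages": {"node_modules/bootstrap": {"version": "4.6.2"}}}


if __name__ == "__main__":
    print(json.dumps(add_replace(COMPOSER_JSON)["replace"]))
    print("before:", audit(COMPOSER_LOCK_BEFORE, PACKAGE_LOCK))
    print("after: ", audit(COMPOSER_LOCK_AFTER, PACKAGE_LOCK))
```

Two things to keep in mind when applying the replace: it is global, so every package that requires twbs/bootstrap is satisfied by it, and anything that expected the library to exist under vendor/twbs/bootstrap on disk will no longer find it (acceptable here because Varbase 9 does not need that copy); and a clean `composer audit` only says Composer installed nothing in the affected range, so the npm/yarn side still has to be checked as the second half of the script does.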

Remaining tasks

  • ✅ File an issue about this project
  • ✅ Addition/Change/Update/Fix to this project
  • ✅ Testing to ensure no regression
  • ➖ Automated unit/functional testing coverage
  • ➖ Developer Documentation support on feature change/addition
  • ➖ User Guide Documentation support on feature change/addition
  • ➖ UX/UI designer responsibilities
  • ➖ Accessibility and Readability
  • ✅ Code review from 1 Varbase core team member
  • ✅ Full testing and approval
  • ✅ Credit contributors
  • ✅ Review with the product owner
  • ✅ Update Release Notes and Update Helper on new feature change/addition
  • ✅ Release varbase-10.0.2

Varbase update type

  • ✅ No Update
  • ➖ Optional Update
  • ➖ Forced Update
  • ➖ Forced Update if Unchanged

User interface changes

Terminal interface changes
After the fix:

composer audit
No security vulnerability advisories found.

API changes

  • N/A

Data model changes

  • N/A

Release notes snippet

Issue type: Task
Status: Fixed
Version: 9.1
Component: Code
