Bootstrap: v3.4 release

Created on 21 Feb 2018  ·  65 Comments  ·  Source: twbs/bootstrap

Hi all, opening this to track a possible v3.4 final release. It would be great to have this, as the v3.4-dev branch includes #23687, which fixed a few XSS vulnerabilities.

There are also a few remaining v3 issues, but it's not clear to me how critical they are.

has-pr v3

Most helpful comment

We just merged #27288—release inbound!

All 65 comments

I'd like folks to weigh in here for anything else urgent for a v3.x release. We have the v3.4.0-dev branch that was cut awhile ago with a few more changes. I have this snippet from an old blog post draft summarizing some of the changes I was planning for that release:

We haven't forgotten about Bootstrap 3, and today we're shipping a quality of life update for the project. This minor release brings the docs up to speed with v4 and adds a few small features. We've promised all along our road to v4 that we'd ship a v3 update after v4 was in a better place, and we've hit just that with our recent beta progress.

New in Bootstrap 3.4 is an option to remove grid gutters, new system fonts, an improved build system, and reorganized documentation complete with DocSearch support for easier navigation.

I might need to roll back system fonts from that (older browsers and OSes had issues with it I think), but dunno about everything else yet. Getting docsearch in there would be hella rad, too.

My 2 cents:

  • release v3.3.9 with the XSS vulnerabilities fixes asap (a lot of projects are still using v3, every one of them currently has this security flaw)
  • release 3.4 with the remaining changes once someone finds more time :-)

In my case, that would enable us to switch from a private v3.3.8 fork with the XSS patch applied to the official package.

What is the timeline for the v3.4 release?

Would also like to know, the XSS issue needs to be fixed, upgrading to 4.x isn't always a viable option.

@Thorry84 there is a release branch for 3.4

@innabauman I can only see a 3.3.7 tag or a 3.4-dev branch. Did the release branch get pulled?

Shipping an old release is a rather tedious and manual process. I'll try to block out some time to get this out the door soon.

@mdo Any updates? Our security auditor wants to know when we will get #23687.

Any updates when a new version of v3.x will be released with the fix of XSS vulnerability?

A fix for this known vulnerability and a date to expect the release would be appreciated.

Any updates @mdo ? When will the fix of XSS vulnerability be released?

Hi @distinctgrey ,

How will we be able to apply the XSS patch to Bootstrap 3.3.7?

Thanks in advance,
Ayan Pramanik

Any updates @mdo ? When will the fix of XSS vulnerability be released?

Any updates @mdo ? Kindly provide me the Bootstrap team's contact email ID so I can drop them a mail, since J&J is facing this issue too much. Thanks in advance.

We need urgent help regarding Bootstrap. I am from the Johnson and Johnson team. We are using Bootstrap 3.3.6 for our project, and our project is very big, but since 3.3.6 has a security issue the security team does not allow us to release, and upgrading to 4.0 is a big task. Do you have any idea if there is any alternative way?

Hi Ayan,
We had a similar issue, and while upgrading to Bootstrap 4 we created a private fork of Bootstrap 3.3.6 and included the fix from the 3.4 branch.

Hi Inna,

Thank you for your reply. Can you help us with how to include the fix from the 3.4 branch? Thanks in advance.

Hi @490386Ayan - you can replace your Bootstrap minified JS with this one:
https://raw.githubusercontent.com/twbs/bootstrap/v3.4.0-dev/dist/js/bootstrap.min.js

Also you mentioned before you were using Bootstrap 3.3.6 - this version is incompatible with jQuery 3. If you were using Bootstrap 3.3.6 with jQuery 1.x then you would be exposed to other potential security issues. If you're upgrading to avoid security issues then you should also upgrade to jQuery 3.3.1.

Sure, give me your email address and I’ll contact you. We also upgraded jquery for the same reason

@innabauman ,thank you very much, pramanik.[email protected], [email protected]

@coliff

Thank you very much. Is the Bootstrap 3.4 build you shared compatible with jQuery 3 and above?

Bootstrap 3.3.7 was released in July 2016 and that release added support for jQuery 3 (and fixes a few other issues)
Blog post: http://blog.getbootstrap.com/2016/07/25/bootstrap-3-3-7-released/
Release Notes: https://github.com/twbs/bootstrap/releases/tag/v3.3.7

@coliff , Bootstrap 3.3.7 works with jQuery 3 and above, that we know, but it has a security issue. You shared a Bootstrap version, "https://raw.githubusercontent.com/twbs/bootstrap/v3.4.0-dev/dist/js/bootstrap.min.js"; will it work with jQuery 3.0 or above?

@coliff , we have already updated the jQuery version to jQuery 3.3.1, and we observed that this does not work with Bootstrap 3.3.6, so we see that Bootstrap 3.3.7 works with jQuery 3, but Bootstrap 3.3.7 has security issues.

@coliff , your provided version works with jQuery 3.0 and above; I have just checked it. I am requesting that you kindly confirm to me whether it has any security issue like Bootstrap 3.3.7. I am awaiting a reply from you. Thanks in advance.

Hi @490386Ayan. As stated in the guidelines, the issue tracker is not intended for personal support requests. It is more appropriate to ask for help in Stack Overflow, IRC, or Slack. Please ask your questions there instead.

https://github.com/twbs/bootstrap#community

Hello all.

We are very happy and grateful users of Bootstrap to date. Unfortunately, we also have the IT-security guy breathing down our necks pretty hard: there shall be no shipping of our product with 3.3.7, as they have deemed it EOL and are making us move to the 4.x branch. This seems to be a non-trivial task and deadlines are tight.

I have recommended moving to 3.4-dev as remediation for the XSS, but this is not regarded as a valid fix by the IT-sec guy due to the missing "formal release". Making a private branch and manually applying the fixes there moves the responsibility of fixing further security issues to our own developers: a responsibility I am not sure I can comfortably guarantee.

So, may I also kindly request any updates? It seems we are not alone and in a bit of a pickle, which could be alleviated by this release.

Hello All,

Can someone help me fix the XSS vulnerability pertaining to the data-target attribute in v3.3.7 without upgrading? (If someone can point out the changes and in which files etc., it would be very helpful.)

Currently, upgrading to a higher version demands a lot of UI changes across our application, hence I would like to fix the data-target XSS vulnerability in v3.3.7 itself. Any help is appreciated, thanks in advance.
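For readers who, like the poster above, need to understand what the data-target issue actually is before touching a private 3.3.x fork, here is an added illustration. It is not code from Bootstrap or jQuery and is not the project's fix; it models the flow from my reading of the two code bases. Bootstrap 3.3.x built the target string from `data-target` (or the `#fragment` of `href`) and passed it to `$(string)`; jQuery decides whether such a string is HTML or a selector with a regex (`rquickExpr`, reproduced here from memory of the jQuery >= 1.9 source, so treat it as an assumption), and an HTML string is parsed into elements whose event-handler attributes run. The 3.4 line resolves the target with `$(document).find(target)` instead, which never parses HTML; the `trigger` object shape and the `safeTargetSelector` check below are my own additions.

```javascript
// Added illustration, not Bootstrap's or jQuery's code.
// jQuery's HTML-vs-selector test for `$(str)` (rquickExpr, jQuery >= 1.9,
// reproduced from memory; assumption). Group 1 set => treated as HTML.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// How a jQuery-style `$(str)` would treat the string.
function classifyTargetString(str) {
  const m = RQUICK_EXPR.exec(str);
  return m && m[1] ? 'html' : 'selector';
}

// Target derivation as Bootstrap 3's collapse/tab/scrollspy triggers do it:
// prefer data-target, else keep only the trailing #fragment of href.
// `trigger` is a plain object of attributes (assumed shape for this example).
function targetStringFromTrigger(trigger) {
  const href = trigger.href;
  return trigger['data-target']
    || (href && href.replace(/.*(?=#[^\s]+$)/, ''))
    || null;
}

// 3.3.x-style flow, modelled: the string reaches `$()`, so a hostile
// attribute value is handed to the HTML parser and event handlers fire.
function vulnerableResolve(trigger) {
  const target = targetStringFromTrigger(trigger);
  if (target === null) return null;
  return classifyTargetString(target) === 'html'
    ? { kind: 'html', markup: target }        // elements get created: XSS
    : { kind: 'selector', selector: target }; // selector engine only
}

// Hardened flow: the string is only ever a selector (what `.find()` does),
// and anything jQuery would have parsed as HTML is refused outright so a
// private 3.3.x fork fails closed instead of silently creating markup.
function safeTargetSelector(trigger) {
  const target = targetStringFromTrigger(trigger);
  if (target === null || classifyTargetString(target) === 'html') return null;
  return target;
}

// Constructed sample inputs: a normal trigger and a hostile one.
const GOOD_TRIGGER = { href: '/docs#collapseOne' };
const BAD_TRIGGER = { 'data-target': '<img src=x onerror=alert(1)>' };

console.log(vulnerableResolve(BAD_TRIGGER));   // { kind: 'html', ... }
console.log(safeTargetSelector(BAD_TRIGGER));  // null
console.log(safeTargetSelector(GOOD_TRIGGER)); // '#collapseOne'
```

The point for a fork maintainer is the last function: whatever jQuery version you pair with 3.3.x, never let an attribute-derived string reach `$()` as a bare argument; resolve it with `.find()` against `document` and reject values that look like markup.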

Sure, give me your email address and I’ll contact you.

[email protected]


Hey @innabauman, I'm facing same issue as @dine3737. We need to fix the XSS vulnerability and an upgrade to 4.1.2 doesn't seem to be a viable option because of how many implementations it will affect. Can you share the changes needed to directly fix the data-target issue? Do you know if there is going to be a 3.4 release soon? I would rather prefer to do the upgrade to 3.4 than to manually fixing the vulnerability but if there is no other way to do it as soon as possible, then the manual fix will do. Thanks in advance! E-mail is [email protected]

@vernejc @dine3737 I sent you both the steps and also created a pull request with the suggested fix.
https://github.com/twbs/bootstrap/pull/26956

Thanks @innabauman! I’ll give it a try to the listed steps. Have a good one!

Fixed additional XSS vulnerabilities in #27047.

As @sebastian-h pointed out, a release with the security fixes would be appreciated

Hey @innabauman, kindly provide a fix for this issue. My email is [email protected]

Hey @innabauman , we are also facing the same issue; can you give us the steps for that fix? My email is [email protected]

It's obvious that the maintainers don't want to deal with the headaches of releasing the 3.4 branch. Would a new 3.3.x point release resolve the problems? I know a lot of sites aren't in a position to do a full upgrade to 4.x yet, so fixing this minor security bug would greatly help many, many sites.

Hi all! I just recently worked on the upgrade from 3.3.7 to 3.4.0-dev at my company. I would like to know if there is a list of the known XSS vulnerabilities that have been fixed and a list of the ones that are pending. Since there is no formal release, this would be good to have to advise the security team. Also, is there any news about a formal 3.4.0 release with all the XSS vulnerability fixes? Thank you in advance!

There will be a formal release. They have a PR with the progress :)

The headaches are the same regardless of the version number :). The team has spent a lot of time cleaning up that branch and getting it in the right state. Hang tight, should have good news soon.

Hi @innabauman could you please share your solution for this issue? my email is suman.[email protected]

27288 is almost ready. Sorry for the delay, everyone, we'll try to be more organized from now on.

@XhmikosR Is the release globally available?

The PR isn't merged yet, we'll get to it hopefully soon. I'm still making a few more tweaks.

@XhmikosR any tentative date when it would be available on "npm"?

No, sorry. It depends on a few other things.

Where is the 3.4 branch, I can no longer find it?

@khadzic according to this https://github.com/twbs/bootstrap/issues/20184#issuecomment-423277118 it's in the master branch.

@XhmikosR any idea when we might have the 3.4 release available via the Package Manager in VS?

Thanks
Chris

It doesn't depend purely on me. So please, guys, I understand your position, trust me, that is why I decided to spend the time to get this out :) That being said, please don't ask us every day. You will get notified when the release is out.

I hate to ask, but please share an update. It looks like our best bet is to upgrade to v4 to get this fixed in a timely fashion.

No news, yet, sorry. You can always use the master or the master-xmr-v3-fixes branch in the meantime. I don't expect any important changes to land there anymore before the release.

Any news?

Yeah, probably around December 10, hopefully.

Hi, will it be released today?

I sure hope so, it's late in USA so I haven't checked with @mdo yet.

Sorry for postponing this, I honestly hope it's the last time, we will release it on Thursday and then release v4.2.

Sorry for postponing this, I honestly hope it's the last time, we will release it on Thursday and then release v4.2.

Still on target for today's release?

Yup, waiting for @mdo and we'll start.

Yup, waiting for @mdo and we'll start.

Awesome, looking forward to it!

Hi, it's been a couple hours since the last question regarding ETA.

Do I have time to grab lunch before this is done?
Will there be an announcement here when it's done?

Thanks 👍 :)

We just merged #27288—release inbound!

Hi @490386Ayan - you can replace your Bootstrap minified JS with this one:
https://raw.githubusercontent.com/twbs/bootstrap/v3.4.0-dev/dist/js/bootstrap.min.js

Also you mentioned before you were using Bootstrap 3.3.6 - this version is incompatible with jQuery 3. If you were using Bootstrap 3.3.6 with jQuery 1.x then you would be exposed to other potential security issues. If you're upgrading to avoid security issues then you should also upgrade to jQuery 3.3.1.

Hello @coliff, the above URL for bootstrap.min.js is going to a 404. Please, can you share with me the link with the XSS fix?

Hi @OwaisDG, Bootstrap 3.4.0 is out now.
https://getbootstrap.com/docs/3.4/getting-started/#download