Bootstrap: Jquery < 3.5.0 security vulnerabilities

Created on 30 Apr 2020 · 9 Comments · Source: twbs/bootstrap

There are two security vulnerabilities reported with the version of jQuery that Bootstrap 4.4.1 requires:

GHSA-jpcq-cgw6-v4j6
GHSA-gxr4-xjj5-5px2

This appears to be fixed by https://github.com/twbs/bootstrap/pull/30559, but I don't believe that's been released yet.

v4

All 9 comments

I don't think it's been released either. I'm still getting

Cannot convert object to primitive value

error because of collapse.js on v4.4.1.
Are they waiting to release this in v4.4.2?

It's not released yet, but you should wait for jQuery v3.5.1 because more libraries are probably broken.

We are wrapping up any v4.4.2 patches and I'll try to release v4.4.2 ASAP.

EDIT: correction, or rather be extra careful when updating to jQuery v3.5.0 due to the breaking change it has, which is fixed in their 3.x branch, but a patch release has not been released yet.

Out of curiosity, is this breaking change only for jQuery 3.x, or for 1.x and 2.x too?

And will Bootstrap 4.4.2 work with jQuery 1 and 2, or not?

Many thanks

Only v3.5.0 has this bug AFAICT. But they made some security fixes in the same version, which is why they need to release v3.5.1 ASAP.

That being said, one can stay on jQuery v3.4.1 if they value that they are not affected by the security fixes.

As for older versions of jQuery, we actively test v1.9.1 and 3.4.1 and both work fine for Bootstrap v4.4.1. Bootstrap v4.4.2 which has the fix from our side will also work with jQuery v3.5.0.

But I really hope they release a new patch version too soon.

jQuery v3.5.1 was released a few hours ago. This should work with Bootstrap 4.x fine.

I'm going to close the issue, although we do have a fix in our v4-dev branch but now it's irrelevant.

I tried using v3.5.1 with Bootstrap v4.4.1 and collapse.js is now throwing another error: TypeError t.

Am I doing something wrong or the fix they released doesn't work?

You are doing something wrong.

Hmm I'm not having this issue and the release works for me.
