Bootstrap Cross-Site Scripting (XSS) vulnerability

[RealKai42]

Describe the problem

Link: GHSA-vc8w-jr9v-vj7f

  ┌──────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
  │         Library          │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
  ├──────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
  │ bootstrap (package.json) │ CVE-2024-6531 │ MEDIUM   │ fixed  │ 4.6.0             │ 5.0.0         │ A vulnerability has been identified in Bootstrap that │
  │                          │               │          │        │                   │               │ exposes users to ......                               │
  │                          │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6531             │
  └──────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
  

This vulnerability is still present in the latest version of r-bslib, as it bundles Bootstrap version 4.6.0, which is affected by the issue.

Could bslib team help fix this vulnerabilities to protect the lib user？

Request for Assistance

Could the r-bslib team update Bootstrap to version 5.0.0 or higher to resolve this vulnerability and ensure the security of the library’s users?

[cpsievert]

bslib defaults to version 5.3.1 now. You have to specifically opt-in to 4.6.0 by doing bs_theme(version = 4)