🚨 [security] [js] Update bootstrap-multiselect 0.9.13-1 → 2.0.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ bootstrap-multiselect (0.9.13-1 → 2.0.0) · Repo

Security Advisories 🚨

🚨 Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data

An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).

Release Notes

2.0.0

Bootstrap 5 release (#1288).

1.1.0

Features

• Redesign of filter and active items
• Added new option "widthSynchronizationMode"
• Added new option "buttonTextAlignment"

Resolved Bugs

• #1153: disabledText was displayed when list contains items but none are selected
• #1160: Fixed selection of option when pressing enter on an input text field
• #1167: Fixed select all behavior for collapsed option groups
• #1175: Improved "enableHTML" for options
• #1183: Fixed tabbing issue
• Fixed deselection of selected item in single-selection mode
• Fixed style of select when used in input groups

0.9.15

Updating from v0.9.13 is recommended. Note that v0.9.14 is a left-over tag where continuous integration is not working. Please refer to the updated documentation for changes or check the commits or pull requests.

0.9.13

Due to a XSS vulnerability, an update to v0.9.13 is highly recommended!

Changes:

• Merged: #539, #497, #502, #521.
• New option delimiterText (#531, #539).
• Support for data-placeholder.
• #526: Fixed default buttonTitle option.
• XSS vulnerability fixed with new release (#524).
• Support for collapsible optgroups (#521).
• FAQ: #532, #519.
• Examples: #529, #541.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

• Final changes for the 2.0.0 release with some more documentation in the getting started section.
• Few fixes for bootstrap 5 2.0.0 release:
• Merge pull request #1265 from hdwills/master
• Merge pull request #1287 from marcoris/master
• Merge pull request #1288 from derikb/develop-bs5
• minify and bump version
• refactor: more bs5 fixups
• feat(bootstrap): update classes for bs5
• Merge pull request #1 from marcoris/marcoris-remove-post.php
• Delete post.php
• Merge pull request #1 from hdwills/hdwills-patch-1
• docs: fiexd demo code

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)