Update dependency bootstrap-select to ~1.13.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
bootstrap-select (source)	~1.12.1 → ~1.13.0

GitHub Vulnerability Alerts

GHSA-9r7h-6639-v5mw

Versions of bootstrap-select prior to 1.13.6 are vulnerable to Cross-Site Scripting (XSS). The package does not escape title values on <option> tags. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 1.13.6 or later.

CVE-2019-20921

bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

---

Release Notes

snapappointments/bootstrap-select (bootstrap-select)

v1.13.6

Compare Source

Bug Fixes

• #​1321: remove extra files from bower release
• #​1665: performance improvements
• #​1832: use on and trigger event handlers instead of click and change shorthand
• #​2078: Elements in an input group below a selectpicker have a higher z-index, causing them to appear above the opened menu
• #​2150: Live search discards the first typed character
• #​2163: Cannot read property 'top' of undefined (ensure container exists)
• #​2166: Sub options display separately instead of as 1 list
• #​2187: move bulk of logic into a setTimeout for faster page load
• #​2189: Empty select refresh error "Cannot read property 'classList' of undefined"
• #​2198: "Cannot read property '0' of undefined" when dropupAuto is false and the select is at the bottom of the page
• #​2199: Escaped tags parsed as non-escaped in title and data-content
• #​2202: always update menu size after updates to live search
• #​2206: Map file for minified js version does not work correctly
• #​2210: An extra divider is added if an optgroup is the last visible element and there are hidden options after it
• #​2217: The bottom divider of an optgroup disappears when searching and one of the options in the optgroup is hidden

Security

• #​2199: Fixed an XSS vulnerability with data-content, data-subtext, and title options. Implemented a new HTML sanitizer for data-content.

---

v1.13.5

Compare Source

Bug Fixes

• #​2160: Selects with a title option throw an error in the render function

---

v1.13.4

Compare Source

Bug Fixes

• #​1710: When listening for keydown event on .bs-searchbox, ensure it is a child of .bootstrap-select
• #​1943: Option dropdownAlignRight auto doesn't work
• #​2034: Uncaught TypeError: Cannot read property '0' of undefined
• #​2082: button vertical alignment
• #​2105: Dynamically added picker causes resize JS error
• #​2118: Memory leak: getPlacement resize & scroll
• #​2140: data-hidden broken in v1.13.0
• #​2151: This plugins broken when the version of IE below 10

Documentation

• #​2125: add styleBase option to documentation

New Features

• #​767, #​1876, #​2026: Improve/expand liveSearchNormalize
• #​2120, #​2121, #​2152 - replace JSHint with ESLint (clean up code)
• #​1910: Amharic locale
• #​1926: Latvian locale

---

v1.13.3

Compare Source

Bug Fixes

• #​1425: Don't render checkMark (tickIcon) if showTick is false or the select is not multiple
• #​1828: Select not working on mobile
• #​2045: 'auto' width not working
• #​2086: Cannot read property 'display' of undefined
• #​2092: Cannot read property 'className' of undefined
• #​2101: Extra tick mark when using livesearch in Bootstrap 4

---

v1.13.2

Compare Source

Bug Fixes

• #​1999: selected styling removed from previous option in a multiselect
• #​2024: Arrow down key doesn't scroll the view to the top when virtualScroll is disabled
• #​2027: data-max-options="1" not removing selected class
• #​2029: LiveSearch and "Select All" selects too many options
• #​2033: Dividers broken on bootstrap 4
• #​2035: Selectbox with live search throwing error when UP/DOWN key is pressed
• #​2038: Select / Deselect All buttons are modifying disabled options
• #​2044: When data-container is set, first click resets scroll position
• #​2045: 'auto' width not working
• #​2047: Optgroup labels are escaped
• #​2058: Menu hight is not properly calculated when using data-size and styling the options' height
• #​2079: Subtext is difficult to read on active options

New Features

• #​1972: add option to manually specify Bootstrap's version
• #​2036: Add support for Bootstrap dropdown's display property added in v4.1.0

---

v1.13.1

Compare Source

Bug Fixes

• #​1342: Bootstrap select doesn't send field data on form submit (set form attribute on select element to fix)
• #​2402: In Internet Explorer, with liveSearchPlaceholder enabled, can't select option while searchBox is focused. Also, selected option doesn't get scrolled to when opening menu
• #​2464: title attribute does not work in 1.13.17 (Safari)
• #​2469: Shift-Tab key not working in 1.13.17
• #​2474: With multiple selects, cannot select options with keyboard after using mouse to select options
• #​2483: Dropdown with unselectable index 0 will not scroll to top on arrow_down with last index selected
• #​2491: remove placeholder/title option when destroying selectpicker

---

v1.13.0

Compare Source

Bug Fixes

• #​2060: form control sizing classes not working
• fix sass variable syntax
• #​2062: popper error when bootstrap-select is in a navbar
• #​1913:   causing formatting errors on MacOS
• #​2061: unnecessary caret code with Bootstrap 4
• #​2065: .empty() method is not working
• #​2063: New-lines in options cause formatting issues with title attribute (if multiple options selected)
• #​2064: Purely numeric data-subtext breaks live search
• #​2066: Button padding when using data-width="fit" is incorrect
• #​2067: input group addons not displaying properly
• #​2077: selectAll performance in Edge is abysmal
• #​2074: show-menu-arrow not displaying properly
• #​2068: Bootstrap 4 validation pseudo classes not being applied properly when new options are appended dynamically
• #​2070: popover-title is not popover-header in Bootstrap 4
• #​2075: liveSearch with data-content not working
• #​2072: Button text breaks to the next line when using form-control as styleBase (Bootstrap 4)
• #​2069: Placeholder text is unreadable on darker buttons (btn-primary, btn-success, etc.)
• #​1691: XSS vulnerability in option title

New Features

• #​1404, #​1697: changed.bs.select now passes through previousValue as the third parameter (instead of the previous value of the option, which was redundant). This is the value of the select prior to being changed.
• update jQuery range to make v1.9.1 the minimum (and exclude version 4)

---

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[miq-bot]

This pull request has been automatically marked as stale because it has not been updated for at least 3 months.

If these changes are still valid, please remove the stale label, make any changes requested by reviewers (if any), and ensure that this issue is being looked at by the assigned/reviewer(s).

[miq-bot]

Checked commit f4996b2 with ruby 3.3.10, rubocop 1.56.3, haml-lint 0.69.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 🍰