🚨 [security] Upgrade bootstrap: 4.1.3 → 4.3.1 (minor)

[depfu]

---

🚨 Your version of bootstrap has known security vulnerabilities 🚨

Advisory: CVE-2019-8331
Disclosed: February 15, 2019
URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

XSS vulnerability in bootstrap

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
in the tooltip or popover data-template attribute.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ bootstrap (4.1.3 → 4.3.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

• Bump bootstrap to 4.3.1
• rake update[v4.3.1]
• Updater: Exclude tools/sanitizer.js from bootstrap_js_files
• Bump to v4.3.0
• rake update[v4.3.0]
• Bump to v4.2.1
• rake update[v4.2.1]
• rake update[v4-dev]
• Depend on sassc-rails, specify required_ruby_version
• Set min precision to 6 as per upstream
• sass -> sassc

↗️ autoprefixer-rails (indirect, 9.2.1 → 9.5.1) · Repo · Changelog

Release Notes

9.5.1 (from changelog)

• Fix backdrop-filter for Edge (by Oleh Aloshkin).
• Fix min-resolution media query support in Firefox < 16.

9.4.10.2 (from changelog)

• Fix Ruby < 2.4 support (by Jack Ford).
• Update Can I Use data.

9.4.10.1 (from changelog)

• Fix non-Rails environments support (by Junya Ogura).
• Update Can I Use data.

9.4.10 (from changelog)

• Add warning for named Grid rows.

9.4.9 (from changelog)

• Fix grid-template and @media case (by Bogdan Dolin).

9.4.8 (from changelog)

• Fix calc() support in Grid gap.

9.4.7 (from changelog)

• Fix infinite loop on mismatched parens.

9.4.6 (from changelog)

• Fix warning text (by Albert Juhé Lluveras).

9.4.5 (from changelog)

• Fix text-decoration-skip-ink support.

9.4.4 (from changelog)

• Use direction value for -ms-writing-mode (by Denys Kniazevych).
• Fix warning text (by @zzzzBov).

Not all release notes shown. View the full release notes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 52 commits:

• Release 9.5.1 version
• Update autoprefixer.js with backdrop-filter and resolution fixes
• Fix specs
• Remove old file
• Remove Compass tests
• Add security note
• Release 9.5 version
• Update autoprefixer.js with mark-composite
• Release 9.4.10.2 version
• Update autoprefixer.js with fresh data
• Convert from match? to match to support rubies < 2.4 (#156)
• Release 9.4.10.1
• Update auroprefixer.js with fresh Can I Use
• Fix NameError when processing without Rails (#154)
• Release 9.4.10 version
• Update autoprefixer.js with warning for named Grid lines
• Clean up Compass config
• Give StandardRB a shot (#153)
• Add Rubygems links (#152)
• Release 9.4.9 version
• Update autoprefixer.js with Grid fix
• Release 9.4.8 version
• Updaye Autoprefixer with calc() support fix in grid-gap
• Release 9.4.7 version
• Update autoprefixer.js with infinite loop fix
• Release 9.4.6 version
• Update autoprefixer.js with fixed warning
• Release 9.4.5 version
• Update autoprefixer.js with text-decoration-skip-ink support
• Update autoprefixer.js with new dependencies
• Release 9.4.4 version
• Try to fix Bundler issue with Travis CI
• Try to fix Ruby 2.3 issue
• Fix Travis CI config
• Update Ruby for Travis CI
• Update autoprefixer.js with -ms-writing-mode fix and warning typo
• Release 9.4.3 version
• Update autoprefixer.js with extra warning
• Typo
• Release 9.4.2 version
• Update autoprefixer.js with warning fix
• Release 9.4.1 version
• Update autoprefixer.js with Grid prefix fix
• Fix typo (#151)
• Release 9.4 version
• Update autoprefixer.js with Grid Autoplacement for IE
• Release 9.3.1 version
• Update autoprefixer.js with Grid fix
• Release 9.3 version
• Update autoprefixer.js with place-self
• Fix links syntax in docs
• Add compatibility information on the README (#148)

↗️ ffi (indirect, 1.9.25 → 1.10.0) · Repo · Changelog

Release Notes

1.10.0 (from changelog)

Added:

• Add /opt/local/lib/ to ffi's fallback library search path. #638
• Add binary gem support for ruby-2.6 on Windows
• Add FreeBSD on AArch64 and ARM support. #644
• Add FFI::LastError.winapi_error on Windows native or Cygwin. #633

Changed:

• Update to rake-compiler-dock-0.7.0
• Use 64-bit inodes on FreeBSD >= 12. #644
• Switch time_t and suseconds_t types to long on FreeBSD. #627
• Make register_t long_long on 64-bit FreeBSD. #644
• Fix Pointer#write_array_of_type #637

Removed:

• Drop binary gem support for ruby-2.0 and 2.1 on Windows

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

• Bump VERSION to 1.10.0
• Update CHANGELOG
• Merge pull request #633 from graywolf/add_win_error
• Merge pull request #637 from ytaka/ytaka
• Merge pull request #655 from 4ndv/master
• Merge branch 'master' of https://github.com/meanphil/ffi into meanphil-master
• Use local variable instead of constant
• Merge branch 'master' of https://github.com/myfreeweb/ffi into myfreeweb-master
• Remove rubinius, since it seems to be no longer available on Travis-CI
• Travis-CI: Remove old rubies and update the rest
• Appveyor: Replace deprecated gem install options
• Enable gem:windows on JRuby and avoid extra downloads while cross build
• Update rake-compiler-dock to add binary gem support for ruby-2.6
• Remove deprecated gemspec option has_rdoc
• Replaced :get_uint8 with :read_uint8 in Pointer#read_array_of_type documentation, fixes #266
• Add spec for Pointer#write_array_of_type
• Fix Pointer#write_array_of_type
• Make register_t long_long on 64-bit FreeBSD
• Add FreeBSD on AArch64 and ARM support
• Use 64-bit inodes on FreeBSD >= 12
• adding MacPorts,Fink,etc search path in /opt/local/lib (#638)
• Add reference to CVE-2018-1000201 [ci skip]

↗️ popper_js (indirect, 1.14.3 → 1.14.5) · Repo

Commits

See the full diff on Github. The new version differs by 1 commit:

• Update to v1.14.5 (#6)

↗️ rb-inotify (indirect, 0.9.10 → 0.10.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sass (indirect, 3.6.0 → 3.7.4) · Repo

Sorry, we couldn't find anything useful about this release.

🆕 sassc (added, 2.0.1)

🆕 sassc-rails (added, 2.1.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)