Hello everyone,
Thanks for the great distribution.
There was recently a Bootstrap security update
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1
It would be great to update the Bootstrap version to 3.4.1 in the next Open Atrium release.
The main annoyance at the moment is that GitHub security vulnerability warnings are picking up on the out-of-date versions.
I see references to Bootstrap in /profiles/openatrium/libraries/bootstrap/, and as part of the oa_radix and radix themes in /profiles/openatrium/themes/.
Edit: I've opened a similar issue for the Radix project
https://www.drupal.org/project/radix/issues/3041741
Comments
Comment #2
Comment #3
Comment #4
mpotter commented
Bootstrap in Atrium is a bit complicated. The JavaScript for Bootstrap is brought in via libraries/bootstrap and the bootstrap_library module, so updating that would be relatively easy. The CSS for Bootstrap is compiled into oa_theme and oa_basetheme as part of the SCSS compilation process, so changing the CSS is a lot more effort, since the theme has to be recompiled.
I'd be happy to accept patches to fix this, but maybe somebody with more info on the Bootstrap security issue can help. Unfortunately it's not just a simple matter of "update the bootstrap version number".
Also, if Bootstrap has made more changes than just the security update since it was added to Atrium, there is a chance of regressions in the theme. So I'd prefer to update only whatever is needed for the security fix.
Comment #5
Thanks @mpotter.
As far as I know, the CSS didn't change in the latest security release, but I will confirm this.
I'll look into the details, and submit a patch.
Comment #6
It looks like the OA version is using Bootstrap 3.1.1, and I imagine there have been many changes since.
Also, 3.4.1 needs jQuery 1.9.
I'm attaching a patch for oa_basetheme that I hope can be useful for testing.
In bower.json I've increased the version number of the bootstrap-sass package.
And in template.php I've changed the Bootstrap CDN version number.
I am also submitting a similar patch to radix.
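A check for the situation described in the original post and in comment #6, added here as an example (it is not code from Open Atrium, Radix or anyone in this thread): it walks a checkout for the three kinds of Bootstrap version pin mentioned above (the library header under libraries/bootstrap, the bootstrap-sass dependency in bower.json, the CDN URL in template.php) and flags anything older than the fixed releases named in the linked Bootstrap post, 3.4.1 for the 3.x line and 4.3.1 for the 4.x line. The regexes, the directory layout and the sample file contents are constructed assumptions for the demo, not Atrium's actual files; point `scan_tree` at a real profile directory to use it.

```python
"""Find Bootstrap version pins in a Drupal theme/profile tree that predate the
3.4.1 / 4.3.1 security releases. Added example; assumptions are marked."""
import re
import tempfile
from pathlib import Path

# Fixed versions per the getbootstrap.com post linked in the original report.
FIXED = {3: (3, 4, 1), 4: (4, 3, 1)}

# Places a Bootstrap version tends to be pinned (assumed patterns, not anything
# Open Atrium itself defines): the "/*! Bootstrap vX.Y.Z" header that ships at
# the top of bootstrap.js / bootstrap.css, a bootstrapcdn.com URL such as the one
# in template.php, and a bower.json dependency like "bootstrap-sass": "~3.1.1".
PATTERNS = (
    ("js/css header", re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")),
    ("cdn url", re.compile(r"bootstrapcdn\.com/bootstrap/(\d+)\.(\d+)\.(\d+)/")),
    ("bower dependency",
     re.compile(r'"bootstrap(?:-sass)?"\s*:\s*"[~^]?(\d+)\.(\d+)\.(\d+)"')),
)


def find_pins(text):
    """Return every (kind, (major, minor, patch)) Bootstrap pin found in text."""
    pins = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            pins.append((kind, tuple(int(x) for x in m.groups())))
    return pins


def outdated(pins):
    """Keep pins on a known major line that are older than that line's fix.
    Tuple comparison gives the right ordering for dotted versions."""
    return [(kind, v) for kind, v in pins if v[0] in FIXED and v < FIXED[v[0]]]


def scan_tree(root, exts=(".js", ".json", ".php", ".scss", ".css")):
    """Map relative file path -> outdated pins, for files with the given suffixes.
    Compiled theme CSS is only caught if the compiler kept the /*! header."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in exts:
            hits = outdated(find_pins(path.read_text(encoding="utf-8", errors="replace")))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree mirroring the locations named in the thread; the
# contents are made up for the demo and are not Atrium's real files.
CONSTRUCTED_TREE = {
    "libraries/bootstrap/js/bootstrap.min.js":
        "/*!\n * Bootstrap v3.1.1 (http://getbootstrap.com)\n */\n",
    "themes/oa_basetheme/bower.json":
        '{\n  "dependencies": {\n    "bootstrap-sass": "~3.1.1"\n  }\n}\n',
    "themes/oa_basetheme/template.php":
        "<?php\n$cdn = '//maxcdn.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js';\n",
    # Already on the fixed release, so it must not be reported.
    "themes/radix/bower.json":
        '{ "dependencies": { "bootstrap-sass": "~3.4.1" } }\n',
}


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in CONSTRUCTED_TREE.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        for kind, v in hits:
            fixed = ".".join(map(str, FIXED[v[0]]))
            print(f"{path}: {kind} pins {'.'.join(map(str, v))}, fix is {fixed}")
```

Running it reports the three constructed 3.1.1 pins and stays silent on the radix bower.json at 3.4.1, which is the behaviour wanted when re-running the check after a patch like the one in comment #6 has been applied.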
Comment #7
Comment #8
mpotter commented
Definitely need some big Atrium sites to test this patch and post feedback here on whether there are regressions from such a large change in Bootstrap and jQuery.
Comment #9
mcorrigan commented
We maintain a platform of ~20 private portals running on the latest version of Atrium and needed to upgrade Bootstrap to satisfy a new client's IT security review. We upgraded the Bootstrap library to 3.4.1 and jQuery to 1.10. Our sites have lots of overrides and a custom theme, but for what it's worth, the only issue we came across after regression testing was a conflict with the wysiwyg ckeditor setting. We don't use it anywhere, so we just removed it. Hope this helps!
Comment #10
mpotter commented
Did some work on this one. Applied the patch and then rebuilt the theme. It seems to be fine. Also updated oa_radix theme, even though it's deprecated.
Committed f2feea4 to oa_basetheme.
Committed 87b3b7 to oa_theme.
Committed 05a61d to oa_radix.