Rancher Server Setup
- Rancher version: v2.14.1 (or your current version)
- Installation option: Helm Chart
Describe the bug
@rancher/api-ui bundles bootstrap v3.4.1, which has reached End-of-Life and will not receive any security patches. This version is flagged by dependency scanners (Snyk, Trivy) with the following CVEs:
- CVE-2025-1647 (Low) – XSS via DOM clobbering in Tooltip/Popover components
- CVE-2024-6485 (Medium) – XSS via data-loading-text attribute in Button component
Bootstrap 3 EoL reference: https://blog.getbootstrap.com/2019/07/24/lts-plan/
To Reproduce
Run a dependency audit:
Bootstrap 3.4.1 CVEs will be listed.
Result
CVEs are reported against bootstrap@3.4.1 bundled in @rancher/api-ui.
Expected Result
Bootstrap is bumped to a supported version (>=4.6.x or 5.3.x) so known CVEs are no longer flagged by security scanners.
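As an added illustration (not part of this issue or of Rancher's code), the check below walks a package-lock.json "packages" map (lockfileVersion 2/3) and reports every copy of bootstrap on the EoL 3.x line together with the package that bundles it, so a nested copy under @rancher/api-ui is caught even when the top-level bootstrap is current. The lock-file fragment is constructed for the example; the exact path layout is an assumption.

```javascript
// Added example: find EoL (3.x) bootstrap copies in a package-lock.json,
// including copies nested under another dependency. Not Rancher's own tooling.
const EOL_BOOTSTRAP_MAJOR_MAX = 3; // 3.x is End-of-Life; >=4.6.x / 5.3.x are supported

// Constructed lock-file fragment for illustration (not a real Rancher lock file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", dependencies: { "@rancher/api-ui": "^1.0.0", bootstrap: "^5.3.0" } },
    "node_modules/bootstrap": { version: "5.3.3" },
    "node_modules/@rancher/api-ui": { version: "1.0.0", dependencies: { bootstrap: "3.4.1" } },
    "node_modules/@rancher/api-ui/node_modules/bootstrap": { version: "3.4.1" },
  },
};

// Parse "3.4.1" (optionally prefixed with "v" or "=") into [3, 4, 1].
function parseSemver(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Return every bootstrap entry whose major version is on an EoL line.
// bundledBy is the package that carries the nested copy, or "<root>".
function findEolBootstrap(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    if (parts[parts.length - 1] !== "bootstrap") continue;
    const sv = parseSemver(entry.version || "");
    if (!sv || sv[0] > EOL_BOOTSTRAP_MAJOR_MAX) continue;
    // The bundling package is the path segment before the last "node_modules/".
    const parent = parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : "<root>";
    findings.push({ path, version: entry.version, bundledBy: parent });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed lock file.
for (const f of findEolBootstrap(SAMPLE_LOCK)) {
  console.log(`EoL bootstrap ${f.version} bundled by ${f.bundledBy} at ${f.path}`);
}
```

Point the function at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real lock file.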
Additional context