Moving to Bootstrap 5

Looking at the Haiku website files, it seems we are still using Bootstrap 3.3.7 - the latest version is Bootstrap 5.0.1!

I tried swapping out the Bootstrap 3 bootstrap.min.css file with a new Bootstrap 5 - surprisingly 80% of the site is good to go, but some bugs need to be fixed - for starters, the navbar defaults to mobile mode for some reason, and the “Activity” tabs have all lost their styling and shape. Additionally, the sidebar that appears on the left of news items and blogposts now shifts to the right.

Would someone be willing to help fix these issues once I push the changes to GitHub?

The darkmode overwrites colors from bootstrap.css, so you likely need to fix that too if you update it.

Is there any pressing reason to update? I thought it was only a css base file.

1 Like

It looks like 5.0 just came out last month. Maybe we don't rush a .0 release? :slight_smile:

We could look at moving to the 4.6.x release as an alternative.

Does this fix any specific bugs or problems with the website rendering? If not, I don’t see a reason to update. Newer is not necessarily better?

7 Likes

There is at least this CVE (and others). It would be fixed by upgrading to a newer 3.4.x at a minimum.

1 Like

I don't know anything about stuff like this, but a CVE in a static website? What does that mean?

CVE stands for Common Vulnerabilities and Exposures. Basically a CVE number correlates to a specific security vulnerability in a piece of software. In this case the current Bootstrap version we are running has some security holes and needs to be patched at some point.

1 Like

I don’t think Haiku uses that.

1 Like

Uses what? The link didn't work.

Works fine for me, it is a query for the attribute data-template which the CVE is about.

1 Like

Correct, but it has a security vulnerability was my point. There are also a few other CVEs that affect our current release.
So in the end, yes we should look at upgrading. Either to a recent 3.4 or 4.6 release at least.

1 Like

OK, but could you give a link to the CVE? I still can’t imagine what could happen with a static page, but I never had good imagination. It is just html, right?
EDIT: found the link.

I did above. :slight_smile:

I just thought I might try out Bootstrap 5 with the website - of course, if there’s no need to upgrade then that’s fine.

Here are the major differences between Bootstrap 3 and 4:

And between Bootstrap 4 and 5:

Looking at the vulnerability database here, it seems that any version from Bootstrap 4.4.0 does not have any vulnerabilities: bootstrap vulnerabilities | Snyk

So could someone have a look and determine whether we need to upgrade to 5, or is an upgrade to 4.X good for now?

From what I can tell the 4.6.x line has no vulnerabilities so it would be the wisest move from a security perspective.

1 Like

The security database says so as well - so our options are upgrading to 4.6.X or 5.X

I would say 4.6.x is the route since it's been out the longest. Just my opinion though.

1 Like

Every software has vulnerabilities, there is no reason to expect the new releases to be devoid of them, I don’t see a reason to upgrade the website for CVE’s that don’t affect us, so we should probably check first whether this is the case? At least for the example provided above it seems it doesn’t affect us, thus would not warrant an update.

3 Likes
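The check asked for above (does the site use the `data-template` attribute at all, and is the bundled Bootstrap older than 3.4.1), as an added example that is not part of the thread or of the Haiku website's code. It assumes the Bootstrap CSS file still carries its `Bootstrap vX.Y.Z` banner comment; the function names and the sample input are made up for illustration.

```python
import re
from html.parser import HTMLParser

FIXED = (3, 4, 1)  # thread: "The CVE recommends updating to 3.4.1 or later"

def bootstrap_version(css_text):
    """Read the version from the banner comment at the top of bootstrap(.min).css."""
    m = re.search(r"Bootstrap\s+v(\d+)\.(\d+)\.(\d+)", css_text[:512])
    return tuple(int(p) for p in m.groups()) if m else None

class TemplateAttrFinder(HTMLParser):
    """Collect every start tag that carries a data-template attribute."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lower-cases attribute names
            if name == "data-template":
                self.hits.append((self.getpos()[0], tag, value))  # line of the tag

def find_data_template(html_text):
    finder = TemplateAttrFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

def triage(css_text, pages):
    """pages maps file name -> HTML text. Flags the site only when both conditions hold."""
    version = bootstrap_version(css_text)
    below_fixed = version is None or version < FIXED  # unknown version: assume old
    hits = {n: h for n, h in ((n, find_data_template(b)) for n, b in pages.items()) if h}
    return {"version": version, "below_fixed": below_fixed,
            "hits": hits, "needs_review": below_fixed and bool(hits)}

# Constructed sample input, not taken from the Haiku website.
SAMPLE_CSS = "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */\n.btn{}"
SAMPLE_PAGES = {
    "index.html": '<nav class="navbar">\n<a href="/about">About</a>\n</nav>\n',
    "blog.html": '<p>\n<a href="#" DATA-TEMPLATE="<div class=\'tooltip\'></div>">x</a>\n</p>\n',
}

if __name__ == "__main__":
    print(triage(SAMPLE_CSS, SAMPLE_PAGES))
```

A result with no hits covers only attributes written in the HTML files that were scanned.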

The CVE recommends updating to 3.4.1 or later, so maybe we can stay on the same major release and then we don’t need to change as many things in the website?

3 Likes

@PulkoMandy just tested out V3.4.1 - the last version of Bootstrap 3.X - everything works fine, so I think we can upgrade straightaway to this version for now.