GitHub Dependabot Flags Bootstrap Security Vulnerability: XSS Risk in Scrollspy Data-Target
A GitHub Dependabot pull request has flagged a moderate-severity security vulnerability in the widely used Bootstrap framework, urging an upgrade from version 3.3.6 to 4.1.2. The automated alert explicitly states that the update includes security fixes, linking directly to a documented cross-site scripting (XSS) flaw. This vulnerability, present in Bootstrap versions prior to 3.4.0, is exploitable through the `data-target` property of the scrollspy component, posing a direct risk to any web application that ships the affected library.
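As a defender-side check for the exposure described above, the following added example (not code from the article, Bootstrap or Dependabot) walks a package-lock-style dependency tree and reports every Bootstrap copy still below the fixed release. It assumes 3.4.0 as the fixed floor for the 3.x line (stated above) and 4.1.2, the upgrade target of the pull request, as the first fixed 4.x release; the lockfile fragment is constructed for the example.

```javascript
// Added example: audit a lockfile-style tree for Bootstrap versions exposed to
// the scrollspy data-target XSS. Floors: 3.4.0 (from the article) and 4.1.2
// (the PR's upgrade target, assumed to be the first fixed 4.x release).
const FIXED_FLOORS = { 3: '3.4.0', 4: '4.1.2' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver ordering: numeric triple first; a prerelease sorts below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when the installed version is below the fixed floor of its major line.
// Majors 1 and 2 predate 3.4.0 and are treated as affected; 5+ as fixed.
function isAffected(version) {
  const { major } = parseVersion(version);
  if (major < 3) return true;
  const floor = FIXED_FLOORS[major];
  return floor !== undefined && compareVersions(version, floor) < 0;
}

// Walk a lockfile-v1-style tree ({ dependencies: { name: { version, dependencies } } })
// and return the install path of every vulnerable Bootstrap copy, nested ones included.
function findVulnerableBootstrap(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'bootstrap' && isAffected(info.version)) hits.push(here.join(' > '));
    hits.push(...findVulnerableBootstrap(info, here));
  }
  return hits;
}

// Constructed sample lockfile fragment: a direct 3.3.6 copy and a nested, fixed 4.1.2 copy.
const SAMPLE_LOCK = { dependencies: {
  bootstrap: { version: '3.3.6' },
  'some-ui-kit': { version: '1.0.0', dependencies: { bootstrap: { version: '4.1.2' } } },
} };
```

Running `findVulnerableBootstrap(SAMPLE_LOCK)` on the constructed tree reports only the direct `bootstrap@3.3.6` entry, which is exactly the upgrade the Dependabot pull request asks for.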
The alert, sourced from the GitHub Security Advisory Database, details that the issue is similar to a previously disclosed CVE-2018-14042. The pull request was generated by the now-deactivated Dependabot Preview service, creating a unique administrative artifact. The notification warns that closing the request will not resolve the issue; Dependabot will simply recreate it during its next update cycle, forcing the security matter to remain open until the dependency is upgraded.
This automated security nudge places immediate operational pressure on repository maintainers. The persistence of the alert highlights a critical junction in software supply chain hygiene: ignoring or manually dismissing such warnings leaves applications exposed to a known XSS vector. For any project still on Bootstrap 3.x, this serves as a mandatory checkpoint, signaling that continued use of outdated versions carries tangible security liabilities that are now being automatically surfaced and tracked within the development workflow itself.