Security: Update Bootstrap version

[hedsnz]

The version of Bootstrap bundled in Leaflet (https://github.com/rstudio/leaflet/blob/main/inst/htmlwidgets/plugins/Leaflet.awesome-markers/bootstrap.min.js) is 3.3.7. This version has several associated CVEs related to cross-site scripting vulnerabilities:

• CVE-2018-14040
• CVE-2018-14042
• CVE-2018-20676
• CVE-2018-20677
• CVE-2019-8331

The minimum version of Bootstrap without these vulnerabilities is 4.3.1. Would you consider updating the version of Bootstrap packaged in Leaflet?

Happy to contribute a PR if so.

[jcheng5]

We only use Bootstrap for glyphicons, it would be great if we could drop it. But glyphicons is not freely available except as packaged with Bootstrap 3. This gist might be a way out, mapping glyphicons to font-awesome.

[gadenbuie]

There are two more things to note:

1. The version of Bootstrap that's bundled in leaflet is not included by default in all leaflet maps. Instead, it is only included in maps that use leaflet::addAwesomeMarkers(), specifically with a glyphicon for icon.

2. If the leaflet map is embedded in an R Markdown or Quarto document or Shiny app that uses a later version of Bootstrap, then leaflet's embedded version will be ignored and the newer version of Bootstrap is used. In other cases, e.g. standalone leaflet maps, you can use htmltools::suppressDependencies() to suppress the Bootstrap bundle entirely.

[hedsnz]

Thanks for the comments -- good to know that there is some mitigation, and that it's only used in specific circumstances.

I'm happy to provide a PR that either updates to the latest version of Bootstrap, or manually maps glyphicons to font-awesome equivalents (and soft deprecating glyphicons/Bootstrap). Please let me know if either of those options would be accepted.

[hedsnz]

@jcheng5 following up on the above

[jcheng5]

So sorry @hedsnz. At this point I would take either an upgrade to Bootstrap 3.4.1 or the mapping to font-awesome. Thank you for offering.