
🚨 [security] Upgrade select2: 3.5.1 → 4.0.13 (major) #94

Open · wants to merge 1 commit into base: master
Conversation

@depfu depfu bot commented Jul 6, 2022


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ select2 (3.5.1 → 4.0.13) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Neutralization of Input During Web Page Generation in Select2

In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

Release Notes

4.0.13

New features / improvements

  • Trigger input event before change events (#4649)
  • Feed back the keypress code that was responsible for the 'close' event (#5513)
  • Only trigger selection:update once on DOM change events (#5734)

Bug fixes

  • Prevent opening of disabled elements (#5751)

Documentation

  • Fix "edit this page" links in docs (#5689)

Miscellaneous

Select2 is looking for sponsors to keep development active. Interested in seeing Select2 continue to be developed? Sponsor @kevin-brown (and by extension, Select2) on GitHub Sponsors or sponsor Select2 on Open Collective!

4.0.12

Bug fixes

  • Fixes incorrect offset when using the Shadow DOM and styling the <html> element (#5682)

Miscellaneous

  • Replace cdnjs with jsDelivr in the documentation (#5687)
  • Fix incorrect provider for the automated NPM deployment (#5686)

Select2 is looking for sponsors to keep development active. Interested in seeing Select2 continue to be developed? Sponsor @kevin-brown (and by extension, Select2) on GitHub Sponsors!

4.0.11

Bug fixes

  • Fixes jQuery migrate error when getting offset when dropdownParent not in document (#5584)

Miscellaneous

  • Enable GitHub actions for CI (#5591)
  • Documentation has been moved into and is deployed from the code repository (#5638)
  • Remove Travis CI integration (#5665)

4.0.10

New features / improvements

  • Support passing in a selector for dropdownParent option (#5622)

Bug fixes

  • Fix bug where dropdowns pointing upwards were incorrectly positioned (#5621)

4.0.9

New features / improvements

  • Mirror disabled state through aria-disabled on selection (#5579)
  • Select2 now clears the internal ID when it is destroyed (#5587)
  • Set the main ARIA 1.1 roles and properties for comboboxes (#5582)
  • The language option now has a clearly defined fallback chain (#5602)

Bug fixes

  • Do not propagate click when search box is not empty (#5580)
  • Fix maximumSelectionLength being ignored by closeOnSelect (#5581)
  • Fix generated options not receiving result IDs (#5586)
  • Remove selection title attribute if text is empty (#5589)
  • Reposition dropdown whenever items are selected (#5590)
  • Fix dropdown positioning when displayed above with messages (#5592)
  • Fix search box expanding width of container (#5595)
  • allowClear no longer shifts selections to a new line (#5603)

Translations

  • Fix error in German translations (#5604)

Miscellaneous

  • Updated development grunt version so it no longer shows as vulnerable (#5597)
  • Remove unused variables (#5554)

4.0.8

New features / improvements

  • Test against and fix compatibility with jQuery 3.4.1 (#5531)
  • Results respect disabled state of <option> (#5560)
  • Add computedstyle option for calculating the width (#5559)

Bug fixes

  • Fix tag creation being broken in 4.0.7 (#5558)
  • Fix infinite scroll when the scrollbar is not visible (#5575)
  • Revert change to focusing behaviour in 4.0.6 (#5576)

Translations

  • Fix wording in French translations (#5521)

Miscellaneous

  • Update grunt-contrib-qunit to latest version (#5530)
  • Removed unused .select2-selection__placeholder CSS definitions for multiple selects (#5508)
  • Remove deprecated jQuery shorthand (#5564)

4.0.7

New features/improvements

  • Do not close on select if Ctrl or Meta (Cmd) keys being held (#5222)

Bug fixes

  • Fixed issue where single select boxes would automatically reopen when they were closed (#5490, #5492)

Miscellaneous

  • Move almond and jquery-mousewheel to devDependencies (#5489)

4.0.6

New features/improvements

  • Add style property to package.json (#5019)
  • Implement clear and clearing events (#5058)
  • Add scrollAfterSelect option (#5150)
  • Add missing diacritics (#4118, #4337, #5464)

Bug fixes

  • Fix up arrow error when there are no options in dropdown (#5127)
  • Add ; before beginning of factory wrapper (#5089)
  • Fix IE11 issue with select losing focus after selecting an item (#4860)
  • Clear tooltip from select2-selection__rendered when selection is cleared (#4640, #4746)
  • Fix keyboard not closing when closing dropdown on iOS 10 (#4680)
  • User-defined types not normalized properly when passed in as data (#4632)
  • Perform deep merge for Defaults.set() (#4364)
  • Fix "the results could not be loaded" displaying during AJAX request (#4356)
  • Cache objects in Utils.__cache instead of using $.data (#4346, #5486)
  • Removing the double event binding registration of selection:update (#4306)

Accessibility

  • Improve .select2-hidden-accessible (#4908)
  • Add role and aria-readonly attributes to single selection dropdown value (#4881)

Translations

  • Add Turkmen translations (tk) (#5125)
  • Fix error in French translations (#5122)
  • Add Albanian translation (sq) (#5199)
  • Add Georgian translation (ka) (#5179)
  • Add Nepali translation (ne) (#5295)
  • Add Bangla translation (bn) (#5248)
  • Add removeAllItems translation for clear "x" title (#5291)
  • Fix wording in Vietnamese translations (#5387)
  • Fix error in Russian translation (#5401)

Miscellaneous

  • Remove duplicate CSS selector in classic theme (#5115)

4.0.6-rc.1

Bug fixes

  • Fix up arrow error when there are no options in dropdown (#5127)
  • Fix IE11 issue with select losing focus after selecting an item (#4860)
  • Reinstate backwards-compatible support for data('select2') (#4014)

Translations

  • Add Turkmen translations (tk) (#5125)
  • Fix error in French translations (#5122)

Miscellaneous

  • Remove duplicate CSS selector in classic theme (#5115)

4.0.5

Bug fixes

  • Replace autocapitalize=off with autocapitalize=none (#4994)

Translations

  • Vietnamese: remove an unnecessary quote mark (#5059)
  • Czech: Add missing commas and periods (#5052)
  • Spanish: Update the 'errorLoading' message (#5032)
  • Fix typo in Romanian (#5005)
  • Improve French translation (#4988)
  • Add Pashto translation (ps) (#4960)
  • Add translations for lower and upper Sorbian (dsb and hsb) (#4949)
  • Updates to Slovak (#4915)
  • Fixed Norwegian inputTooShort message (#4817, #4896)
  • Add Afrikaans translation (af) (#4850)
  • Add Bosnian translation (bs) (#4504)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Jul 6, 2022

commit-lint bot commented Jul 6, 2022

Contributors

depfu[bot]

Commit-Lint commands

You can trigger Commit-Lint actions by commenting on this PR:

  • @Commit-Lint merge patch will merge dependabot PR on "patch" versions (X.X.Y - Y change)
  • @Commit-Lint merge minor will merge dependabot PR on "minor" versions (X.Y.Y - Y change)
  • @Commit-Lint merge major will merge dependabot PR on "major" versions (Y.Y.Y - Y change)
  • @Commit-Lint merge disable will deactivate merge dependabot PR
  • @Commit-Lint review will approve dependabot PR
  • @Commit-Lint stop review will stop approve dependabot PR
