Foreman Javascript Library Versions

Hello Foreman Development Community, I have a question regarding the versions of some bundled JavaScript libraries, specifically Bootstrap and lodash. Foreman appears to currently be using version 3.4.1 of Bootstrap and version 4.17.21 of lodash, both of which contain known vulnerabilities.

I was curious if there are plans to package updated versions for either or both of these libraries in future Foreman/Katello releases?

1 Like

I’m not sure about lodash, but bootstrap I’m pretty sure is due to our use of Patternfly v3. We’re working on getting our UI up to date as soon as possible to allow us to use newer libraries. Our Angular stack in Katello is also old and creates a similar problem. This is why new UI pages have been rolling out.
The Red Hat repositories page is one of the main ones using PF3 that I know of. We’ve begun working on a redesign to potentially unify that page with the products page.
Anyway, I can’t say for sure exactly what release will see those versions gone, but I anticipate it should be soon™.

1 Like

Correct that Bootstrap is due to PatternFly v3, see https://github.com/patternfly/patternfly-3 (the repo containing the HTML, CSS, and jQuery for the PatternFly 3 project):

This reference implementation of PatternFly is based on Bootstrap v3.

We’re in the process of upgrading everything to PatternFly v5 (https://v5-archive.patternfly.org/). This in itself isn’t the newest version, but we want to avoid having 3 different versions of the library in a single application.

As a developer, the easiest way to recognize PF3 is imports from patternfly-react, for example:

import { Modal } from 'patternfly-react';

While PF5 will be @patternfly/react-*:

import { Modal } from '@patternfly/react-core';

At this point I think the plugins are the best places to help with this.

1 Like
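As an added example, not code from Foreman or any of its plugins: the post above says the practical way to tell PF3 from PF5 code is the import specifier, so here is a small scanner that applies exactly that rule across a set of source files. It classifies `patternfly-react` (and its sub-paths) as PF3 and anything under `@patternfly/react-*` as PF5, handling ES `import ... from`, side-effect `import '...'` and CommonJS `require('...')`. The file names and contents in `SAMPLE_FILES` are constructed for the example; in a real run you would read them from a plugin's `webpack/` directory.

```javascript
// Added example (not Foreman project code): find PatternFly 3 vs PatternFly 5
// usage by module specifier, the rule given in the thread.
// SAMPLE_FILES below is constructed for illustration.

const PF3_PACKAGE = "patternfly-react";      // PF3 React bindings
const PF5_SCOPE = "@patternfly/react-";      // PF5: @patternfly/react-core, -table, ...

// Captures the module specifier of an import/require statement on one line:
//   import X from '<spec>'   import '<spec>'   require('<spec>')
const SPECIFIER_RE =
  /(?:\bfrom\s+|^\s*import\s+|\brequire\(\s*)['"]([^'"]+)['"]/;

// Returns "pf3", "pf5" or null for a module specifier.
// Exact match or a sub-path ("patternfly-react/dist/...") counts as PF3;
// a different package that merely shares the prefix does not.
function classifySpecifier(spec) {
  if (spec === PF3_PACKAGE || spec.startsWith(PF3_PACKAGE + "/")) return "pf3";
  if (spec.startsWith(PF5_SCOPE)) return "pf5";
  return null;
}

// Scans one file's text and returns every PatternFly import with its line number.
function scanSource(path, source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    const m = SPECIFIER_RE.exec(line);
    if (!m) return;
    const kind = classifySpecifier(m[1]);
    if (kind) hits.push({ path, line: i + 1, specifier: m[1], kind });
  });
  return hits;
}

// files: { path: sourceText }. Returns the PF3 and PF5 hits separately so the
// PF3 list can be used as a migration worklist.
function summarize(files) {
  const hits = Object.entries(files).flatMap(([p, src]) => scanSource(p, src));
  return {
    pf3: hits.filter((h) => h.kind === "pf3"),
    pf5: hits.filter((h) => h.kind === "pf5"),
  };
}

// Constructed sample inputs (paths and contents are made up for the example).
const SAMPLE_FILES = {
  "webpack/components/OldModal.js": [
    "import React from 'react';",
    "import { Modal } from 'patternfly-react';",
    "import { Icon } from 'patternfly-react/dist/js/components/Icon';",
  ].join("\n"),
  "webpack/components/NewModal.js": [
    "import { Modal } from '@patternfly/react-core';",
    "import { Table } from '@patternfly/react-table';",
  ].join("\n"),
  "webpack/legacy.js": "const { Button } = require('patternfly-react');",
};

const report = summarize(SAMPLE_FILES);
console.log(`PF3 imports still to migrate: ${report.pf3.length}`);
for (const h of report.pf3) console.log(`  ${h.path}:${h.line}  ${h.specifier}`);
console.log(`PF5 imports: ${report.pf5.length}`);
```

The scanner is line-based on purpose: multi-line `import { a, b } from '...'` statements still match because the `from '...'` part sits on one line, and a quick per-line report is what you want when deciding which plugin files to migrate first.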

Hi @jakebr

We have recently upgraded lodash in foreman-packaging:

You can find more information here: Fixes #39081 - Bump version lodash to 4.17.23 by maximiliankolb, theforeman/foreman-packaging PR #13038, https://github.com/theforeman/foreman-packaging/pull/13038. This means that Foreman nightly is no longer affected by CVE-2025-13465.

1 Like
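As an added example, not code from Foreman or foreman-packaging: the post above names 4.17.23 as the lodash version that resolves the issue, and a developer checking a source checkout or plugin will want to know which lodash copies, including nested ones under another dependency's `node_modules`, are still older than that. This walks the `packages` map of a lockfile (the npm v2/v3 shape) and lists every `lodash` entry below the fixed version; lookalike packages such as `lodash.merge` are deliberately not matched. The lockfile object is constructed for the example.

```javascript
// Added example (not Foreman project code): list lodash copies in an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) that are older than
// the version the thread names as fixed. SAMPLE_LOCK below is constructed.

const FIXED_LODASH = "4.17.23"; // version named in the thread

// Parses "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; numeric per component, not lexical.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Keys in "packages" look like "node_modules/lodash" for the top-level copy and
// "node_modules/<dep>/node_modules/lodash" for a nested copy. The anchored
// regex requires the final path segment to be exactly "lodash".
const LODASH_KEY_RE = /(^|\/)node_modules\/lodash$/;

function findOutdatedLodash(lock, fixed = FIXED_LODASH) {
  const outdated = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!LODASH_KEY_RE.test(key)) continue;
    if (compareSemver(meta.version, fixed) < 0) {
      outdated.push({ path: key, version: meta.version });
    }
  }
  return outdated;
}

// Constructed sample lockfile: one stale top-level copy, one fixed nested copy,
// and an unrelated package whose name merely starts with "lodash".
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/lodash": { version: "4.17.23" },
    "node_modules/lodash.merge": { version: "4.6.2" },
  },
};

const stale = findOutdatedLodash(SAMPLE_LOCK);
for (const s of stale) {
  console.log(`${s.path} is ${s.version}, below ${FIXED_LODASH}`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one that a plain `npm ls lodash` at the top level is easiest to overlook.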

@MariaAga wrote up a more elaborate version of this:

1 Like