acn-harryseong changed the title from "Provide a general summary of the issue" to "Detected security vulnerabilities in underlying bootstrap dependency" on Nov 6, 2024
@acn-harryseong We are currently using Snyk to detect vulnerabilities and it does not report any vulnerabilities for bootstrap version 5.1.3 that we are using. Did the SonaType NexusIQ specify the version of bootstrap that had 2 vulnerabilities? https://security.snyk.io/package/npm/bootstrap
Prerequisites
Describe the issue
React projects using @govtechsg/sgds-web-component latest version 2.1.2 were scanned and found to have the following 2 vulnerabilities related to the bootstrap dependency within the @govtechsg/sgds-web-component library:
According to SonaType NexusIQ, there is no non-vulnerable upgrade path currently, but this is an FYI in case there is an upgrade path to mitigate these detected vulnerabilities in the future for the underlying bootstrap dependency.
What operating system(s) are you seeing the problem on?
Windows
What browser(s) are you seeing the problem on?
Chrome
Describe your frontend stack. What version of React and @govtechsg/sgds-web-component are you using? CSR or SSR?
React 18.3.x, @govtechsg/sgds-web-component 2.1.2, CSR