Originally published on endoflife.ai.
Bootstrap is one of the most widely deployed front-end frameworks on the web — and most of that deployment is on versions that are end of life. Bootstrap 5 is the only maintained line (Risk Score 20, Low). Bootstrap 4 reached end of life on December 31, 2022, Bootstrap 3 back in July 2019, and Bootstrap 2 over a decade ago — yet millions of production sites still run 3 and 4.
And Bootstrap carries a risk most CSS frameworks don't: Bootstrap 3 and 4 depend on jQuery, so running them almost always means also running an old jQuery, frequently one that is itself end of life or missing security fixes.
Bootstrap version EOL schedule
| Version | End of Life | Status | Risk Score |
|---|---|---|---|
| Bootstrap 2 | Aug 18, 2013 | EOL | 60 |
| Bootstrap 3 | Jul 23, 2019 | EOL | 60 |
| Bootstrap 4 | Dec 31, 2022 | EOL | 60 |
| Bootstrap 5 (current) | Maintained | Supported | 20 |
The real risk of EOL Bootstrap
Bootstrap is mostly CSS, so how dangerous is an EOL version really? Less acutely dangerous than an EOL database or runtime, but not zero — and concentrated in three places:
- The JavaScript components. Tooltips, popovers, modals and the data-attribute API read attributes and write to the DOM, and older Bootstrap had real XSS bugs in exactly these places: several `data-*` target/container attributes, and the tooltip/popover `data-template` handling (CVE-2019-8331), which is why 3.4.1 and 4.3.1 added a template sanitizer. Those fixes landed in late 3.x/4.x point releases. Pinned to an old minor? You may be missing them, and no more are coming.
- The frozen ecosystem. EOL Bootstrap locks you to themes, plugins and build tooling that are themselves unmaintained, and, for 3/4, to a specific old jQuery.
- Browser drift. Layout and behaviour bugs accumulate as browsers evolve, and nobody upstream will fix them.
The jQuery problem in Bootstrap 3 & 4
Bootstrap 3 and 4 require jQuery — Bootstrap 5 removed it entirely. So an EOL Bootstrap 3/4 site is almost always also shipping jQuery, usually an old one. Any jQuery below 3.5.0 carries known XSS (CVE-2020-11022/11023). "We're just on old Bootstrap" frequently means "we're also serving vulnerable jQuery" — two EOL dependencies for the price of one.
Upgrading to Bootstrap 5 isn't only a CSS modernisation — it removes the jQuery dependency (Bootstrap 5's JS is vanilla), eliminating an entire class of EOL exposure in one move. See the jQuery EOL guide for which jQuery versions are dangerous.
Bootstrap 5 — the maintained line
Bootstrap 5 is the only line still receiving updates (Risk Score 20). It dropped jQuery for vanilla JS, added a CSS custom-properties layer, expanded the utility API, and added built-in RTL support. Moving Bootstrap 4 → 5 also sheds the jQuery liability — the rare upgrade that reduces your dependency count rather than growing it.
Migrating to Bootstrap 5
- Confirm which Bootstrap (and jQuery) you ship. Check your bundle, not your `package.json`: old Bootstrap hides in vendored CSS and CMS themes.
- Update the class names. `ml-*`/`mr-*` → `ms-*`/`me-*`, `.no-gutters` → `.g-0`, the `.custom-*` form classes folded into `.form-*`, and `data-*` attributes gained a `bs-` prefix (`data-bs-toggle`). Mostly find-and-replace.
- Remove jQuery-dependent JavaScript. Replace `$('...').modal()`-style calls with the Bootstrap 5 JS API; audit your own code so you can drop jQuery entirely.
- Re-test interactive components and responsive layouts: modals, dropdowns, tooltips, the grid, custom themes. Note that Bootstrap 5 dropped IE support.
- Adopt the new layers as you go. Lean on CSS custom properties and the utility API to retire bespoke overrides.
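The first two steps of this procedure, finding out what the bundle actually ships and doing the mechanical renames, as an added Node.js example. This is not code from the original post or from the Bootstrap project. It reads the license banners that minified Bootstrap and jQuery carry (`/*! Bootstrap v4.2.1 ...`, `/*! jQuery v3.4.1 ...`), flags EOL lines, point releases older than the 3.4.1/4.3.1 tooltip XSS fix and jQuery older than 3.5.0, then rewrites `class` and `data-*` attributes in HTML. The bundle text and HTML fragment are constructed samples; the rename table goes beyond the four renames listed above with other one-to-one renames from the Bootstrap 5 migration guide; the banner regex assumes stock banners, which a build that strips comments will remove.

```javascript
// Added example (not from the original post or the Bootstrap project):
// (1) read the version banners minified Bootstrap and jQuery files carry, so a
//     vendored copy is found even when package.json says nothing, and
// (2) apply the mechanical Bootstrap 4 -> 5 renames to an HTML fragment.
// Run with: node bootstrap-audit.js   (Node 14+, no dependencies)

// Minified Bootstrap 3/4 starts "/*!\n * Bootstrap v4.6.2 (https://getbootstrap.com/)",
// minified jQuery starts "/*! jQuery v3.4.1 | (c) JS Foundation ...". Assumes those banners survive the build.
const BANNER_RE = /\/\*!?[\s*]*(Bootstrap|jQuery)\s+v(\d+)\.(\d+)\.(\d+)/g;

// EOL dates from the table above (endoflife.ai); Bootstrap 5 is maintained.
const BOOTSTRAP_EOL = { 2: '2013-08-18', 3: '2019-07-23', 4: '2022-12-31' };

const ver = (major, minor, patch) => ({ major: +major, minor: +minor, patch: +patch });
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;

// Every Bootstrap/jQuery banner in the bundle text, with its parsed version.
function detectLibraries(bundleText) {
  return Array.from(bundleText.matchAll(BANNER_RE), (m) => ({ name: m[1], version: ver(m[2], m[3], m[4]) }));
}

// Findings a reviewer can act on: EOL line, known-vulnerable point release,
// and the jQuery dependency that Bootstrap 2/3/4 drag in.
function assessBundle(bundleText) {
  const findings = [];
  for (const { name, version: v } of detectLibraries(bundleText)) {
    const lib = `${name} ${v.major}.${v.minor}.${v.patch}`;
    if (name === 'Bootstrap') {
      if (v.major in BOOTSTRAP_EOL) {
        findings.push({ lib, severity: 'eol', detail: `end of life since ${BOOTSTRAP_EOL[v.major]}` });
      }
      // 3.4.1 and 4.3.1 fixed the tooltip/popover template XSS (CVE-2019-8331)
      // by adding the template sanitizer; older point releases in those lines lack it.
      const fixed = v.major === 3 ? ver(3, 4, 1) : v.major === 4 ? ver(4, 3, 1) : null;
      if (fixed && cmp(v, fixed) < 0) {
        findings.push({ lib, severity: 'vuln', detail: `tooltip/popover XSS (CVE-2019-8331), fixed in ${fixed.major}.${fixed.minor}.${fixed.patch}` });
      }
      if (v.major < 5) {
        findings.push({ lib, severity: 'info', detail: 'requires jQuery: expect a second EOL dependency in the bundle' });
      }
    } else if (name === 'jQuery' && cmp(v, ver(3, 5, 0)) < 0) {
      findings.push({ lib, severity: 'vuln', detail: 'htmlPrefilter XSS (CVE-2020-11022/11023), fixed in 3.5.0' });
    }
  }
  return findings;
}

// Step 2 renames. The first four are the ones the post lists; the rest are other
// one-to-one renames from the Bootstrap 5 migration guide. Empty string = drop the token.
const CLASS_MAP = {
  'no-gutters': 'g-0', 'custom-select': 'form-select', 'custom-range': 'form-range',
  'custom-control': 'form-check', 'custom-checkbox': '', 'custom-radio': '', 'custom-switch': 'form-switch',
  'custom-control-input': 'form-check-input', 'custom-control-label': 'form-check-label',
  'form-row': 'row', 'form-group': 'mb-3', 'sr-only': 'visually-hidden',
  'text-left': 'text-start', 'text-right': 'text-end', 'float-left': 'float-start', 'float-right': 'float-end',
  'close': 'btn-close', 'badge-pill': 'rounded-pill',
};

// Bootstrap 5 prefixes the data attributes its JS reads with "bs-".
const BS_DATA_ATTRS = ['toggle', 'target', 'dismiss', 'parent', 'ride', 'slide-to', 'slide', 'interval',
  'placement', 'trigger', 'content', 'container', 'html', 'spy', 'offset', 'backdrop', 'keyboard', 'autohide', 'delay'];
const DATA_ATTR_RE = new RegExp(`\\bdata-(${BS_DATA_ATTRS.join('|')})=`, 'g');

function migrateClassToken(token) {
  // ml-*/mr-*/pl-*/pr-* (with optional breakpoint, e.g. pl-md-3) -> ms-/me-/ps-/pe-
  const side = token.match(/^([mp])([lr])-(.+)$/);
  if (side) return `${side[1]}${side[2] === 'l' ? 's' : 'e'}-${side[3]}`;
  const fw = token.match(/^font-weight-(.+)$/);
  if (fw) return `fw-${fw[1]}`;
  return Object.prototype.hasOwnProperty.call(CLASS_MAP, token) ? CLASS_MAP[token] : token;
}

// Rewrite class="..." attributes token by token, then the data-* attributes.
// Whole tokens only, but a custom class such as "ml-model" or "close" would still be
// renamed, so review the diff rather than committing the output blind.
function migrateHtml(html) {
  return html
    .replace(/class="([^"]*)"/g, (_, list) => {
      const tokens = list.split(/\s+/).filter(Boolean).map(migrateClassToken).filter(Boolean);
      return `class="${tokens.join(' ')}"`;
    })
    .replace(DATA_ATTR_RE, 'data-bs-$1=');
}

// Constructed sample inputs (not real files): a bundle concatenating Bootstrap 4.2.1
// and jQuery 3.4.1, and a Bootstrap 4 markup fragment.
const SAMPLE_BUNDLE = [
  '/*!',
  '  * Bootstrap v4.2.1 (https://getbootstrap.com/)',
  '  */',
  '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */',
  '!function(e,t){"use strict"}(window);',
].join('\n');

const SAMPLE_HTML =
  '<div class="row no-gutters">' +
  '<button class="btn btn-primary ml-2 float-right" data-toggle="modal" data-target="#m">Open</button>' +
  '<div class="custom-control custom-checkbox pl-md-3"><input class="custom-control-input"></div>' +
  '</div>';

for (const f of assessBundle(SAMPLE_BUNDLE)) console.log(`[${f.severity}] ${f.lib}: ${f.detail}`);
console.log(migrateHtml(SAMPLE_HTML));
```

Run it against the concatenated, unminified-comment output of your real build (or the vendored `bootstrap.min.js`/`jquery.min.js` in a CMS theme directory) rather than the sample, and treat a bundle with no banner at all as "unknown", not "clean": a comment-stripping minifier removes the evidence without removing the library.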
Full guide and live data at endoflife.ai. Bootstrap rarely travels alone — scan your whole front-end free with the Stack Scanner.