Update dependencies and base PHP requirement to 8.2

[Msprg]

Summary by CodeRabbit

• New Features

  • Added HTML sanitization for tooltips and popovers.
  • New CSS utility to remove row gutters.

• Bug Fixes

  • Improved disabled-state accessibility for form controls.

• Chores

  • Bumped runtime requirements: PHP 8.2+ and added LDAP, mbstring, mysqli, pcntl, SSH2 extensions.
  • Updated Apache and database minimum versions.
  • Upgraded Bootstrap and jQuery; updated example container image.
  • Fixed README header typo and CI checkout action version.

[coderabbitai]

Warning

Rate limit exceeded

@Msprg has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

This PR upgrades infrastructure and dependencies (GitHub Actions checkout, MariaDB image), raises PHP and DB requirements, adds PHP extension requirements, updates jQuery and Bootstrap to newer versions, and adds HTML sanitization for Bootstrap tooltips/popovers plus widespread CSS formatting normalizations.

Changes

Cohort / File(s)	Summary
CI & Containers .github/workflows/docker.yml, docker-compose.yml.example	Bumped checkout action from actions/checkout@v4 → @v6; updated MariaDB image tag from mariadb:lts → mariadb:11.8.5.
Docs & Environment README.md, AGENTS.md	Updated system requirements: PHP 8.2+, Apache 2.4+, MySQL/Percona/MariaDB minimums (MySQL 8.0+, Percona 8.0+, MariaDB 10.11+); fixed wording and added PHP SSH2/GMP notes.
PHP Runtime / Composer composer.json	Added runtime requirement "php": "^8.2" and PHP extensions: ext-ldap, ext-mbstring, ext-mysqli, ext-pcntl, ext-ssh2.
Bootstrap CSS public_html/bootstrap/css/bootstrap.css, public_html/bootstrap/css/bootstrap-theme.css, public_html/bootstrap/css/bootstrap-theme.min.css	Upgraded headers to v3.4.1 and normalized CSS values (explicit rgba alpha decimals, full hex codes), added .row-no-gutters, refined disabled cursors, and other formatting/consistency edits across many rules.
Bootstrap JS public_html/bootstrap/js/bootstrap.js	Bumped component versions to 3.4.1; added Tooltip.sanitizeHtml and defaults (sanitize, sanitizeFn, whiteList); integrated DOM-based sanitization into Tooltip/Popover content/title handling; changed some selector resolution to document-scoped finds.
Templates / Assets templates/base.php, public_html/...	Replaced jQuery 3.2.1 → 3.7.1 in base template.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Tooltip
    participant Sanitizer
    participant DOM
    User->>Tooltip: trigger (hover/click) with content/html option
    Tooltip->>Tooltip: getOptions() (read sanitize, sanitizeFn, whiteList)
    Tooltip->>Sanitizer: sanitizeHtml(unsafeHtml, whiteList, sanitizeFn)
    Sanitizer->>Sanitizer: apply whitelist & optional sanitizeFn
    Sanitizer-->>Tooltip: safeHtml
    Tooltip->>DOM: setContent(safeHtml) / render
    DOM-->>User: display tooltip/popover

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰✨ I nibble bytes and tidy seams,
Bootstrap brightened, jQuery beams.
Tooltips scrubbed with careful art,
PHP grows strong — a brand new start.
Hops of joy for every part!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main objective of the PR: updating dependencies and establishing PHP 8.2 as the minimum required version, which aligns with the widespread changes across composer.json, README.md, and multiple other configuration files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch upgrades

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

public_html/bootstrap/js/bootstrap.js (1)

202-224: ⚠️ Potential issue | 🟠 Major

Known XSS vector (CVE-2024-6485): Button setState does not sanitize HTML content.

Line 205 sets val = 'html' for non-input elements, and line 214 injects data[state] directly via $el.html(...) without sanitization. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

If any of your button data-*-text attributes (e.g., data-loading-text, data-complete-text) include user-controlled content, this is exploitable. If all such values are hardcoded in templates, the practical risk is low. Consider adding a local patch to sanitize here:

🛡️ Proposed local patch

     // push to event loop to allow forms to submit
     setTimeout($.proxy(function () {
-      $el[val](data[state] == null ? this.options[state] : data[state])
+      var stateVal = data[state] == null ? this.options[state] : data[state]
+      if (val === 'html' && this.options && typeof sanitizeHtml === 'function') {
+        stateVal = sanitizeHtml(stateVal, DefaultWhitelist, null)
+      }
+      $el[val](stateVal)

Note: sanitizeHtml is scoped within the Tooltip IIFE and not accessible from the Button IIFE. A real fix would require either extracting the sanitizer to a shared scope or duplicating the call. This is one reason to consider the Bootstrap 5 migration path.

🤖 Fix all issues with AI agents

In `@composer.json`:
- Around line 6-11: The composer.json now specifies "php": "^8.2" which
conflicts with the documented coding guideline line stating "PHP 5.6+ is the
minimum supported version"; either update the coding guideline/readme to state
PHP 8.2+ as the new minimum (search for the literal "PHP 5.6+ is the minimum
supported version" in the docs and replace it with "PHP 8.2+"), or revert the
composer.json php constraint back to the previous minimum (e.g., "^5.6 || ^7.0
|| ^8.0" or the project’s prior value) so both the composer.json entry and the
coding guideline remain consistent; keep the extension requirements (ext-ldap,
ext-mbstring, ext-mysqli, ext-pcntl, ext-ssh2) as-is.

In `@public_html/bootstrap/js/bootstrap.js`:
- Around line 1-5: The project currently includes Bootstrap v3.4.1 (the
"Bootstrap v3.4.1" header in public_html/bootstrap/js/bootstrap.js) which is EOL
and contains unpatched XSS CVEs (notably impacting Carousel, Button, Tooltip,
Popover); replace this by planning and executing a migration to Bootstrap 5:
update the dependency to Bootstrap 5 compiled JS and CSS, remove the old
bootstrap.js and bootstrap.css, and update HTML markup and JS initialisation for
changed classes/attributes (Carousel, Button, Tooltip, Popover APIs/data-*
attributes), adjust any custom code that depended on v3-specific
utilities/plugins, run the UI regression tests and security scan, and document
the migration steps and any compatibility workarounds for references to
"Bootstrap v3.4.1" so the vulnerable assets are fully retired.

In `@README.md`:
- Line 28: Fix the typo inconsistency by replacing the incorrect header text
"Baremeteal" with "Baremetal" where it still appears (the README header that
currently reads "Baremeteal requirements (old, deprecated, use docker if
possible)"); ensure the header text matches the corrected form used earlier
("Baremetal requirements (old, deprecated, use docker if possible)").

🧹 Nitpick comments (1)

docker-compose.yml.example (1)

25-25: Consider using mariadb:11.8 or mariadb:lts instead of the patch-pinned version for this example config.

While mariadb:11.8.5 exists and is valid, the immutable patch tag will become outdated as the 11.8 series receives updates. Using 11.8 (or lts for the current LTS line) pins to the minor version while automatically receiving security and patch updates within 11.8.x—better suited for example configurations that should remain maintainable over time.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

PHP 8.2+ requirement contradicts the coding guideline for **/*.php which states "PHP 5.6+ is the minimum supported version".

The composer.json now requires ^8.2, which is a breaking change relative to the documented coding guideline. If this is intentional (as the README update and PR title suggest), the coding guideline should be updated to reflect PHP 8.2+ as the new minimum. Otherwise, any PHP 5.6/7.x users would be broken.

The extension requirements (ext-ldap, ext-mbstring, ext-mysqli, ext-pcntl, ext-ssh2) are sensible and align with the README updates. As per coding guidelines, "PHP 5.6+ is the minimum supported version".

🤖 Prompt for AI Agents

In `@composer.json` around lines 6 - 11, The composer.json now specifies "php":
"^8.2" which conflicts with the documented coding guideline line stating "PHP
5.6+ is the minimum supported version"; either update the coding
guideline/readme to state PHP 8.2+ as the new minimum (search for the literal
"PHP 5.6+ is the minimum supported version" in the docs and replace it with "PHP
8.2+"), or revert the composer.json php constraint back to the previous minimum
(e.g., "^5.6 || ^7.0 || ^8.0" or the project’s prior value) so both the
composer.json entry and the coding guideline remain consistent; keep the
extension requirements (ext-ldap, ext-mbstring, ext-mysqli, ext-pcntl, ext-ssh2)
as-is.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Bootstrap 3.4.1 is EOL with known unpatched CVEs — plan migration to Bootstrap 5.

This upgrade from 3.3.7 to 3.4.1 is a positive step as it patches several older XSS vulnerabilities (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331). However, Bootstrap 3 reached end of life July 24, 2019, and neither version receives new features, updates, or security fixes.

Critically, CVE-2024-6484 and CVE-2024-6485 impact Bootstrap 3 and are unpatched in 3.4.1:

• CVE-2024-6484: XSS via the carousel component
• CVE-2024-6485: a cross-site scripting (XSS) vulnerability within the Bootstrap 3 Button component
• CVE-2025-1647: vulnerable to Cross-site Scripting (XSS) via the Tooltip and Popover components

Consider planning a migration to Bootstrap 5 as a follow-up.

🤖 Prompt for AI Agents

In `@public_html/bootstrap/js/bootstrap.js` around lines 1 - 5, The project
currently includes Bootstrap v3.4.1 (the "Bootstrap v3.4.1" header in
public_html/bootstrap/js/bootstrap.js) which is EOL and contains unpatched XSS
CVEs (notably impacting Carousel, Button, Tooltip, Popover); replace this by
planning and executing a migration to Bootstrap 5: update the dependency to
Bootstrap 5 compiled JS and CSS, remove the old bootstrap.js and bootstrap.css,
and update HTML markup and JS initialisation for changed classes/attributes
(Carousel, Button, Tooltip, Popover APIs/data-* attributes), adjust any custom
code that depended on v3-specific utilities/plugins, run the UI regression tests
and security scan, and document the migration steps and any compatibility
workarounds for references to "Bootstrap v3.4.1" so the vulnerable assets are
fully retired.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Typo inconsistency: Line 28 corrected to "Baremetal" but Line 60 still says "Baremeteal".

Line 60 retains the old typo Baremeteal while Line 28 has been corrected to Baremetal.

Proposed fix

-<summary>Baremeteal install (old, deprecated, use docker if possible)</summary>
+<summary>Baremetal install (old, deprecated, use docker if possible)</summary>

🤖 Prompt for AI Agents

In `@README.md` at line 28, Fix the typo inconsistency by replacing the incorrect
header text "Baremeteal" with "Baremetal" where it still appears (the README
header that currently reads "Baremeteal requirements (old, deprecated, use
docker if possible)"); ensure the header text matches the corrected form used
earlier ("Baremetal requirements (old, deprecated, use docker if possible)").

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@public_html/bootstrap/js/bootstrap.js`:
- Around line 214-223: The branch using sanitizeHtml and DefaultWhitelist in the
Button state-setting code is dead because those symbols are defined inside the
Tooltip IIFE and not visible to the Button IIFE; either hoist sanitizeHtml and
DefaultWhitelist into a shared scope (move their definitions out of the Tooltip
IIFE or attach them to a shared object like window or the jQuery namespace) so
the Button IIFE can call sanitizeHtml(stateVal, DefaultWhitelist, ...) before
falling back, or remove the unreachable sanitizeHtml branch entirely so only the
HTML-escape fallback remains; locate the state handling block that computes
stateVal and updates $el[val] and update how sanitizeHtml/DefaultWhitelist are
exported/imported accordingly.