Upgrade Trix to 1.3.2 to fix [CVE-2024-34341][1]

[1]: GHSA-qjqp-xr96-cj99
rails · May 16, 2024 · 07e6c88 · 07e6c88
1 parent 506462a
commit 07e6c88
Show file tree

Hide file tree

Showing 8 changed files with 5,228 additions and 10,876 deletions.
diff --git a/Gemfile b/Gemfile
@@ -29,7 +29,7 @@ gem "stimulus-rails"
 gem "turbo-rails"
 gem "jsbundling-rails"
 gem "cssbundling-rails"
-gem "importmap-rails"
+gem "importmap-rails", ">= 1.2.3"
 gem "tailwindcss-rails"
 # require: false so bcrypt is loaded only when has_secure_password is used.
 # This is to avoid Active Model (and by extension the entire framework)

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -314,8 +314,9 @@ GEM
     image_processing (1.12.2)
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
-    importmap-rails (1.1.5)
+    importmap-rails (2.0.1)
       actionpack (>= 6.0.0)
+      activesupport (>= 6.0.0)
       railties (>= 6.0.0)
     io-console (0.6.0)
     irb (1.6.3)
@@ -526,6 +527,10 @@ GEM
       concurrent-ruby (~> 1.0)
     tailwindcss-rails (2.0.21)
       railties (>= 6.0.0)
+    tailwindcss-rails (2.0.21-x86_64-darwin)
+      railties (>= 6.0.0)
+    tailwindcss-rails (2.0.21-x86_64-linux)
+      railties (>= 6.0.0)
     terser (1.1.13)
       execjs (>= 0.3.0, < 3)
     thin (1.8.1)
@@ -592,7 +597,7 @@ DEPENDENCIES
   google-cloud-storage (~> 1.11)
   hiredis
   image_processing (~> 1.2)
-  importmap-rails
+  importmap-rails (>= 1.2.3)
   jsbundling-rails
   json (>= 2.0.0)
   libxml-ruby

diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Upgrade Trix to 1.3.2 to fix [CVE-2024-34341](https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99).
+
+    *Rafael Mendonça França*
+
+
 ## Rails 7.0.8.1 (February 21, 2024) ##
 
 *   No changes.

diff --git a/actiontext/Rakefile b/actiontext/Rakefile
@@ -18,4 +18,27 @@ Rake::TestTask.new "test:system" do |t|
   t.verbose = true
 end
 
+task :vendor_trix do
+  require "importmap-rails"
+  require "importmap/packager"
+
+  packager = Importmap::Packager.new(vendor_path: "app/assets/javascripts")
+  imports = packager.import("trix@^1.3.2", from: "unpkg")
+  imports.each do |package, url|
+    url.gsub!("esm.min.js", "umd.js")
+    puts %(Vendoring "#{package}" to #{packager.vendor_path}/#{package}.js via download from #{url})
+    packager.download(package, url)
+
+    css_url = url.gsub("umd.js", "css")
+    puts %(Vendoring "#{package}" to #{packager.vendor_path}/#{package}.css via download from #{css_url})
+
+    response = Net::HTTP.get_response(URI(css_url))
+    if response.code == "200"
+      File.open(Pathname.new("app/assets/stylesheets/trix.css"), "w+") do |file|
+        file.write response.body
+      end
+    end
+  end
+end
+
 task default: :test