chore(deps): update dependency @ckeditor/ckeditor5-widget to v27 [security] - autoclosed #15
This PR contains the following updates:
24.0.0 -> 27.0.0
GitHub Vulnerability Alerts
CVE-2021-21391
Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed abuse of particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 27.0.0.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.
Release Notes
ckeditor/ckeditor5
v27.0.0
Release highlights
We are happy to announce the release of CKEditor 5 v27.0.0.
Starting from this version, collaboration features release notes will be included in the CKEditor 5 changelog. Changes for the previous releases are available on https://ckeditor.com/collaboration/changelog/.
This release introduces some new features:
[x] will now insert a checked to-do list item.
view.Document events.
MAJOR BREAKING CHANGES ℹ️
Note: Check out the Migration to CKEditor 5 v27.0.0 guide for more detailed information on how to upgrade to this version.
inputTransformation event is no longer fired by the Clipboard plugin. Now the ClipboardPipeline plugin is responsible for firing this event (see #9128).
clipboardInput and inputTransformation events should not be fired or stopped in the feature code. The data.content property should be assigned to override the default content instead. You can stop this event only if you want to completely disable pasting or dropping of some content. Read more about the clipboard pipeline in the migration to v27.0.0 guide. See #9128.
view.Document events, similar to how bubbling works in the DOM. This allowed us to re-prioritize many listeners that previously had to rely on the priority property. However, it means that existing listeners that use priorities may now be executed at a wrong time. The listeners to such events should be reviewed in terms of when they should be executed (in what context/element/phase). Read more about event bubbling in the migration to v27.0.0 guide. See #8640.
Features
[x] will insert a checked to-do list item. Closes #8877. (commit)
contentInsertion event is fired from ClipboardPipeline to enable customization of content insertion (see #9128). (commit)
view.Document events, similar to how bubbling works in the DOM. Bubbling allows listening on a view event on a specific kind of element, hence simplifying code that needs to handle a specific event for only that element (e.g. enter in blockquote elements only). Read more in the Event system deep-dive guide. Closes #8640. (commit)
ArrowKeysObserver. See #8640. (commit)
Bug fixes
DataController#toView() should have a default value for the options parameter. Closes #9293. (commit)
EmitterMixin#listenTo() method is split into listener and emitter parts. The ObservableMixin decorated methods reverted to the original method while destroying an observable. (commit)
Other changes
PastePlainText plugin (see #9128). (commit)
mouseup event is fired by the MouseObserver (see #9128). (commit)
mouseup event is no longer fired by the MouseEventsObserver from the @ckeditor/ckeditor5-table package (now handled by MouseObserver) (see #9128). (commit)
TwoStepCaretMovement feature is now using bubbling events. Closes #7437. (commit)
language.getLanguageDirection helper function allowing to determine the text direction based on the language code. (commit)
Released packages
Check out the Versioning policy guide for more information.
Released packages (summary)
New packages:
Major releases (contain major breaking changes):
Releases containing new features:
Other releases:
v26.0.0
Release highlights
We are happy to announce the release of CKEditor 5 v26.0.0.
This release brings some new features:
There were also some important bug fixes:
<font> elements.
Collaboration features
The CKEditor 5 Collaboration features changelog can be found here: https://ckeditor.com/collaboration/changelog.
MAJOR BREAKING CHANGES ℹ️
Note: Check out the Migration to 26.0.0 guide for more detailed information on how to upgrade to this version.
Several plugins are not loaded automatically as dependencies of other plugins anymore. From now on, they need to be provided by the editor creator manually (via config.plugins). This list includes:
CloudServicesUploadAdapter plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the CloudServicesUploadAdapter or EasyImage features.
EasyImage plugin no longer loads Image and ImageUpload. Make sure to add Image and ImageUpload to the editor plugins when using the EasyImage feature.
CKFinder plugin no longer loads CKFinderUploadAdapter. The CKFinderEditing plugin no longer loads ImageEditing and LinkEditing features. Make sure to add CKFinderUploadAdapter, Image, and Link features to the editor plugins when using the CKFinder feature.
Title plugin no longer loads Paragraph. Make sure to add Paragraph to the editor plugins when using the Title feature.
ListEditing plugin no longer loads Paragraph. Make sure to add Paragraph to the editor plugins when using the List feature.
LinkImageEditing plugin no longer loads ImageEditing. Make sure to add Image to the editor plugins when using the LinkImage feature.
LinkImageUI plugin no longer loads Image. Make sure to add Image to the editor plugins when using the LinkImage feature.
ExportPdf plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the ExportPdf feature.
ExportWord plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the ExportWord feature.
cloud-services-core: The package has been merged into @ckeditor/ckeditor5-cloud-services. All classes that were available in the @ckeditor/ckeditor-cloud-services-core package have been moved to the @ckeditor/ckeditor5-cloud-services package. They should now be instantiated via factory methods on the CloudServicesCore plugin that's located in @ckeditor/ckeditor5-cloud-services. See #8811.
image: The following modules have been moved (before → after):
image/image/imageinsertcommand~ImageInsertCommand → image/image/insertimagecommand~InsertImageCommand
image/imageresize/imageresizecommand~ImageResizeCommand → image/imageresize/resizeimagecommand~ResizeImageCommand
image/imageupload/imageuploadcommand~ImageUploadCommand → image/imageupload/uploadimagecommand~UploadImageCommand
list: The to-do list item toggle keystroke changed to Ctrl+Enter (Cmd+Enter on Mac).
list: The following module list/todolistcheckedcommand~TodoListCheckCommand has been moved to list/checktodolistcommand~CheckTodoListCommand.
Keystrokes with the Ctrl modifier will not be handled on macOS, unless the modifier is registered as a forced one (for example: Ctrl!+A will not be translated to Cmd+A on macOS).
Features
CloudServicesCore plugin that provides the base API for communication with CKEditor Cloud Services. (commit)
PluginCollection class will allow requiring a plugin by name, if it is provided in config.plugins or if it was already loaded. Closes #2907. (commit)
ContainerElement can be marked as isAllowedInsideAttributeElement in order to allow wrapping it with attribute elements. Useful for instance for inline widgets. Other element types (UI, Raw, Empty) have this flag on by default but it can be changed via options.isAllowedInsideAttributeElement to false. Read more in DowncastWriter#create*() methods documentation. Closes #1633. (commit)
<font> styling compatibility. Closes #8621. (commit)
Ctrl!) for keystrokes that should not be mapped to Command on macOS. (commit)
Bug fixes
DowncastWriter should handle UIElements consistently while wrapping with and inserting them into attribute elements. Closes #8959. (commit)
supportAllValues configuration for the FontSize and FontFamily features to work with nested elements (tables). Closes #7965. (commit). Thanks to @dkrahn!
Title plugin, the body placeholder is visible even when the body section is focused. See #8689. (commit)
www subdomain followed with a top level domain, e.g. http://www.test. Closes #8050. (commit)
insertMediaEmbed command should be disabled if any non-media object is selected (see #8798). (commit)
insertTable command should be disabled if any object is selected. Closes #8798. (commit)
Other changes
Enabled creating builds that can be extended (with more plugins) without the need to recompile. This required splitting the project into the so-called DLL part and consumers of this DLL. Under the hood, the mechanism is based on webpack DLLs. This is the first part of the required changes and it contains the necessary breaking changes (see the "MAJOR BREAKING CHANGES" section above). For more information see the "DLL builds" guide. Closes #8395. (commit)
cloud-services-core: All classes available in the @ckeditor/ckeditor-cloud-services-core package have been moved to the @ckeditor/ckeditor5-cloud-services package. They should now be instantiated via factory methods on the CloudServicesCore plugin. Closes #8811. (commit)
engine: The KeyObserver should provide information about metaKey being pressed. (commit)
image: Add WEBP support to the inline pasting of images from source URLs. (commit)
image: Introduced Image.isImageWidget() utility method. (commit)
list: The to-do list item toggle keystroke changed to Ctrl+Enter (Cmd+Enter on Mac). (commit)
widget: The checkSelectionOnObject function should be exported by the @ckeditor/ckeditor5-widget package (as @ckeditor/ckeditor5-widget/src/utils) (see #8798). (commit)
Updated translations. (commit)
Unified buttons and commands naming conventions. Old name values are available as aliases. Read more about those changes in the Code style guide. Closes #8033. (commit)
Changes in toolbar buttons (before → after):
imageUpload → uploadImage
imageResize → resizeImage
imageInsert → insertImage
imageResize:* → resizeImage:*
Changes in command names:
imageInsert → insertImage
imageUpload → uploadImage
imageResize → resizeImage
forwardDelete → deleteForward
todoListCheck → checkTodoList
Released packages
Check out the Versioning policy guide for more information.
Released packages (summary)
Major releases (contain major breaking changes):
Releases containing new features:
Other releases:
v25.0.0
Release highlights
We are happy to announce the release of CKEditor 5 v25.0.0 that contains a security fix for the Markdown-GFM package. Even though this is a low impact issue and only affects the victim’s browser with no risk of data leakage, an upgrade is highly recommended! You can read more details in the relevant security advisory and contact us if you have more questions.
This release brings a few improvements and bug fixes:
Collaboration features
The CKEditor 5 Collaboration features changelog can be found here: https://ckeditor.com/collaboration/changelog.
MINOR BREAKING CHANGES ℹ️
ToolbarView.fillFromConfig() will be stripped off of any leading, trailing, and duplicated separators ('|' and '-').
Features
--- in an empty block. Closes #5720. (commit)
DataController#htmlProcessor property is initialized with the instance of the HtmlDataProcessor class and assigned to the DataController#processor property by default. (commit)
DropdownView class to address edge cases when the panel is cut due to small screen size (see #7700, #8669). (commit)
config.toolbar.removeItems. Closes #7945. (commit)
Bug fixes
snake_case_scenarios anymore. Closes #2388. (commit)
setData() helper in the dev-utils model should support the batchType option. Closes #7947. (commit)
Widget plugin. Closes #8825. (commit)
Widget plugin. Closes #8720. (commit)
src attribute if strict CSP rules are defined. Closes #7957. (commit)
delete event handler is now listening on a higher priority to avoid being intercepted by the block quote and widget handlers. Closes #8706. (commit)
Widget plugin. Closes #8825. (commit)
'-' (new line) divider should not be rendered when grouping is enabled. Closes #8582. (commit)
Other changes
Model#insertContent() function to use as few operations as possible to reduce the time needed to handle pasting large content into the editor. Closes #8054, #715. (commit)
Differ#getChanges() function. Closes #8188. (commit)
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.