
chore(deps): update dependency @ckeditor/ckeditor5-widget to v27 [security] - autoclosed #15

Closed


renovate[bot]

@renovate renovate bot commented Aug 27, 2021

WhiteSource Renovate

This PR contains the following updates:

Package: @ckeditor/ckeditor5-widget (source)
Change: 24.0.0 -> 27.0.0

GitHub Vulnerability Alerts

CVE-2021-21391

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.


Release Notes

ckeditor/ckeditor5

v27.0.0

Compare Source

Release highlights

We are happy to announce the release of CKEditor 5 v27.0.0.

Starting from this version, collaboration features release notes will be included in the CKEditor 5 changelog. Changes for the previous releases are available on https://ckeditor.com/collaboration/changelog/.

This release introduces some new features:

MAJOR BREAKING CHANGES ℹ️

Note: Check out the Migration to CKEditor 5 v27.0.0 guide for more detailed information on how to upgrade to this version.

  • clipboard: The inputTransformation event is no longer fired by the Clipboard plugin. Now the ClipboardPipeline plugin is responsible for firing this event (see #​9128).
  • clipboard: The clipboardInput and inputTransformation events should not be fired or stopped in the feature code. The data.content property should be assigned to override the default content instead. You can stop this event only if you want to completely disable pasting or dropping of some content. Read more about the clipboard pipeline in the migration to v27.0.0 guide. See #​9128.
  • Introduced bubbling of the view.Document events, similar to how bubbling works in the DOM. This allowed us to re-prioritize many listeners that previously had to rely on the priority property. However, it means that existing listeners that use priorities may now be executed at a wrong time. The listeners to such events should be reviewed in terms of when they should be executed (in what context/element/phase). Read more about event bubbling in the migration to v27.0.0 guide. See #​8640.
Features
  • alignment: Introduced an option to use classes instead of inline styles. Closes #​8516. (commit)
  • autoformat: Typing [x] will insert a checked to-do list item. Closes #​8877. (commit)
  • clipboard: Implemented basic support for content drag and drop. Closes #​9128. (commit)
  • clipboard: The contentInsertion event is fired from ClipboardPipeline to enable customization of content insertion (see #​9128). (commit)
  • core: Created the universal caption icon. Closes #​9196. (commit)
  • engine: Introduced bubbling of the view.Document events, similar to how bubbling works in the DOM. Bubbling allows listening on a view event on a specific kind of element, hence simplifying code that needs to handle a specific event for only that element (e.g. enter in blockquote elements only). Read more in the Event system deep-dive guide. Closes #​8640. (commit)
  • engine: Introduced ArrowKeysObserver. See #​8640. (commit)
  • language: Added support for setting the text part language. Closes #​8989.
Bug fixes
  • engine: DataController#toView() should have a default value for the options parameter. Closes #​9293. (commit)
  • highlight: The remove highlight button now also gets disabled along with the main highlight command. Closes #9174. (commit)
  • utils: The EmitterMixin#listenTo() method is split into listener and emitter parts. The ObservableMixin decorated methods reverted to the original method while destroying an observable. (commit)
Other changes
  • clipboard: The paste as plain text feature was extracted to the dedicated PastePlainText plugin (see #​9128). (commit)
  • engine: The mouseup event is fired by the MouseObserver (see #​9128). (commit)
  • table: The mouseup event is no longer fired by the MouseEventsObserver from the @ckeditor/ckeditor5-table package (now handled by MouseObserver) (see #​9128). (commit)
  • typing: The TwoStepCaretMovement feature is now using bubbling events. Closes #​7437. (commit)
  • utils: Added the language.getLanguageDirection helper function allowing to determine the text direction based on the language code. (commit)
  • Optimized icons. (commit)
  • Updated English translations for the text part language feature. (commit)
Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

New packages:

Major releases (contain major breaking changes):

Releases containing new features:

Other releases:

v26.0.0

Compare Source

Release highlights

We are happy to announce the release of CKEditor 5 v26.0.0.

This release brings some new features:

There were also some important bug fixes:

Collaboration features

The CKEditor 5 Collaboration features changelog can be found here: https://ckeditor.com/collaboration/changelog.

MAJOR BREAKING CHANGES ℹ️

Note: Check out the Migration to 26.0.0 guide for more detailed information on how to upgrade to this version.

  • Several plugins are not loaded automatically as dependencies of other plugins anymore. From now on, they need to be provided by the editor creator manually (via config.plugins). This list includes:

    • The CloudServicesUploadAdapter plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the CloudServicesUploadAdapter or EasyImage features.
    • The EasyImage plugin no longer loads Image and ImageUpload. Make sure to add Image and ImageUpload to the editor plugins when using the EasyImage feature.
    • The CKFinder plugin no longer loads CKFinderUploadAdapter. The CKFinderEditing plugin no longer loads ImageEditing and LinkEditing features. Make sure to add CKFinderUploadAdapter, Image, and Link features to the editor plugins when using the CKFinder feature.
    • The Title plugin no longer loads Paragraph. Make sure to add Paragraph to the editor plugins when using the Title feature.
    • The ListEditing plugin no longer loads Paragraph. Make sure to add Paragraph to the editor plugins when using the List feature.
    • The LinkImageEditing plugin no longer loads ImageEditing. Make sure to add Image to the editor plugins when using the LinkImage feature.
    • The LinkImageUI plugin no longer loads Image. Make sure to add Image to the editor plugins when using the LinkImage feature.
    • The ExportPdf plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the ExportPdf feature.
    • The ExportWord plugin no longer loads CloudServices. Make sure to add CloudServices to the editor plugins when using the ExportWord feature.
  • cloud-services-core: The package has been merged into @ckeditor/ckeditor5-cloud-services. All classes that were available in the @ckeditor/ckeditor-cloud-services-core package have been moved to the @ckeditor/ckeditor5-cloud-services package. They should now be instantiated via factory methods on the CloudServicesCore plugin that's located in @ckeditor/ckeditor5-cloud-services. See #​8811.

  • image: The following modules have been moved (before → after):

    • image/image/imageinsertcommand~ImageInsertCommand → image/image/insertimagecommand~InsertImageCommand
    • image/imageresize/imageresizecommand~ImageResizeCommand → image/imageresize/resizeimagecommand~ResizeImageCommand
    • image/imageupload/imageuploadcommand~ImageUploadCommand → image/imageupload/uploadimagecommand~UploadImageCommand
  • list: The to-do list item toggle keystroke changed to Ctrl+Enter (Cmd+Enter on Mac).

  • list: The following module list/todolistcheckedcommand~TodoListCheckCommand has been moved to list/checktodolistcommand~CheckTodoListCommand.

  • Keystrokes with the Ctrl modifier will not be handled on macOS, unless the modifier is registered as a forced one (for example: Ctrl!+A will not be translated to Cmd+A on macOS).

Features
  • cloud-services: Created the CloudServicesCore plugin that provides the base API for communication with CKEditor Cloud Services. (commit)
  • core: The PluginCollection class will allow requiring a plugin by name, if it is provided in config.plugins or if it was already loaded. Closes #​2907. (commit)
  • engine: ContainerElement can be marked as isAllowedInsideAttributeElement in order to allow wrapping it with attribute elements. Useful for instance for inline widgets. Other element types (UI, Raw, Empty) have this flag on by default but it can be changed via options.isAllowedInsideAttributeElement to false. Read more in DowncastWriter#create*() methods documentation. Closes #​1633. (commit)
  • font: Added the <font> styling compatibility. Closes #​8621. (commit)
  • utils: Added the forced modifier key (Ctrl!) for keystrokes that should not be mapped to Command on macOS. (commit)
Bug fixes
  • build-*: Switched indent buttons order in the default build config to "outdent, indent". Closes #​8884. (commit)
  • engine: DowncastWriter should handle UIElements consistently while wrapping with and inserting them into attribute elements. Closes #​8959. (commit)
  • engine: Words should not break on link boundaries. Closes #​8852. (commit)
  • engine: Undoing the deletion of merged paragraphs should result in the original tree. Closes #​8976. (commit)
  • engine: Pasting formatted single-line text over a widget should not split it into multiple paragraphs. Closes #​8953. (commit)
  • engine: The editor placeholder should not disappear until typing started. Closes #​8689. (commit)
  • engine: Fixed content not restored on undo when multiple blocks and widgets were removed. Closes #​8870. (commit)
  • font: Fixed the supportAllValues configuration for the FontSize and FontFamily features to work with nested elements (tables). Closes #​7965. (commit). Thanks to @​dkrahn!
  • heading: In the Title plugin, the body placeholder is visible even when the body section is focused. See #​8689. (commit)
  • image: The Image caption placeholder is now hidden when focused. See #​8689. (commit)
  • link: The Autolink plugin will no longer automatically match domains that only have a www subdomain followed with a top level domain, e.g. http://www.test. Closes #​8050. (commit)
  • link: IP addresses should be converted into links while typing by the Autolink feature. Closes #​8881. (commit)
  • media-embed: The insertMediaEmbed command should be disabled if any non-media object is selected (see #​8798). (commit)
  • table: The insertTable command should be disabled if any object is selected. Closes #​8798. (commit)
  • utils: The keystrokes are no longer conflicting on macOS. Closes #​5705. (commit)
  • The editor will show the placeholder even when focused. See #​8689. (commit)
Other changes
  • Enabled creating builds that can be extended (with more plugins) without the need to recompile. This required splitting the project into the so-called DLL part and consumers of this DLL. Under the hood, the mechanism is based on webpack DLLs. This is the first part of the required changes and it contains the necessary breaking changes (see the "MAJOR BREAKING CHANGES" section above). For more information see the "DLL builds" guide. Closes #8395 (https://github.com/ckeditor/ckeditor5/issues/8395). (commit)

  • cloud-services-core: All classes available in the @ckeditor/ckeditor-cloud-services-core package have been moved to the @ckeditor/ckeditor5-cloud-services package. They should now be instantiated via factory methods on the CloudServicesCore plugin. Closes #​8811. (commit)

  • engine: The KeyObserver should provide information about metaKey being pressed. (commit)

  • image: Add WEBP support to the inline pasting of images from source URLs. (commit)

  • image: Introduced Image.isImageWidget() utility method. (commit)

  • list: The to-do list item toggle keystroke changed to Ctrl+Enter (Cmd+Enter on Mac). (commit)

  • widget: The checkSelectionOnObject function should be exported by the @ckeditor/ckeditor5-widget package (as @ckeditor/ckeditor5-widget/src/utils) (see #​8798). (commit)

  • Updated translations. (commit)

  • Unified buttons and commands naming conventions. Old name values are available as aliases. Read more about those changes in the Code style guide. Closes #​8033. (commit)

    Changes in toolbar buttons (before → after):

    • imageUpload → uploadImage
    • imageResize → resizeImage
    • imageInsert → insertImage
    • imageResize:* → resizeImage:*

    Changes in command names:

    • imageInsert → insertImage
    • imageUpload → uploadImage
    • imageResize → resizeImage
    • forwardDelete → deleteForward
    • todoListCheck → checkTodoList
Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Major releases (contain major breaking changes):

Releases containing new features:

Other releases:

v25.0.0

Compare Source

Release highlights

We are happy to announce the release of CKEditor 5 v25.0.0 that contains a security fix for the Markdown-GFM package. Even though this is a low impact issue and only affects the victim’s browser with no risk of data leakage, an upgrade is highly recommended! You can read more details in the relevant security advisory and contact us if you have more questions.

This release brings a few improvements and bug fixes:

Collaboration features

The CKEditor 5 Collaboration features changelog can be found here: https://ckeditor.com/collaboration/changelog.

MINOR BREAKING CHANGES ℹ️
  • ui: Configuration passed to ToolbarView.fillFromConfig() will be stripped off of any leading, trailing, and duplicated separators ('|' and '-').
Features
  • autoformat: The horizontal line can be inserted by typing --- in an empty block. Closes #​5720. (commit)
  • autoformat: Square brackets should convert the current line to a to-do list item. Closes #​7518. (commit)
  • block-quote: The block quote should be split on the Backspace key press at the beginning of the block quote. Closes #​7636. (commit)
  • engine: The new DataController#htmlProcessor property is initialized with the instance of the HtmlDataProcessor class and assigned to the DataController#processor property by default. (commit)
  • typing: An empty block element at the beginning of the limit element should be converted to a paragraph on the Backspace key press. Closes #​8137. (commit)
  • ui: Implemented additional panel positions for the DropdownView class to address edge cases when the panel is cut due to small screen size (see #​7700, #​8669). (commit)
  • ui: Items baked into the editor bundles can now be removed from the toolbar by using config.toolbar.removeItems. Closes #​7945. (commit)
Bug fixes
  • autoformat: Formatting will not be applied to snake_case_scenarios anymore. Closes #​2388. (commit)
  • engine: The setData() helper in the dev-utils model should support the batchType option. Closes #​7947. (commit)
  • export-pdf: The command should use the proper token if executed without providing a token in the command options.
  • export-word: The command should use the proper token if executed without providing a token in the command options.
  • horizontal-line: The horizontal line feature should require the Widget plugin. Closes #​8825. (commit)
  • html-embed: Pasting an HTML embed widget from the clipboard will not clear its content anymore. Closes #​8789. (commit)
  • html-embed: The HTML embed plugin should require the Widget plugin. Closes #​8720. (commit)
  • html-embed: The save button should close the source mode even if there are no changes. Closes #​8560. (commit)
  • image: The image plugins can be loaded in any order without causing an error. Closes #​8270. (commit)
  • image: Allow pasting an image with a data URL scheme as the value of the src attribute if strict CSP rules are defined. Closes #​7957. (commit)
  • image: Fixed the image resizer for images with links. Closes #​8749. (commit)
  • image: An empty image caption should be hidden if the editor is in read-only mode. Closes #​5168. (commit)
  • link: Removing a link from an image should not throw an error when link decorators are also present. Closes #​8401. (commit)
  • list: The delete event handler is now listening on a higher priority to avoid being intercepted by the block quote and widget handlers. Closes #​8706. (commit)
  • pagination: The pagination plugin should be disabled and a warning should be displayed if its configuration is missing.
  • page-break: Dropping an image on the page break widget should not crash the editor. Closes #​8788. (commit)
  • page-break: The page break feature should require the Widget plugin. Closes #​8825. (commit)
  • special-characters: The special characters dropdown should always fit into the viewport. Closes #​7700, #​8669. (commit)
  • table: The contents of nested tables are no longer going through upcasting. Closes #​8393. (commit)
  • table: The table properties balloon should always follow the table when the alignment changes. Closes #​6223. (commit)
  • theme-lark: The HTML embed text in a disabled input in Safari on iOS should have the same color as in other browsers. Closes #​8320. (commit)
  • theme-lark: The dropdown button should not have an inner shadow in active state. Closes #​8699. (commit)
  • ui: The "Show more items" toolbar button tooltip should not overflow the editor. Closes #​8655. (commit)
  • ui: The '-' (new line) divider should not be rendered when grouping is enabled. Closes #​8582. (commit)
  • word-count: The word count feature should consider a string with a special character as a single word. Closes #​8078. (commit)
Other changes
  • engine: Optimized the Model#insertContent() function to use as few operations as possible to reduce the time needed to handle pasting large content into the editor. Closes #​8054, #​715. (commit)
  • engine: Improved performance of the Differ#getChanges() function. Closes #​8188. (commit)
  • export-word: The timezone option should be passed to the Export to Word converter.
  • html-embed: A placeholder should be displayed if the HTML snippet is not previewable or empty. Closes #​8435. (commit)
  • link: Improved how the fake selection marker for the link UI is created. Closes #8092. (commit)

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.
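The advisory quoted in this PR describes the vulnerability class but not the affected expressions. The following JavaScript is an added example, not CKEditor code and not the patterns fixed in CVE-2021-21391: it puts a constructed nested-quantifier pattern beside a linear rewrite, adds a small heuristic lint (hasNestedQuantifier) that flags the risky shape in a pattern's source, and a length guard (guardedTest) that refuses oversized untrusted input before it reaches the regex engine. The names, the sample patterns and the adversarial input are this example's own.

```javascript
// Added example for the ReDoS advisory above. This is NOT CKEditor code and
// NOT the expressions patched in CVE-2021-21391; the patterns are constructed
// to show the vulnerability class and two defensive checks.

// Constructed vulnerable pattern: a nested quantifier `(a+)+` followed by an
// anchor. On "aaaa…a!" the engine tries every way of splitting the run of
// a's between the inner and outer group before giving up: about 2^n attempts.
const VULNERABLE = /^(a+)+$/;

// Same language ("one or more a"), single quantifier: linear time.
const SAFE = /^a+$/;

// Heuristic lint: flag a group that contains a quantifier and is itself
// quantified with +, * or {n,m}. Handles escapes and character classes, but
// it is only a heuristic: `(a|a)*` also backtracks badly and is not flagged,
// while the bounded `(a{2}){3}` is flagged although it is harmless.
function hasNestedQuantifier(source) {
  const groups = []; // per open group: has a quantifier been seen inside it?
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                // skip the escaped char
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c === "(") { groups.push(false); continue; }
    if (c === ")") {
      const sawQuantifier = groups.pop() === true;
      const next = source[i + 1];
      if (sawQuantifier && (next === "+" || next === "*" || next === "{")) return true;
      // a quantifier inside this group also counts for the enclosing group
      if (sawQuantifier && groups.length) groups[groups.length - 1] = true;
      continue;
    }
    if ((c === "+" || c === "*" || c === "{") && groups.length) {
      groups[groups.length - 1] = true;
    }
  }
  return false;
}

// Defensive wrapper: refuse oversized untrusted input before it reaches the
// regex engine, so even a superlinear pattern only ever sees bounded input.
// Returns null when the input is refused, otherwise the match result.
function guardedTest(re, input, maxLen = 256) {
  if (typeof input !== "string" || input.length > maxLen) return null;
  return re.test(input);
}

// Time one regex against a constructed adversarial string: n a's and a
// trailing "!". Both patterns correctly return false; only the cost differs.
function timeMatch(re, n) {
  const input = "a".repeat(n) + "!";
  const start = Date.now();
  const matched = re.test(input);
  return { matched, ms: Date.now() - start };
}

// Stand-alone demo. Keep n small: each extra "a" roughly doubles the work of
// the vulnerable pattern, so a few dozen characters are enough to stall a
// browser tab, which is the effect the advisory describes.
for (const [name, re] of [["VULNERABLE", VULNERABLE], ["SAFE", SAFE]]) {
  const { matched, ms } = timeMatch(re, 18);
  console.log(
    `${name} ${re}: nestedQuantifier=${hasNestedQuantifier(re.source)} ` +
    `matched=${matched} took ${ms} ms`
  );
}
```

Run it with node: both patterns reject the adversarial input, but only the vulnerable one's time grows with every added character. The lint is a triage aid for reviewing a dependency's patterns and the length cap is a mitigation for untrusted input only; the actual fix, as the advisory states, is upgrading to 27.0.0 where the expressions were patched.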

@renovate renovate bot requested a review from a team as a code owner August 27, 2021 14:18
@zendesk-garden zendesk-garden temporarily deployed to staging August 27, 2021 15:14 Inactive
@renovate renovate bot force-pushed the renovate/npm-@ckeditor/ckeditor5-widget-vulnerability branch from 85c1a7e to c2ae71a Compare August 27, 2021 15:23

@jzempel jzempel left a comment


Mismatched CKEditor versions break the runtime build

@jzempel

jzempel commented Aug 27, 2021

Blocked by ckeditor/ckeditor5#10439

@renovate renovate bot force-pushed the renovate/npm-@ckeditor/ckeditor5-widget-vulnerability branch from c2ae71a to 25e718c Compare September 16, 2021 18:30
@renovate renovate bot changed the title chore(deps): update dependency @ckeditor/ckeditor5-widget to v27 [security] chore(deps): update dependency @ckeditor/ckeditor5-widget to v27 [security] - autoclosed Sep 30, 2021
@renovate renovate bot closed this Sep 30, 2021
@renovate renovate bot deleted the renovate/npm-@ckeditor/ckeditor5-widget-vulnerability branch September 30, 2021 21:22
3 participants