fix(deps): bump ckeditor family (main) (major) #8642

Open
wants to merge 1 commit into base: main

renovate[bot]
Contributor

@renovate renovate bot commented Jul 21, 2023

This PR contains the following updates:

Package Change
@ckeditor/ckeditor5-alignment (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-basic-styles (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-block-quote (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-core (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-dev-utils (source) 37.0.1 -> 43.0.0
@ckeditor/ckeditor5-editor-balloon (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-editor-decoupled (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-essentials (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-font (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-heading (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-image (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-link (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-list (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-mention (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-paragraph (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-remove-format (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-theme-lark (source) 37.1.0 -> 43.2.0
@ckeditor/ckeditor5-upload (source) 37.1.0 -> 43.2.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

ckeditor/ckeditor5 (@​ckeditor/ckeditor5-alignment)

v43.2.0

We are happy to announce the release of CKEditor 5 v43.2.0.

Release highlights
Notable improvements
  • Operational Transformation Stability: Significant changes have been made to the OT system, enhancing the undo functionality and real-time collaboration, especially in conflict resolution scenarios. These improvements ensure smoother editor operations during complex interactions.
  • Performance Improvements: We have merged several community-driven performance enhancements (thanks @​sunesimonsen), that optimize the editor’s core engine. While no changes to the editor’s logic were made, these updates improve overall efficiency and responsiveness.
More imports available via ckeditor5 and ckeditor5-premium-features indexes

As users transition to new installation methods (v42.0.0+) with ckeditor5 and ckeditor5-premium-features as the main packages, we are continuously addressing missing imports for less common classes, functions, types, and utilities, broadening their availability. Since our TypeScript rewrite (v37.0.0), imports can now be made directly through the package indexes, simplifying integration. As many users historically imported from src, we encourage you to try the new version and report any missing imports. In the future, we are considering removing src from published packages to reduce package size, so the more feedback we receive, the better and more stable API we will provide.

Bug fixes
  • ckbox: Editing inline images using CKBox no longer changes and reinserts them simultaneously. Closes #​17056. (commit)
  • engine: Fixed incorrect marker handling in some scenarios involving undo and real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #​9296. (commit)
  • engine: Fixed incorrect handling of merge changes during undo in some scenarios involving real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #​9296. (commit)
  • engine: Fixed conflict resolution error, which led to editor crash in some scenarios where two users removed larger intersecting part of the content and used undo. See #​9296. (commit)
  • engine: Fixed incorrect undo behavior leading to an editor crash when a user pressed Enter key multiple times, then pressed backspace that many times, then undid all the changes. Closes #​9296. (commit)
  • theme-lark: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)
  • ui: Fixed scrolling in dropdowns when a block toolbar button is active. Closes #​17067. (commit)
  • ui: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)
v43.1.1

We are happy to announce the release of CKEditor 5 v43.1.1.

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package (CVE-2024-45613). This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

  1. The Block Toolbar plugin is enabled.
  2. One of the following plugins is also enabled:

You can read more details in the relevant security advisory and contact us if you have more questions.

Taking the occasion, we decided to introduce additional hardening to some parts of our codebase that introduce theoretical and unexploitable issues. Our security team confirmed that none of these issues were exploitable in a real scenario, however, we decided to fix them, in order to increase the overall security posture of our software.

v43.1.0

We are happy to announce the release of CKEditor 5 v43.1.0.

Release highlights

This release includes important bug fixes and enhancements for the editor:

  • Block merge fields: In contrast to regular, inline merge fields, the block merge fields are designed to represent complex, block-level structures, such as a dynamically generated table, a row of products, or a personalized call-to-action segment. Block merge fields are supposed to be replaced by arbitrary HTML data when the document template is post-processed or exported to a PDF or Word file.

  • Nested dropdown menus: this release introduces a new UI component: nested dropdown menus. They can be used by feature developers to easily provide an advanced user interface where UI elements are organized into a nested menu structure.

  • Customizable accessible label: You can now configure the label for the accessible editable area through the editor settings, ensuring it fits your system’s needs.

  • Improved table and cell border controls: It is now easier to manage both table and cell borders. The table user interface now clearly indicates the default border settings, allowing you to set “no borders” (None) for tables and cells without any additional configuration.

    ⚠️ In some cases this update may lead to data changes in the tables’ HTML markup when the editor loads them. However, visually nothing will change, and the experience will be the same.

The full list of enhancements can be found below.

MINOR BREAKING CHANGES ℹ️
  • Reverted config.sanitizeHtml. In v43.0.0 we made a decision to move config.htmlEmbed.sanitizeHtml to a top-level property config.sanitizeHtml. However, we realized that it was a wrong decision to expose such a sensitive property in a top-level configuration property. Starting with v43.1.0 you should again use config.htmlEmbed.sanitizeHtml and/or config.mergeFields.sanitizeHtml. The editor will throw an error if config.sanitizeHtml is used. See the migration guide for additional context behind this decision.
  • ai: The structure and presentation of the list of AI commands in the toolbar have changed (a flat filtered list is now a nested menu). Additionally, if your integration customizes this user interface, please ensure your integration code is up-to-date.
  • ui: The default [aria-label] provided by InlineEditableUIView is now 'Rich Text Editor. Editing area: [root name]' (previously: 'Editor editing area: [root name]'). You can use the options.label constructor property to adjust the label.
Features
  • comments: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
  • media-embed: Added support for new Twitter domain (x.com) and Instagram Reels. Closes #​16435. (commit)
  • merge-fields: Introduced block merge fields. They are a new type of merge fields which are treated as block content in the editor editing area.
  • track-changes: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
  • ui: Introduced nested menu component for dropdowns. Closes #​6399. (commit)
  • ui: Added support for the balloon toolbar in the multi-root editor. Closes #​14803. (commit)
  • Allowed to configure the accessible editable area label via the config.label property. Closes #​15208, #​11863, #​9731. (commit)
Bug fixes
  • cloud-services: The refreshing mechanism (from the Token class) should retry after a failure to limit the chance of the user getting disconnected and data loss in real-time collaboration. (commit)
  • comments: The TrackChangesData#getDataWithAcceptedSuggestions() method will no longer throw errors when there are suggestions containing multi-range comments in tables.
  • document-outline: Editor no longer crashes during initialization when the TableOfContents and ImageBlock plugins are enabled. Closes ckeditor/ckeditor5#16915.
  • editor-classic: The widget toolbar no longer covers editor's sticky toolbar when scrolling. Closes #​15744. (commit)
  • editor-multi-root: The selection is no longer lost while clicking an editable containing only one block element. Closes #​16806. (commit)
  • engine: Prevent from editor crashes when trying to style a long paragraph. Closes #​16819. (commit)
  • html-support: The <hgroup> and <summary> elements should work with the source editing feature. Closes #​16947. (commit)
  • list: A to-do list should preserve the state of the checked items on the data load. Closes #​15602. (commit)
  • table: Changed default table and table cell properties to match the content styles. It fixes a problem with setting [border=none] on the table. Closes #​6841. ([commit](https://redirect.github.com/ckeditor/ckedi

Configuration

📅 Schedule: Branch creation - "before 5am on wednesday" in timezone Europe/Vienna, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
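
Added example (not part of this PR or of CKEditor's own code): the v43.1.0 notes quoted above move the sanitizer back from the top-level `config.sanitizeHtml` to `config.htmlEmbed.sanitizeHtml` and/or `config.mergeFields.sanitizeHtml`, and the editor throws if the top-level key is still set. The code below audits and migrates a config object before such a bump; the helper names and the probe string are constructed, and it assumes both sanitizers use the `{ html, hasChanged }` return shape documented for `htmlEmbed.sanitizeHtml`.

```javascript
// Added example; auditSanitizeHtml / migrateSanitizeHtml are hypothetical helper names.
// PROBE is a constructed input carrying an inline event-handler attribute.
const PROBE = '<b onclick="void 0">probe</b>';

// Call one sanitizer with the probe and record contract or filtering problems.
function checkSanitizer(path, fn, findings) {
  if (typeof fn !== 'function') {
    findings.push({ level: 'error', path, msg: 'must be a function' });
    return;
  }
  let out;
  try {
    out = fn(PROBE);
  } catch (err) {
    findings.push({ level: 'error', path, msg: 'threw on probe: ' + err.message });
    return;
  }
  // Assumed contract (documented for htmlEmbed.sanitizeHtml): { html, hasChanged }.
  if (!out || typeof out.html !== 'string' || typeof out.hasChanged !== 'boolean') {
    findings.push({ level: 'error', path, msg: 'must return { html, hasChanged }' });
  } else if (/\son\w+\s*=/i.test(out.html)) {
    findings.push({ level: 'warn', path, msg: 'event-handler attribute survived the probe' });
  }
}

function auditSanitizeHtml(config) {
  const findings = [];
  if ('sanitizeHtml' in config) {
    findings.push({ level: 'error', path: 'sanitizeHtml',
      msg: 'top-level key throws from v43.1.0; move it under htmlEmbed and/or mergeFields' });
  }
  for (const section of ['htmlEmbed', 'mergeFields']) {
    const cfg = config[section];
    if (cfg && 'sanitizeHtml' in cfg) {
      checkSanitizer(section + '.sanitizeHtml', cfg.sanitizeHtml, findings);
    }
  }
  // showPreviews renders embedded HTML in the editing view, so it needs a sanitizer.
  if (config.htmlEmbed && config.htmlEmbed.showPreviews && !config.htmlEmbed.sanitizeHtml) {
    findings.push({ level: 'warn', path: 'htmlEmbed', msg: 'showPreviews without sanitizeHtml' });
  }
  return findings;
}

// Move a v43.0.0-style top-level sanitizer back under the feature sections.
// Section-level sanitizers already present take precedence over the moved one.
function migrateSanitizeHtml(config) {
  const { sanitizeHtml, ...rest } = config;
  if (sanitizeHtml === undefined) return rest;
  rest.htmlEmbed = { sanitizeHtml, ...rest.htmlEmbed };
  if (rest.mergeFields) rest.mergeFields = { sanitizeHtml, ...rest.mergeFields };
  return rest;
}
```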

@ChristophWurst
Member

@kesselb this one is for you :)

@ChristophWurst
Member

ckeditor/ckeditor5#14082

^ @jancborchardt @marcoambrosini @nimishavijay ckeditor will show a ckeditor logo with v38 and later. Would that be a problem for us design-wise?

@nimishavijay
Member

Where is this ckeditor used? :) And do we have control over how the logo is shown?

@ChristophWurst
Member

ChristophWurst commented Jul 21, 2023

CKEditor is the editor we use for the body of new emails. I don't think we have direct control over where/how the logo shows but we might be able to tweak that with css. Yet that's something we have to check with the license of the editor.

@kesselb
Contributor

kesselb commented Jul 21, 2023

> And do we have control over how the logo is shown?

They provide a couple of customization options: https://ckeditor.com/docs/ckeditor5/latest/support/licensing/managing-ckeditor-logo.html#how-to-configure-the-layout-of-the-powered-by-ckeditor-logo

@kesselb
Contributor

kesselb commented Jul 21, 2023

Signature editor:

Screenshot from 2023-07-21 12-11-03

Composer view:

Screenshot from 2023-07-21 12-12-33

@kesselb
Contributor

kesselb commented Jul 21, 2023

As an idea:

Hiding the label and changing position is possible.

ui: {
	poweredBy: {
		position: 'inside',
		side: 'right',
		label: null,
		verticalOffset: 2,
		horizontalOffset: 2
	}
}

image

image

@nimishavijay
Member

Screenshots by @kesselb look good to me. If possible we could link the image to their website/repo. @jancborchardt is this ok with you?

@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 6d235ba to 3bb986f Compare August 2, 2023 10:51
@renovate renovate bot changed the title fix(deps): bump ckeditor family from 37.1.0 to v38 (main) (major) fix(deps): bump ckeditor family from 37.1.0 to v39 (main) (major) Aug 2, 2023
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 3bb986f to 61fe5ff Compare August 10, 2023 07:46
@jancborchardt
Member

jancborchardt commented Aug 10, 2023

Oh wow, that's sort of invasive and nerdy.

  • Is CKEditor not really open source, as in we can't hide the logo? (We can happily have a note of it in the bottom left settings.)
  • Do we have to link the logo? Bottom right is the best placement but I am worried about misclicks when sending.

@kesselb
Contributor

kesselb commented Aug 10, 2023

> Is CKEditor not really open source, as in we can't hide the logo? (We can happily have a note of it in the bottom left settings.)

Technically, we can hide the logo.

I can't judge whether that's okay or not. The topic is also discussed at ckeditor/ckeditor5#14082 (comment) and ckeditor/ckeditor5#14314.

> Do we have to link the logo? Bottom right is the best placement but I am worried about misclicks when sending.

They don't provide an option to not generate a link.

image

I moved the send button to the left. Not much better.

Screencast.from.2023-08-10.22-35-07.webm

That's super annoying. The logo is visible if you focus on the editor.
I am uncertain if that was already the case for 38 or is new in 39.

@marcoambrosini
Member

I also think that if it's open source we should hide the logo from the composer and add attribution in the app settings. Once those settings are moved to a settings dialog this could even be a small paragraph.

@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 61fe5ff to 305ca2e Compare September 6, 2023 10:35
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 305ca2e to c064b22 Compare October 4, 2023 13:15
@renovate renovate bot changed the title fix(deps): bump ckeditor family from 37.1.0 to v39 (main) (major) fix(deps): bump ckeditor family from 37.1.0 to v40 (main) (major) Oct 4, 2023
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from c064b22 to eac28f3 Compare October 5, 2023 07:20
@renovate renovate bot changed the title fix(deps): bump ckeditor family from 37.1.0 to v40 (main) (major) fix(deps): bump ckeditor family (main) (major) Oct 5, 2023
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 46df855 to c21ed19 Compare October 19, 2023 08:24
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from a115a27 to ac6eca5 Compare October 30, 2023 09:27
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 3 times, most recently from d81d651 to e2096c2 Compare May 23, 2024 13:02
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 5b7e393 to ab1491b Compare June 3, 2024 11:10
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from ab1491b to 04888b9 Compare June 17, 2024 07:21
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 4c79050 to 86e2016 Compare July 2, 2024 13:38
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 4 times, most recently from 57f1a63 to f8032bc Compare July 11, 2024 13:36
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 3 times, most recently from 103ccca to 9893f82 Compare July 23, 2024 09:44
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 2a10e35 to 1d4d11b Compare July 29, 2024 10:59
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 737ed98 to 36bfc52 Compare August 13, 2024 08:56
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from d175b1a to ad8c035 Compare September 5, 2024 10:34
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 2 times, most recently from 8b7ea29 to dc4d1f1 Compare September 13, 2024 23:13
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch 3 times, most recently from 34538c0 to 2238300 Compare October 2, 2024 09:09
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 2238300 to 90591d7 Compare October 2, 2024 12:40
@kesselb kesselb self-assigned this Oct 3, 2024
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/main-major-ckeditor-family branch from 90591d7 to fd4e919 Compare October 3, 2024 10:40