
fix(deps): bump ckeditor family (main) (major)

Open renovate[bot] opened this issue 2 years ago • 12 comments

This PR contains the following updates:

| Package | Change |
|---|---|
| @ckeditor/ckeditor5-alignment (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-basic-styles (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-block-quote (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-core (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-dev-utils (source) | 37.0.1 -> 43.0.0 |
| @ckeditor/ckeditor5-editor-balloon (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-editor-decoupled (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-essentials (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-font (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-heading (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-image (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-link (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-list (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-mention (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-paragraph (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-remove-format (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-theme-lark (source) | 37.1.0 -> 43.2.0 |
| @ckeditor/ckeditor5-upload (source) | 37.1.0 -> 43.2.0 |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

ckeditor/ckeditor5 (@ckeditor/ckeditor5-alignment)

v43.2.0

Compare Source

We are happy to announce the release of CKEditor 5 v43.2.0.

Release highlights
Notable improvements
  • Operational Transformation Stability: Significant changes have been made to the OT system, enhancing the undo functionality and real-time collaboration, especially in conflict resolution scenarios. These improvements ensure smoother editor operations during complex interactions.
  • Performance Improvements: We have merged several community-driven performance enhancements (thanks @sunesimonsen), that optimize the editor’s core engine. While no changes to the editor’s logic were made, these updates improve overall efficiency and responsiveness.
More imports available via ckeditor5 and ckeditor5-premium-features indexes

As users transition to new installation methods (v42.0.0+) with ckeditor5 and ckeditor5-premium-features as the main packages, we are continuously addressing missing imports for less common classes, functions, types, and utilities, broadening their availability. Since our TypeScript rewrite (v37.0.0), imports can now be made directly through the package indexes, simplifying integration. As many users historically imported from src, we encourage you to try the new version and report any missing imports. In the future, we are considering removing src from published packages to reduce package size, so the more feedback we receive, the better and more stable API we will provide.

Features
Bug fixes
  • ckbox: Editing inline images using CKBox no longer changes and reinserts them simultaneously. Closes #17056. (commit)
  • engine: Fixed incorrect marker handling in some scenarios involving undo and real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #9296. (commit)
  • engine: Fixed incorrect handling of merge changes during undo in some scenarios involving real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #9296. (commit)
  • engine: Fixed a conflict resolution error, which led to an editor crash in some scenarios where two users removed a larger intersecting part of the content and used undo. See #9296. (commit)
  • engine: Fixed incorrect undo behavior leading to an editor crash when a user pressed the Enter key multiple times, then pressed backspace that many times, then undid all the changes. Closes #9296. (commit)
  • theme-lark: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)
  • ui: Fixed scrolling in dropdowns when a block toolbar button is active. Closes #​17067. (commit)
  • ui: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)
Other changes
Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Releases containing new features:

Other releases:

v43.1.1

Compare Source

We are happy to announce the release of CKEditor 5 v43.1.1.

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package (CVE-2024-45613). This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

  1. The Block Toolbar plugin is enabled.
  2. One of the following plugins is also enabled:

You can read more details in the relevant security advisory and contact us if you have more questions.

Taking the occasion, we decided to introduce additional hardening to some parts of our codebase that introduce theoretical and unexploitable issues. Our security team confirmed that none of these issues were exploitable in a real scenario, however, we decided to fix them, in order to increase the overall security posture of our software.
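A dependency-pinning check for this advisory, added here as an example (not part of the Renovate PR or of CKEditor's code): it walks an npm package-lock.json and flags every @ckeditor/ckeditor5-* entry, including nested copies under other packages, that is older than the v43.1.1 release carrying the clipboard fix. It assumes CKEditor 5 packages are released in lockstep, so any package below 43.1.1 resolves a pre-fix clipboard; the lockfile content is constructed.

```javascript
// Added example, not CKEditor's or the PR's code: find CKEditor 5 packages in a
// package-lock.json that predate the v43.1.1 fix for CVE-2024-45613.
const FIXED_VERSION = '43.1.1';

// Minimal MAJOR.MINOR.PATCH comparison. Assumption: the CKEditor 5 releases
// listed on this page use plain numeric triples without pre-release tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfile v2/v3. Keys are node_modules paths, so
// nested duplicates (a plugin shipping its own old copy) are covered as well.
function findOutdatedCkeditor(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!name.startsWith('@ckeditor/ckeditor5-')) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ name, path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one pinned old core package, one already
// updated package, and an old clipboard copy nested under a third-party plugin.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'mail', version: '0.0.0' },
    'node_modules/@ckeditor/ckeditor5-core': { version: '37.1.0' },
    'node_modules/@ckeditor/ckeditor5-link': { version: '43.2.0' },
    'node_modules/some-plugin/node_modules/@ckeditor/ckeditor5-clipboard': { version: '41.0.0' },
  },
};

for (const f of findOutdatedCkeditor(sampleLock)) {
  console.log(`${f.name}@${f.version} (${f.path}) is below ${FIXED_VERSION}`);
}
```

On a real checkout, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the bump in this PR has not landed in the resolved tree.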

Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Other releases:

v43.1.0

Compare Source

We are happy to announce the release of CKEditor 5 v43.1.0.

Release highlights

This release includes important bug fixes and enhancements for the editor:

  • Block merge fields: In contrast to regular, inline merge fields, the block merge fields are designed to represent complex, block-level structures, such as a dynamically generated table, a row of products, or a personalized call-to-action segment. Block merge fields are supposed to be replaced by arbitrary HTML data when the document template is post-processed or exported to a PDF or Word file.

  • Nested dropdown menus: this release introduces a new UI component: nested dropdown menus. They can be used by feature developers to easily provide an advanced user interface where UI elements are organized into a nested menu structure.

  • Customizable accessible label: You can now configure the label for the accessible editable area through the editor settings, ensuring it fits your system’s needs.

  • Improved table and cell border controls: It is now easier to manage both table and cell borders. The table user interface now clearly indicates the default border settings, allowing you to set “no borders” (None) for tables and cells without any additional configuration.

    ⚠️ In some cases this update may lead to data changes in the tables’ HTML markup when the editor loads them. However, visually nothing will change, and the experience will be the same.

The full list of enhancements can be found below.

MINOR BREAKING CHANGES ℹ️
  • Reverted config.sanitizeHtml. In v43.0.0 we made a decision to move config.htmlEmbed.sanitizeHtml to a top-level property config.sanitizeHtml. However, we realized that it was a wrong decision to expose such a sensitive property in a top-level configuration property. Starting with v43.1.0 you should again use config.htmlEmbed.sanitizeHtml and/or config.mergeFields.sanitizeHtml. The editor will throw an error if config.sanitizeHtml is used. See the migration guide for additional context behind this decision.
  • ai: The structure and presentation of the list of AI commands in the toolbar have changed (a flat filtered list is now a nested menu). Additionally, if your integration customizes this user interface, please ensure your integration code is up-to-date.
  • ui: The default [aria-label] provided by InlineEditableUIView is now 'Rich Text Editor. Editing area: [root name]' (previously: 'Editor editing area: [root name]'). You can use the options.label constructor property to adjust the label.
Features
  • comments: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
  • media-embed: Added support for new Twitter domain (x.com) and Instagram Reels. Closes #16435. (commit)
  • merge-fields: Introduced block merge fields. They are a new type of merge fields which are treated as block content in the editor editing area.
  • track-changes: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
  • ui: Introduced nested menu component for dropdowns. Closes #6399. (commit)
  • ui: Added support for the balloon toolbar in the multi-root editor. Closes #14803. (commit)
  • Allowed to configure the accessible editable area label via the config.label property. Closes #15208, #11863, #9731. (commit)
Bug fixes
  • cloud-services: The refreshing mechanism (from the Token class) should retry after a failure to limit the chance of the user getting disconnected and data loss in real-time collaboration. (commit)
  • comments: The TrackChangesData#getDataWithAcceptedSuggestions() method will no longer throw errors when there are suggestions containing multi-range comments in tables.
  • document-outline: Editor no longer crashes during initialization when the TableOfContents and ImageBlock plugins are enabled. Closes ckeditor/ckeditor5#16915.
  • editor-classic: The widget toolbar no longer covers the editor's sticky toolbar when scrolling. Closes #15744. (commit)
  • editor-multi-root: The selection is no longer lost while clicking an editable containing only one block element. Closes #16806. (commit)
  • engine: Prevent editor crashes when trying to style a long paragraph. Closes #16819. (commit)
  • html-support: The <hgroup> and <summary> elements should work with the source editing feature. Closes #16947. (commit)
  • list: A to-do list should preserve the state of the checked items on the data load. Closes #15602. (commit)
  • table: Changed default table and table cell properties to match the content styles. It fixes a problem with setting [border=none] on the table. Closes #6841. ([commit](https://redirect.github.com/ckeditor/ckedi

Configuration

📅 Schedule: Branch creation - "before 5am on wednesday" in timezone Europe/Vienna, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot], Jul 21 '23 08:07

@kesselb this one is for you :)

ChristophWurst, Jul 21 '23 08:07

https://github.com/ckeditor/ckeditor5/issues/14082

^ @jancborchardt @marcoambrosini @nimishavijay ckeditor will show a ckeditor logo with v38 and later. Would that be a problem for us design-wise?

ChristophWurst, Jul 21 '23 08:07

Where is this ckeditor used? :) And do we have control over how the logo is shown?

nimishavijay, Jul 21 '23 10:07

CKEditor is the editor we use for the body of new emails. ~~I don't think we have direct control over where/how the logo shows but~~ we might be able to tweak that with css. Yet that's something we have to check with the license of the editor.

ChristophWurst, Jul 21 '23 10:07

> And do we have control over how the logo is shown?

They provide a couple of customization options: https://ckeditor.com/docs/ckeditor5/latest/support/licensing/managing-ckeditor-logo.html#how-to-configure-the-layout-of-the-powered-by-ckeditor-logo

kesselb, Jul 21 '23 10:07

Signature editor:

Screenshot from 2023-07-21 12-11-03

Composer view:

Screenshot from 2023-07-21 12-12-33

kesselb, Jul 21 '23 10:07

As an idea:

Hiding the label and changing position is possible.

```js
ui: {
	poweredBy: {
		position: 'inside',      // render the logo inside the editable area
		side: 'right',
		label: null,             // hide the "Powered by" text, keep only the logo
		verticalOffset: 2,
		horizontalOffset: 2
	}
}
```

image

image

kesselb, Jul 21 '23 10:07

Screenshots by @kesselb look good to me. If possible we could link the image to their website/repo. @jancborchardt is this ok with you?

nimishavijay, Jul 21 '23 12:07

Oh wow, that's sort of invasive and nerdy.

  • Is CKEditor not really open source, as in we can't hide the logo? (We can happily have a note of it in the bottom left settings.)
  • Do we have to link the logo? Bottom right is the best placement but I am worried about misclicks when sending.

jancborchardt, Aug 10 '23 09:08

> Is CKEditor not really open source, as in we can't hide the logo? (We can happily have a note of it in the bottom left settings.)

Technically, we can hide the logo.

I can't judge whether that's okay or not. The topic is also discussed at https://github.com/ckeditor/ckeditor5/issues/14082#issuecomment-1605287429 and https://github.com/ckeditor/ckeditor5/issues/14314.

> Do we have to link the logo? Bottom right is the best placement but I am worried about misclicks when sending.

They don't provide an option to not generate a link.

image

I moved the send button to the left. Not much better.

Screencast from 2023-08-10 22-35-07.webm

That's super annoying. The logo is visible if you focus on the editor. I am uncertain if that was already the case for 38 or is new in 39.

kesselb, Aug 10 '23 20:08

I also think that if it's open source we should hide the logo from the composer and add attribution in the app settings. Once those settings are moved to a settings dialog this could even be a small paragraph.

marcoambrosini, Aug 10 '23 23:08