
Upgrade Quill Dependency to 2.0.0-rc.4

Open Repugraf opened this issue 10 months ago • 6 comments

This PR updates the quill dependency in react-quill from an outdated version (1.3.7) to the latest release candidate, 2.0.0-rc.4. The previous major version of Quill has not been updated for over five years and includes several security vulnerabilities that have been resolved in version 2.0.

Key Changes

  • Version Upgrade: The upgrade to Quill 2.0.0-rc.4 addresses critical security concerns, ensuring a safer and more reliable library for our users.
  • Enhanced Security: The new version includes patches for vulnerabilities identified in the earlier releases, significantly improving the overall security posture of applications using react-quill.
  • Future-Proofing: By staying current with Quill's latest versions, we ensure compatibility with future updates and maintain the robustness of react-quill.

Repugraf, Apr 04 '24 12:04

You forgot to update the yarn lock file. Also, Quill 2.0.0-rc.5 is out, so might as well bump it.

Do note that 2 other PRs have been created in the last few years attempting this same upgrade, but neither was merged: #507 and #711.

It's also worth noting that QuillJS v1.3.7 relies on browser mutation events, which are deprecated and will be removed from Chrome in July 2024. This means react-quill as it is today will not work on Chrome without this change after July 23, 2024. See https://developer.chrome.com/blog/mutation-events-deprecation

The last time we heard from one of the maintainers of react-quill regarding this was in November of 2023: https://github.com/zenoamaro/react-quill/issues/914#issuecomment-1816894067

adgoncal, Apr 09 '24 20:04

It looks like Quill 2.0 has been officially released. I think this PR will also need to support Quill 2.0. Is it okay if I create a new Pull Request that is compatible with the new Quill 2.0?

piesuke, Apr 19 '24 06:04

Hello. Any updates on when this will be merged? Would like to address the DomNodeInserted deprecation message.

mparisi76, May 20 '24 10:05

Hey there, when will this get merged?

dextel2, May 29 '24 09:05

I would like to know as well.

HiroakiLion, Jun 07 '24 13:06

My (limited) understanding is that this would include the same breaking changes for react-quill users as detailed on https://quilljs.com/docs/upgrading-to-2-0, right?

If so, it would probably be wise to add a call-out in the readme && changelog to the relevant document.

yuri-scarbaci-lenio, Sep 20 '24 14:09