[Snyk] Upgrade ckeditor5 from 44.1.0 to 44.3.0 #4
Snyk has created this PR to upgrade ckeditor5 from 44.1.0 to 44.3.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 29 versions ahead of your current version.
The recommended version was released 25 days ago.
Release notes
Package name: ckeditor5
We are happy to announce the release of CKEditor 5 v44.3.0.
Release Highlights
This release brings a couple of minor improvements and bug fixes:
rel attribute. The fix happened so deep in the engine that we improved the overall performance of the editor slightly as well.
EmptyBlock plugin: From now on, new plugin prevents adding to the output data of blocks, works similarly to the fillEmptyBlocks configuration in CKEditor 4.
<hr> element in the General HTML Support plugin enhanced: attributes of the <hr> element are now properly preserved if configuration allows it.
For more details, see the changelog below.
MINOR BREAKING CHANGES ℹ️
ViewConsumable.consumablesFromElement() is removed and replaced with the view.Element#_getConsumables() internal method. You should use ViewConsumable.createFrom() to create consumables if needed.
ViewElementConsumables now accepts and outputs only normalized data. The ViewConsumable still accepts normalized or non-normalized input.
Matcher#match() and Matcher#matchAll() output is now normalized. The MatchResult#match now contains normalized data compatible with changes in the ViewConsumable.
Features
SchemaContext class from package. Closes #18003. (commit)
<hr> element. Closes #12973. (commit)
EmptyBlock plugin that prevents adding to output data. (commit)
Bug fixes
[rel] attribute will now allow mixing manual link decorators for the same attribute, as it will be now handled as a token list. Closes #13985, Closes #6436. (commit)
<span> when GHS is enabled. Closes #15329. (commit)
Other changes
viewToPlainText() function. Closes #17950. (commit)
config.users.getInitialsCallback. It allows providing a custom callback function for user initials generation.
emoji.useCustomFont option to disable the filtering mechanism. Closes #18029. (commit)
) are ignored while loading editor data. (commit)
Released packages
Check out the Versioning policy guide for more information.
Released packages (summary)
Minor releases (contain minor breaking changes):
Releases containing new features:
Other releases:
We are happy to announce the release of CKEditor 5 v44.2.1.
During a recent internal audit, we identified a cross-site scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package (CVE-2025-25299). This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document.
This vulnerability affects only installations with real-time collaborative editing enabled.
You can read more details in the relevant security advisory and contact us if you have more questions.
Bug fixes
Other changes
Released packages
Check out the Versioning policy guide for more information.
Released packages (summary)
Other releases:
We are happy to announce the release of CKEditor 5 v44.2.0.
Release Highlights
🖥️ Enhanced Source Code Editing (⭐)
Introducing new premium feature: Enhanced Source Code Editing. It displays the source code in a dialog and is compatible with all editor types. It offers syntax highlighting, code completion, code folding, and other advanced functionalities. Additionally, it supports both HTML and Markdown formats.
📤 Uploadcare and image optimizer (⭐)
We have integrated the Uploadcare image manager service, enabling you to upload and edit images to their cloud environment. You can upload files from various sources, including local devices, social media, or online drives ensuring rapid uploads. The integration takes care of efficient media delivery with responsive images mechanism, making sure your users will save bandwidth and have faster website loading. You can also optimize images with the built-in image editor which offers a range of features, such as cropping, rotating, flipping, photo filters and more. All this directly from the editor, try it out!
🖼️ Image Merge Fields (⭐)
Image merge fields are a new type of merge fields, dedicated for image placeholders. They maintain all standard image interactions, like styling, resizing or captions (in which you can use merge fields too!) At the same time, they keep all merge fields functionalities, like data previews or document export integration. In the document data, image merge fields are represented like other images, however their src attribute is set to a respective merge field, for example, src="{{CompanyLogo}}", making them easy to post-process!
📝 Track Changes Preview (⭐)
We have added the preview mode that displays a document with all suggestions accepted. Accessible from the track changes dropdown, this modal preview helps check the final content without extensive markers.
😀 Emoji support
They are here! 🎉 🥳 🎊 Insert emojis effortlessly in the editor by typing : or through a user-friendly emoji picker. This feature enhances the richness of your content by allowing quick access to a wide range of emojis.
⚡ Performance improvements: Part 4
Here comes the final batch of the planned performance improvements in the editor loading speed area, that we worked on through a couple of past releases.
Mapper now handles model-to-view mappings, substantially improving performance for loading and saving data.
[loading="lazy"] in the editing area, optimizing the loading time (read more on MDN). This attribute is only applied during editing to enhance the loading efficiency of images, and it does not reflect in the final data output.
We are greatly satisfied with the improved editor loading times. At the same time, we acknowledge some other problematic areas, and we will keep delivering more performance-related improvements in the future.
MINOR BREAKING CHANGES ℹ️
Mapper#registerViewToModelLength() is now deprecated and will be removed in one of the upcoming releases. This method is useful only in obscure and complex converters, where model element, or a group of model elements, are represented very differently in the view. We believe that every feature using a custom view-to-model length callback can be rewritten in a way that this mechanism is no longer necessary. Note: if this method is used, the caching mechanism for Mapper will be turned off which may degrade performance when handling big documents. Note: this method is used by the deprecated legacy lists feature. As a result, you will not experience the performance improvements if you are still using the deprecated legacy lists feature.
[height] and [width] attributes set will automatically receive the [loading="lazy"] attribute in the editing area. This happens only for the content loaded into the editor, the data output produced by the editor remains the same. The reason for this change is to improve user experience in documents that may contain hundreds of images.
lower-alpha and upper-alpha list styles are now upcasted to lower-latin and upper-latin styles.
MergeFieldsEditing#getLabel() method will now return null instead of the merge field id if the merge field definition was not found or it did not contain the label property.
[style] attribute with word-wrap: break-word will not be converted to <code>. See #17789.
Features
ai.aiAssistant.preserveComments flag. Note, that the actual result depends on the response provided by the AI model (AI model has to keep the comments markup in the response). Additionally, the copy-paste comments functionality must be enabled (configured by comments.copyMarkers).
ai.aiAssistant.removeCommands configuration now allows removing entire command groups.
viewToPlainText() helper will now parse the view RawElement instances. Closes #17746. (commit)
InsertImageCommand with the breakBlock flag. Closes #17742. (commit)
lower-alpha and upper-alpha list type highlighting in the list style properties buttons. Closes #17424. (commit)
[data-merge-field-name] attribute in the editing pipeline.
$labels.
.ck-with-instant-tooltip class may now be used to display the tooltip without the delay. Closes #17743. (commit)
SimpleUploadConfig#headers property. Closes #15693. (commit)
collectStylesheets() helper function to retrieve style sheets from the provided URLs. (commit)
Bug fixes
Code feature should not convert element with the word-wrap: break-word style into the <code> tag. Closes #17789. (commit)
cloudServices.tokenUrl method failed in the initialization of the plugin. Closes #17531. (commit)
Context mechanism.
ClassicEditorUIView from package. (commit)
<th> cells following colspan rows. Closes #17556, #17404. (commit)