Problem/Motivation
CKEditor 5 has released a security update: https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1
The CKEditor team has determined that Drupal core is not affected by this vulnerability but we should upgrade anyway to avoid security scanners complaining.
Steps to reproduce
Proposed resolution
Update CKEditor5 to v43.1.1 in all supported branches down to 10.2.x, if possible.
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
CKEditor 5 is updated to 43.1.1. This is a security release.
The CKEditor team has determined that Drupal core is not affected by this vulnerability but we upgraded anyway to avoid security scanners complaining.
Comments
Comment #4
spokje: Let's start this with an MR for 11.x only for now to see what breaks.
Comment #5
spokje: Unsure if this needs some manual testing before creating the backport MRs, but I've run out of time for today anyway, so NR for now.
Comment #6
smustgrave: Applied locally for 11.x at least and didn't notice anything off.
Comment #7
spokje: Added release note snippet.
Comment #8
spokje
Comment #13
spokje: Thanks @smustgrave.
Added backport MRs:
10.2.x: MR !9706
10.3.x: MR !9705
10.4.x: MR !9704
11.0.x: MR !9703
11.x: MR !9702
So this is where the fun starts...
We're making quite big bumps in 10.3.x and 10.2.x.
I remember that there were CKEditor5 bumps on the more current branches that needed to adjust tests to appease the new CKEditor5 versions.
Seems like, if we want to make this work, we need to backport these as well.
I'm a bit unsure if we want to go through that effort for older branches and need some guidance on that.
Besides that, the spellcheck job on 11.0.x seems borked on the GitLab side: I've hit the below error regarding artifact uploading 4 times now:
This might be a temporary thingy, so we might want to retry this a bit later.
Comment #14
spokje: Bonus thought:
We might want to get #3477805: Update Webpack to 5.95.0 in first, that one is all green and might cause merge conflicts with this one.
Comment #15
spokje
Comment #26
nod_: Version 42.2.0 got out a few days ago but committing this since it's ready.
Comment #28
nod_: Seems like it broke a few things.
Comment #30
spokje: If this needs backporting to 10.2.x, it's also gonna need some JS-test-fixes backported.
Unsure if we want to go through that amount of trouble for a Security Release that doesn't affect us?
I'll leave that question for core committers to ponder about.
Comment #32
nod_: And 10.3.x is not happy either. I suspect the 10.3.x fix would fix 10.2.x too.
Comment #33
catch: It looks like there's a version mismatch in the ckeditor5 alignment version on 11.0.x, see notes in #3479160: 11.0.x yarn dependencies have mushroomed.
Comment #34
xjm: We had previously discussed for this issue that we would not backport this update to 10.2 unless CKSource could provide us a non-standard release on the old major that 10.2 was using, because the changes in CKEditor 5 v41 that were released in Drupal 10.3 broke a number of contributed modules. So this should only be backported to 10.2 if it also comes with a backport to CKEditor 40.
Comment #36
xjm: Adding @quietone to the credits since she also contributed to the ongoing RM discussions about this issue.
Comment #39
el7cosmos: I updated tests for 10.3 per #3459926-14: Update CKEditor 5 to 42.0.0. I have pushed the changes but can't reopen the MR, should I create a new MR?
Comment #40
prudloff
Comment #41
quietone
Comment #42
longwave: Let's just close this out now, we aren't going to upgrade 10.3 any more, and CKEditor v45 is out which we will try to upgrade to for 11.2/10.5.