This repository has been archived by the owner on Jun 22, 2021. It is now read-only.

Build(deps): [Security] Bump @ckeditor/ckeditor5-markdown-gfm from 16.0.0 to 27.1.0 #252

Conversation

dependabot-preview[bot]

Bumps @ckeditor/ckeditor5-markdown-gfm from 16.0.0 to 27.1.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regular expression Denial of Service in multiple packages

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed abuse of particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Affected versions: <= 26.0.0

Sourced from The GitHub Security Advisory Database.

Regular expression Denial of Service in Markdown plugin

Impact

A regex denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed abuse of the link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 25.0.0.

Workarounds

A user could work around the issue by:

  • Upgrading CKEditor 5 to version 25.0.0.
  • Disabling the Markdown plugin.

For more information

If you have any questions or comments about this advisory:

Acknowledgements

The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from the GitHub team for reporting it.

Affected versions: <= 24.0.0

Release notes

Sourced from @ckeditor/ckeditor5-markdown-gfm's releases.

v27.1.0

Release highlights

We are happy to announce the release of CKEditor 5 v27.1.0.

This release introduces some new features:

There were also a few bug fixes:

MINOR BREAKING CHANGES ℹ️

  • engine: Added the new useFillerType() method in the DataProcessor interface. Classes based on this interface should implement useFillerType() to avoid errors.
  • upload: The asynchronous SimpleUploadAdapter#upload() method resolves to an object with normalized data including the urls object, which was only returned before. This may affect all integrations depending on the SimpleUploadAdapter uploading mechanism.

Features

  • alignment: Added support for the deprecated align attribute. Closes #9193. (commit)
  • block-quote: Added support for nested block quotes. Check the migration guide if you want to disable this behavior and disallow nesting quotes. Closes #9210. (commit)
  • engine: Introduced new "markedNbsp" block filler mode in DomConverter, in which <span data-cke-filler="true">&nbsp;</span> is inserted, to prevent leaking extra space characters into the data. (commit)
  • engine: Introduced useFillerType() in HtmlDataProcessor and XmlDataProcessor to switch between using marked and regular nbsp block fillers. Closes #9345. (commit)
  • engine: Enabled marker downcast for document fragments. Closes #9460. (commit)
  • image: Introduced the uploadComplete event in ImageUploadEditing that allows customizing the image element (e.g. setting custom attributes) based on the data retrieved from the upload adapter. Closes #5204. (commit)
  • media-embed: Introduced the config.mediaEmbed.elementName to allow setting semantic element name. Closes #9373. (commit)
  • table: Added support for nested tables. Check the migration guide if you want to disable this behavior and disallow nesting tables. Closes #3232. (commit)
  • upload: The upload adapters' asynchronous #upload() method resolves to an object with additional properties along with the urls hash. See more in #5204. (commit)

Bug fixes

  • clipboard: The selection was stuck and impossible to change in read-only mode. Closes #9372. (commit)
  • clipboard: The nested editable element should not be dragged. Closes #9370. (commit)
  • code-block: Markers created in or on code block element are now preserved after the document is loaded. Closes #9402. (commit)
  • core: The MultiCommand.execute() method prevents calling undefined commands. (commit)
  • engine: While setting attributes upon upcast conversion, do not override attributes that have already been set. The correct behavior is to keep the attributes applied by the deepest nodes in the view tree as, in most cases, the deepest node will have precedence (e.g. an inline style applied by the deepest node). Closes #8921. (commit)
  • track-changes: Accepting multiple "turn on/off list item" suggestions (created by multiple users) that should cause the same effect will have a correct result now.
  • watchdog: Removed imports from the ckeditor5 package. Closes #9315. (commit)
  • widget: Hide the selection handler in the nested widget if the outer widget is hovered or selected. Closes #9453, #8964. (commit)
  • The editor was not initialized with the empty data for config.initialData set to an empty string. Closes #8974. (commit)

... (truncated)

Changelog

Sourced from @ckeditor/ckeditor5-markdown-gfm's changelog.

Changelog

All changes in the package are documented in the main repository. See: https://github.com/ckeditor/ckeditor5/blob/master/CHANGELOG.md.

Changes for the past releases are available below.

19.0.0 (2020-04-29)

Internal changes only (updated dependencies, documentation, etc.).

18.0.0 (2020-03-19)

MAJOR BREAKING CHANGES

  • The GFMDataProcessor() requires the view document instance as its first parameter.

Other changes

17.0.0 (2020-02-19)

Internal changes only (updated dependencies, documentation, etc.).

Commits
  • 6e44d34 Release: v27.1.0.
  • d24c7bf Internal: Updated dependencies. [skip ci]
  • 5217b30 Merge pull request #9357 from ckeditor/i/9345
  • 93b106b Added DataProcessor#useFillerType(). Added GFMDataProcessor#useFillerType().
  • bf30aaa Release: v27.0.0.
  • 171b24a Internal: Updated dependencies. [skip ci]
  • bf1908c Docs: markdown update.
  • f876ca4 Limited the TLD length
  • bf692af Fixed domain matcher
  • e36175e Improved handling of repeating characters
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on Apr 22, 2021
dependabot-preview[bot] (Author)

Superseded by #276.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/ckeditor/ckeditor5-markdown-gfm-27.1.0 branch June 9, 2021 05:00