Build(deps): [Security] Bump @ckeditor/ckeditor5-widget from 16.0.0 to 28.0.0

[dependabot-preview]

Bumps @ckeditor/ckeditor5-widget from 16.0.0 to 28.0.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regular expression Denial of Service in multiple packages

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Affected versions: <= 26.0.0

Release notes

Sourced from @​ckeditor/ckeditor5-widget's releases.

v28.0.0

Release highlights

We are happy to announce the release of CKEditor 5 v28.0.0.

This release introduces several new features:

• The Revision History feature, that allows the users to create, view and restore named content versions.
• The possibility to add captions to tables.
• The ability to specify the default properties for tables and table cells.
• The new allowChildren property for the data schema item definition.
• The Export to PDF and Export to Word features are now enabled in the read-only mode.
• Introducing the plugin metadata and documenting the HTML output of all editor features.

There were also a few bug fixes:

• Word can now properly open a file with nested tables exported from CKEditor 5.
• Pasting in the horizontal caret no longer replaces the widget.
• Correcting spelling in a list does not throw an error anymore.
• Toolbar navigation with the keyboard works in the right direction in an RTL text.
• The media embed supports whichever URL scheme for Google Maps.

MAJOR BREAKING CHANGES

Note: Check out the Migration to CKEditor 5 v28.0.0 guide for more detailed information on how to upgrade to the current version.

• All the packages use multiple exports instead of the one object in the src/index.js file. The list of affected packages.

MINOR BREAKING CHANGES ℹ️

• engine: Styles definitions for the border:* property produced by the StylesProcessor will now be merged as a single border:* property if all its properties (width, style, and color) for all edges (top, right, bottom, left) are the same.
• table: The TablePropertiesView and TableCellPropertiesView classes require additional property in the object as the second constructor argument (options.defaultTableProperties for the table and options.defaultTableCellProperties for table cells).
• table: The upcastBorderStyles() conversion helper requires a third argument called defaultBorder. The object defines the default border (width, color, style) properties.
• table: The following conversion helpers: upcastStyleToAttribute(), downcastAttributeToStyle(), downcastTableAttribute() accept two arguments now (the conversion and the options objects). Previous usage: conversionHelper( conversion, /* ... */ ) should be replaced with conversionHelper( conversion, { /* ... */ } ).
• table: Values for the borderColor, borderStyle, borderWidth, and padding model attributes are unified (to values produced by the editor itself) while upcasting the table or table cells if all sides (top, right, bottom, and left) have the same values. Previously, the <table style="border: 1px solid #ff0"> element was upcasted to <table borderStyle="{"top":"solid","right":"solid","bottom":"solid","left":"solid"}" borderColor="{...}" borderWidth="{...}">. Now the object will be replaced with the string value: <table borderStyle="solid" borderColor="#ff0" borderWidth="1px">. The same structure is created when using the editor's toolbar. If border values are not identical, the object notation will be inserted into the model (as it is now).
• table: The following classes require the second argument called defaultValue which is the default value for the command:
  • TableCellHorizontalAlignmentCommand,
  • TableCellVerticalAlignmentCommand,
  • TableCellBackgroundColorCommand,
  • TableCellBorderColorCommand,
  • TableCellBorderStyleCommand,
  • TableCellBorderWidthCommand,
  • TableCellHeightCommand,
  • TableCellPropertyCommand,
  • TableCellWidthCommand,
  • TableCellPaddingCommand,
  • TableAlignmentCommand,
  • TableBackgroundColorCommand,

... (truncated)

Changelog

Sourced from @​ckeditor/ckeditor5-widget's changelog.

Changelog

All changes in the package are documented in the main repository. See: https://github.com/ckeditor/ckeditor5/blob/master/CHANGELOG.md.

Changes for the past releases are available below.

19.0.0 (2020-04-29)

MINOR BREAKING CHANGES

• Make sure the latest version of the Essentials plugin or the SelectAll plugin is installed in your integration. Either is required for proper keystroke handling in editor widgets.

Bug fixes

• Image resize now cleans up temporary view width style changes. Closes ckeditor/ckeditor5#6060. (92226f9)

Other changes

• Moved the Ctrl+A keystroke handling in widgets to the SelectAll plugin (see ckeditor/ckeditor5#6536). (57eb263)
• Updated translations. (79d1a21)

18.0.0 (2020-03-19)

Internal changes only (updated dependencies, documentation, etc.).

17.0.0 (2020-02-19)

MINOR BREAKING CHANGES

• Resizer options object now also takes an editor instance.

Features

• Introduced API to temporarily disable the WidgetToolbarRepository plugin (prevent the toolbar from showing up). Closes ckeditor/ckeditor5#5964. (b9cf062)

Bug fixes

• Fixed image resize behavior upon short clicking a handle without dragging. Image will no longer became full width, nor will it briefly flash an unexpected size. Closes ckeditor/ckeditor5#5189. Closes ckeditor/ckeditor5#5195. (d6a5c93)

Other changes

• Align code to changes in Plugin API. (81bb636)
• Updated translations. (75b8c83)

Commits

• e670349 Release: v28.0.0.
• 182dda1 Internal: Updated dependencies. [skip ci]
• ed70b6f Other: Updated translations. [skip ci]
• b4b2db7 Fixed a memory leak.
• 60e1ef5 Merge branch 'stable'
• 6e44d34 Release: v27.1.0.
• d24c7bf Internal: Updated dependencies. [skip ci]
• 6a37ecc Merge pull request #9428 from ckeditor/i/9261
• 0b0f296 Docs.
• 3958290 Widget type around should disable model.deleteContent while the fake caret is...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)