fix(deps): update dependency tinymce to v7.2.1 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tinymce (source)	7.2.0 -> 7.2.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-29881

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload.

Fix

TinyMCE 6.8.1 introduced a new convert_unsafe_embeds option to automatically convert object and embed elements respective of their type attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds option is enabled by default.

Workarounds

If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs.

Acknowledgements

Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.

References

• TinyMCE 6.8.1
• TinyMCE 7.0.0

CVE-2024-38356

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.

Fix

To avoid this vulnerability:

• Upgrade to TinyMCE 7.2.0 or higher.
• Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
• Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

References

• TinyMCE 6.8.4
• TinyMCE 7.2.0

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]
• Open an issue in the TinyMCE repo

CVE-2024-38357

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed.

Fix

To avoid this vulnerability:

• Upgrade to TinyMCE 7.2.0 or higher.
• Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
• Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.

References

• TinyMCE 6.8.4
• TinyMCE 7.2.0

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]
• Open an issue in the TinyMCE repo

---

Release Notes

tinymce/tinymce (tinymce)

v7.2.1

Compare Source

Fixed

• Text content could move unexpectedly when deleting a paragraph. #TINY-10590
• Cursor would shift to the start of the editor body when focus was shifted to a noneditable cell of a table. #TINY-10127
• Long translations of the bottom help text would cause minor graphical issues. #TINY-10961
• Open Link button was disabled when selection partially covered a link or when multiple links were selected. #TINY-11009

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: react-front-end/package-lock.json

npm WARN skipping integrity check for git dependency ssh://[email protected]/apereo/openEQUELLA-cloudprovidersdk.git 
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm ERR! code 127
npm ERR! path /tmp/renovate/repos/github/openequella/openEQUELLA/oeq-ts-rest-api
npm ERR! command failed
npm ERR! command sh -c -- cd gen-io-ts && npm ci && npm run gen && cd -
npm ERR! added 70 packages, and audited 71 packages in 5s
npm ERR! 
npm ERR! 2 vulnerabilities (1 moderate, 1 high)
npm ERR! 
npm ERR! To address all issues, run:
npm ERR!   npm audit fix
npm ERR! 
npm ERR! Run `npm audit` for details.
npm ERR! 
npm ERR! > [email protected] gen
npm ERR! > ts-node src/index.ts --source ../src --dest ../src/gen  && eslint --fix ../src
npm ERR! 
npm ERR! Searching TS files from directory: /tmp/renovate/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src
npm ERR! Searching TS files from directory: /tmp/renovate/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src/fp-ts-ord
npm ERR! Searching TS files from directory: /tmp/renovate/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src/gen
npm ERR! Writing codec content to Acl.ts...
npm ERR! Writing codec content to AdvancedSearch.ts...
npm ERR! Writing codec content to BatchOperationResponse.ts...
npm ERR! Writing codec content to BrowseHierarchy.ts...
npm ERR! Writing codec content to Collection.ts...
npm ERR! Writing codec content to Common.ts...
npm ERR! Writing codec content to Drm.ts...
npm ERR! Writing codec content to Errors.ts...
npm ERR! Writing codec content to FacetedSearchSettings.ts...
npm ERR! Writing codec content to Favourite.ts...
npm ERR! Writing codec content to Hierarchy.ts...
npm ERR! Writing codec content to LegacyContent.ts...
npm ERR! Writing codec content to LtiPlatform.ts...
npm ERR! Writing codec content to MimeType.ts...
npm ERR! Writing codec content to Schema.ts...
npm ERR! Writing codec content to Search.ts...
npm ERR! Writing codec content to SearchFacets.ts...
npm ERR! Writing codec content to SearchFilterSettings.ts...
npm ERR! Writing codec content to SearchSettings.ts...
npm ERR! Writing codec content to Security.ts...
npm ERR! Writing codec content to Settings.ts...
npm ERR! Writing codec content to Taxonomy.ts...
npm ERR! Writing codec content to Theme.ts...
npm ERR! Writing codec content to UserQuery.ts...
npm ERR! Writing codec content to WizardCommonTypes.ts...
npm ERR! Writing codec content to WizardControl.ts...
npm ERR! sh: 1: eslint: not found

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-09-25T14_46_13_620Z-debug-0.log