Skip to content

Bump tinymce and @plone/mockup in /backend#57

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/multi-ada64120c3
Open

Bump tinymce and @plone/mockup in /backend#57
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/multi-ada64120c3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown

Bumps tinymce to 8.6.0 and updates ancestor dependency @plone/mockup. These dependencies need to be updated together.

Updates tinymce from 5.10.9 to 8.6.0

Changelog

Sourced from tinymce's changelog.

8.6.0 - 2026-06-03

Security

  • Updated DOMPurify version to 3.4.5. #TINY-14430

8.5.1 - 2026-05-19

Security

  • Fixed media plugin data-mce-object injection leading to stored XSS. #TINY-14357
  • Fixed stored XSS vulnerability through mce:protected comments. #TINY-14353
  • Fixed stored XSS vulnerability through data-mce- prefixed src, href, style attributes. #TINY-14333

8.5.0 - 2026-04-29

Added

  • New content_language option to set the lang attribute on the iframe's html element or the inline editor's target element. #TINY-11214

Improved

  • Improved visual styling of inline diff highlights in Suggested Edits and TinyMCE AI plugin. #TINY-13958

Fixed

  • Script and style elements would incorrectly be removed by DomPurify when considered valid in the schema. #TINY-9655
  • Iframe elements with children would incorrectly be removed by DomPurify. #TINY-9655
  • Certain combinations of divs inside of lists would cause issues turning off lists. #TINY-14070
  • Certain selections would delete the editor body, causing issues. #TINY-14149
  • URIs with non-Latin1 characters were returning an error. #TINY-13938
  • Alert and confirm dialogs were not announced properly by some screen readers. #TINY-13812

8.4.0 - 2026-03-31

Added

  • New view_show option to display a specified view on initialization. #TINY-11967
  • New errorHandler option for dropzone dialog components. #TINY-13420
  • The noneditable feature can now be disabled with the new allow_noneditable option. #TINY-10121
  • Editor option content_id for uniquely identifying the edited document. #TINY-13379
  • New table_default_header_rows and table_default_header_cols options to set the default header size for new tables #TINY-13391

Improved

  • The file upload feature of link and image dialogs now provide feedback when an unsupported file type is selected. #TINY-13420
  • Directionality buttons now only appear active when directionality is set on the selected block. #TINY-13337
  • Directionality buttons now always toggle the directionality attribute on selected blocks. #TINY-13337

Changed

  • The border-color style with multiple rgb colors would be compressed into border incorrectly #TINY-13393
  • Element Path now uses the ARIA-role "group" with an aria-label #TINY-13338

Fixed

  • Now link dialog allows uploading empty files. #TINY-13421
  • The link dialog now allows uploading empty files. #TINY-13421
  • Bundled content CSS is now loaded into preview iframes. #TINY-13190

... (truncated)

Commits
  • 855e368 TINY-14412: Stabilise changelog for 8.6 release
  • 15fb98d TINY-14412: Update version for 8.6.0 release
  • 9cd93d9 TINY-14430: Updated dompurify to 3.4.5 (#11120)
  • cdeb5c1 TINY-14224: Bump version for next patch release
  • 03573dd TINY-14224: Fix failing test for 8.5.1 patch release
  • e0d0804 TINY-14224: Lint fix for 8.5.1 patch release
  • c46e8ee TINY-14224: Add changelog for 8.5.1 patch release
  • 8da3e85 TINY-14357: Fixed data-mce-object injection (#18)
  • 3507b58 TINY-14353: Fixed stored XSS vulnerability through mce:protected comments (...
  • 19f56a7 TINY-14333: Fixed stored XSS vulnerability through data-mce- prefixed src...
  • Additional commits viewable in compare view

Updates @plone/mockup from 5.1.12 to 5.6.7

Release notes

Sourced from @​plone/mockup's releases.

Release 5.6.7

5.6.7 (2026-06-16)

Bug Fixes

  • modal: title extraction method (jquery removed .context) (f36a28e)

Maintenance

  • bundle: update release-it config for maintenance branch (8b30efd)

Release 5.6.4

5.6.4 (2026-05-18)

Maintenance

  • bundle: Upgrade dependecies. (949f8df)

Release 5.6.0

5.6.0 (2026-03-24)

Features

  • pat contentbrowser: Upgrade to Svelte 5 with runes support. (c48cf54)

  • pat datatables: Upgrade datatables.net (55984b0)

  • pat-contentbrowser: Show images in selected items without padding. (10fef83)

  • pat-navigationmarker: Add in-path-class and current-class parameters to customize the marker CSS classes. (83f3339)

  • pat-navigationmarker: Add support for navigate event. (418b0c5)

    Re-mark the navigation items when a location URL change has been happened resp. a event was triggered.

  • pat-navigationmarker: Also mark the anchor itself as current. (8c1e1cb)

  • pat-navigationmarker: Make the nav item wrapper configurable. (55060ba)

... (truncated)

Changelog

Sourced from @​plone/mockup's changelog.

5.6.7 (2026-06-16)

Bug Fixes

  • modal: title extraction method (jquery removed .context) (f36a28e)

Maintenance

  • bundle: update release-it config for maintenance branch (8b30efd)

5.6.6 (2026-06-08)

Bug Fixes

  • pat querystring: fix issue with the new select2 native events where e.val is undefined (cb83396)

5.6.5 (2026-06-08)

Features

  • pat-select2: Dispatch native blur event on select2 changes. (3290a6f)

    When Select2 looses focus a jQuery blur event is thrown. This is not catched by native JavaScript event handler. This is now fixed - a Select2 blur event also throws a native blur event on the original input or select element.

This aligns the behavior to pat-auto-suggest from @​patternslib/patternslib.

  • pat-select2: Dispatch native input event on select2 changes. (6d88723)

    When a selection change was done in pat-select2, the Select2 library was only firing a jQuery change event which was never caught by native JavaScript event handlers. This is now fixed - on a Select2 change event a native JavaScript input event is fired. The input event is used as it is the better choice. The native change event has some limitations and is historically not fired on each value change.

This aligns the behavior to pat-auto-suggest from @​patternslib/patternslib.

Bug Fixes

... (truncated)

Commits
  • 2d546c0 Release new version.
  • 8b30efd maint(bundle): update release-it config for maintenance branch
  • 92bddbb Merge tag 5.6.6 into 5.6.x
  • b348e99 Merge pull request #1606 from plone/modal-fix-image-title-extraction
  • f36a28e fix(modal): title extraction method (jquery removed .context)
  • 44e54fd Release new version.
  • f53c36d Merge pull request #1603 from plone/querystring-select2-fix
  • cb83396 fix(pat querystring): fix issue with the new select2 native events where `e.v...
  • 8c201cf add plone.staticresources to checkouts.cfg (mxcheckouts.ini gets generated du...
  • d382645 fixing coredev robottests
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [tinymce](https://github.com/tinymce/tinymce/tree/HEAD/modules/tinymce) to 8.6.0 and updates ancestor dependency [@plone/mockup](https://github.com/plone/mockup). These dependencies need to be updated together.


Updates `tinymce` from 5.10.9 to 8.6.0
- [Changelog](https://github.com/tinymce/tinymce/blob/main/modules/tinymce/CHANGELOG.md)
- [Commits](https://github.com/tinymce/tinymce/commits/8.6.0/modules/tinymce)

Updates `@plone/mockup` from 5.1.12 to 5.6.7
- [Release notes](https://github.com/plone/mockup/releases)
- [Changelog](https://github.com/plone/mockup/blob/5.6.7/CHANGES.md)
- [Commits](plone/mockup@5.1.12...5.6.7)

---
updated-dependencies:
- dependency-name: tinymce
  dependency-version: 8.6.0
  dependency-type: indirect
- dependency-name: "@plone/mockup"
  dependency-version: 5.6.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants