-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Backport CVE-2024-34341 to trix v1 #1150
Comments
I was coming here to post the same thing. I know Trix is a separate product from Rails but Rails' maintenance policy is currently set to support the 6.1, 7.0 and 7.1 series. I'm on the 7.0 series and the latest of that series is still bound to Trix v1. It's just a peer dependency so I did try actually using Trix 2 and got no problem after some quick testing. But I'm unsure what unintended consequences that might have. |
This is the problem for us, we can't upgrade to 7.1 and this is the warning we get:
I'm not confident in using |
There are no plans to backport the fix to 1.3, I'm afraid. The 1.3. dev environment doesn't even run on modern Mac hardware with Apple silicon, so it'd be hard for me to validate any changes. Also, we validate 2.x releases against our products, so we're reasonably confident that they work. Can't do that with a 1.3 release. I'm not sure why ActionText 7.0 has pinned the dependency on Trix to 1.3.x. The main change from 1.3 to 2.x was the decaffeination of the code base, and then we've done maintenance work and added a few features, but 2.x should be compatible with 1.3, unless you're reaching to Trix innards. Looking at the code in ActionText 7.0 I don't see anything that's incompatible with Trix 2. I think the best way to resolve this would be to relax the dependency on ActionText 7.0 so you can use Trix 2 there. |
Hi, thanks for your answer
You mean to relax the dependency in a custom fork? Also, I can't see a branch related to v1, is it safe to assume that a " |
The dependency is just a peer dependency so you don't need to use a custom fork. You can just specify Trix 2 in your package.json. It will issue the above warning you posted but if @afcapel is correct and v2 is 100% compatible (I guess Trix isn't using semantic versioning?) there should be no further harm. Sounds like he is also suggesting that Rails issue an update to ActionText on the v7.0 line that allows v2 of Trix to remove the warning. I'm going open up an issue over on the Rails repo to suggest that. |
Thanks, I can see 1.3.2 has been released with the fix. I gusse that now the advisory should be updated with the proper affected versions: GHSA-qjqp-xr96-cj99 |
I've updated the description in our repo's advisory, but I think Github needs to update the description on their end. |
Thanks,
|
Hello,
is there by any chance the possibility to backport the fix for CVE-2024-34341 to v1 and release a new version?
The text was updated successfully, but these errors were encountered: