refactor!: New installation method via ckeditor-package-tools 2.1.0 (#1)

Status: Merged. jamieconnelly merged 2 commits into main from new-installation-method on Oct 18, 2024.

Conversation

jamieconnelly force-pushed the new-installation-method branch from 6b401fc to 1420814 on October 18, 2024 at 06:52.
jamieconnelly requested a review from tony on October 18, 2024 at 06:53.
tony (Collaborator) left a comment:


LGTM

Tested locally:

[screenshot omitted]

jamieconnelly merged commit 045870f into main on Oct 18, 2024.
jamieconnelly deleted the new-installation-method branch on October 18, 2024 at 11:09.
tony added a commit that referenced this pull request on Feb 10, 2026 (commit message below):
Resolves [LOB-1522](https://linear.app/multiverse-io/issue/LOB-1522/ckeditor5-math-patch-vulnerabilities).

## Summary
- Patches all 14 open Dependabot alerts via yarn resolutions
- Reduced total `yarn audit` findings from 65 to 7
- Remaining 7 audit findings (babel-traverse, ajv, esbuild, postcss) were [already dismissed in Dependabot](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot?q=is%3Aclosed) in Feb 2025
- Additionally dismissed [glob isaul32#32](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/32) (`not_used` — CLI-only vuln, library API consumers unaffected)
- 11 atomic commits, one per vulnerable package (or batch)

## Vulnerabilities Addressed

### High Severity (3 patched)
| Package | From | To | CVEs | GHSA | Alert |
|---------|------|----|------|------|-------|
| qs | 6.13.0 | 6.14.1 | CVE-2025-15284 | GHSA-6rw7-vpxm-498p | [isaul32#36](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/36) |
| cross-spawn | 7.0.3 | 7.0.6 | CVE-2024-21538 | GHSA-3xgq-45jj-v275 | — (audit) |
| node-forge | 1.3.1 | 1.3.3 | CVE-2025-12816 | GHSA-5gfm-wpxj-wjgq | [isaul32#33](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/33) |

### Medium Severity (7 patched)
| Package | From | To | CVEs | GHSA | Alert |
|---------|------|----|------|------|-------|
| lodash / lodash-es | 4.17.21 | 4.17.23 | CVE-2025-13465 | GHSA-xxjr-mmjv-4gpg | [isaul32#42](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/42), [isaul32#41](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/41) |
| node-forge | 1.3.1 | 1.3.3 | CVE-2025-66030, CVE-2025-66031 | GHSA-65ch-62r8-g69g, GHSA-554w-wpv2-vw27 | [isaul32#35](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/35) |
| js-yaml | 3.13.1/3.14.1 | 4.1.1 | CVE-2025-64718 | GHSA-mh29-5h37-fv8m | [isaul32#31](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/31), [isaul32#30](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/30) |
| webpack-dev-server | 5.1.0 | 5.2.3 | CVE-2025-30360, CVE-2025-30359 | GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v | [isaul32#24](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/24), [isaul32#23](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/23) |
| http-proxy-middleware | 2.0.7 | 3.0.5 | CVE-2025-32996 | GHSA-4www-5p9h-95mh | [isaul32#22](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/22) |
| @babel/helpers | 7.25.7 | 7.28.6 | CVE-2025-27789 | GHSA-968p-4wvh-cqc8 | — (audit) |

### Low Severity (6 patched)
| Package | From | To | CVEs | GHSA | Alert |
|---------|------|----|------|------|-------|
| webpack | 5.95.0 | 5.105.0 | CVE-2025-68458, CVE-2025-68157 | GHSA-8fgc-7cc6-rx7x, GHSA-38r7-794h-5758 | [isaul32#52](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/52), [isaul32#51](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/51) |
| tmp | 0.2.3 | 0.2.5 | CVE-2025-54798 | GHSA-52f5-9888-hmc6 | [isaul32#27](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/27) |
| on-headers | 1.0.2 | 1.1.0 | CVE-2025-7339 | GHSA-76c9-3jph-rj3q | [isaul32#26](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/26) |
| debug | 3.2.6 | 4.4.3 | CVE-2017-16137 | GHSA-gxpj-cx7g-858c | — (audit) |
| brace-expansion | 1.1.11 | >=2.0.2 | CVE-2025-5889 | GHSA-v6h2-p8h4-qcjw | — (audit) |
| diff | 4.0.2/3.5.0 | 8.0.3 | CVE-2026-24001 | GHSA-73rr-hh4g-fpgx | — (audit) |
| minimatch | 3.0.4/3.1.2 | 10.1.2 | CVE-2022-3517 | GHSA-f8q6-p94x-37v3 | — (audit) |

## Remaining `yarn audit` Findings (7, all previously dismissed in Dependabot)
| Package | Version | Dependabot | Dismissed | Reason |
|---------|---------|------------|-----------|--------|
| babel-traverse | 6.26.0 | [#8](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/8) | 2025-02-20 | `not_used` — Istanbul test coverage tooling, code we trust |
| ajv | 5.5.2 | [#1](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/1) | 2025-02-20 | `tolerable_risk` — Theoretical proto pollution via crafted JSON schema in local toolchain |
| esbuild | 0.17.19 (×2) | [isaul32#19](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/19) | 2025-02-20 | `not_used` — Dev server not exposed to public internet |
| postcss | 7.0.39 (×2) | [#5](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/5) | 2025-02-20 | `tolerable_risk` — Stylelint/ckeditor dev tooling, no external untrusted CSS |
| glob | 7.2.3 | [isaul32#32](https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/32) | 2026-02-09 | `not_used` — CLI-only vuln, all consumers use library API |

## Changes
- 11 atomic commits, one per vulnerable package or batch
- All changes are in `package.json` (resolutions) and `yarn.lock`
- No source code changes

## Test Plan
- [x] `yarn install --frozen-lockfile` succeeds
- [x] `yarn lint` passes
- [ ] No test suite available for this repo (not in CI)

## Related
- Linear: [LOB-1522](https://linear.app/multiverse-io/issue/LOB-1522/ckeditor5-math-patch-vulnerabilities)
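The commit above patches transitive dependencies by forcing versions through `resolutions` in `package.json`. A practitioner reviewing such a change wants to confirm that every package named in the tables really is forced to at least its fixed version, and that no resolution silently uses a tag or range the lockfile could resolve below the fix. The following Node script is an added example for that check; it is not code from this PR or from the ckeditor5-math project. The minimum versions are copied from the "To" column of the tables above; the sample `package.json` it runs on is constructed for the example and is not the repository's file.

```javascript
// Added example: verify that a package.json "resolutions" block pins every
// package patched in the commit message above at or above its fixed version.
// Illustration code, not part of the PR or of ckeditor5-math; the sample
// package.json below is constructed and is not the repository's file.

// Minimum fixed versions, taken from the "To" column of the tables above.
const FIXED_VERSIONS = {
  'qs': '6.14.1',
  'cross-spawn': '7.0.6',
  'node-forge': '1.3.3',
  'lodash': '4.17.23',
  'lodash-es': '4.17.23',
  'js-yaml': '4.1.1',
  'webpack-dev-server': '5.2.3',
  'http-proxy-middleware': '3.0.5',
  '@babel/helpers': '7.28.6',
  'webpack': '5.105.0',
  'tmp': '0.2.5',
  'on-headers': '1.1.0',
  'debug': '4.4.3',
  'brace-expansion': '2.0.2',
  'diff': '8.0.3',
  'minimatch': '10.1.2',
};

// Parse a plain version or a simple minimum spec ("1.2.3", "^1.2.3", "~1.2.3",
// ">=1.2.3") into [major, minor, patch]. Anything else (tags like "latest",
// wildcards, compound ranges) returns null so the caller can flag it rather
// than silently accept it. Pre-release suffixes are tolerated but not ordered.
function parseVersion(spec) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Yarn resolution keys may be the bare package name or a nested path pattern
// such as "**/lodash-es" or "webpack-dev-server/**/qs"; both forms end with
// the package name, so match on that.
function findResolution(resolutions, name) {
  for (const [key, spec] of Object.entries(resolutions)) {
    if (key === name || key.endsWith('/' + name)) return spec;
  }
  return undefined;
}

// Returns one finding per package whose resolution is missing, not a concrete
// version, or below the fixed version. An empty array means every patched
// package is forced to at least the version the commit message says it is.
function checkResolutions(pkg, fixed = FIXED_VERSIONS) {
  const resolutions = (pkg && pkg.resolutions) || {};
  const findings = [];
  for (const [name, minVersion] of Object.entries(fixed)) {
    const spec = findResolution(resolutions, name);
    if (spec === undefined) {
      findings.push({ name, status: 'missing', spec: null, minVersion });
      continue;
    }
    const got = parseVersion(spec);
    if (got === null) {
      findings.push({ name, status: 'unparseable', spec, minVersion });
      continue;
    }
    if (compareVersions(got, parseVersion(minVersion)) < 0) {
      findings.push({ name, status: 'too-low', spec, minVersion });
    }
  }
  return findings;
}

// Constructed sample package.json (not the repository's file).
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample',
  resolutions: {
    'qs': '6.13.0',             // still the vulnerable version: reported
    'cross-spawn': '^7.0.6',    // caret on the fixed version is accepted
    '**/lodash-es': '4.17.23',  // nested-path key form is accepted
    'node-forge': '1.3.3',
    'brace-expansion': '>=2.0.2',
    'webpack': 'latest',        // not a concrete version: reported
  },
};

// Run on the sample: prints findings for qs, webpack and the ten packages
// that have no resolution at all.
console.log(JSON.stringify(checkResolutions(SAMPLE_PACKAGE_JSON), null, 2));
```

Point the script at the real `package.json` by replacing `SAMPLE_PACKAGE_JSON` with the parsed file. The version parser deliberately accepts only bare versions and the simple `^`, `~` and `>=` prefixes; a resolution written as a tag or a compound range is reported as `unparseable` so that a reviewer looks at it instead of trusting it. A passing check here only says what the manifest asks for; the commit's own test plan (`yarn install --frozen-lockfile` followed by `yarn audit`) is what confirms the lockfile actually resolved to those versions.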