Update Supported Rails Versions for Trix v2 for CVE-2024-34341 #51778
Comments
eric-hemasystems changed the title from "Update Supported Rails Versions to Trix v2 for CVE-2024-34341" to "Update Supported Rails Versions for Trix v2 for CVE-2024-34341" on May 10, 2024
Thanks for raising, @eric-hemasystems. We'll backport to Trix 1.3.x in accordance with Rails' maintenance policy.
I've just released Trix v1.3.2 with the backported patch.
Rails versions were also released: https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-2-and-7-1-3-3-have-been-released
I haven't looked into this myself, but it looks like there is a report of an issue with that release.
Trix recently issued CVE-2024-34341 but they have indicated they are not interested in back-porting it to v1.
Supported versions of Rails prior to the 7.1.x series are currently tied to Trix v1. This means that if someone follows those version restrictions, supported versions of Rails prior to 7.1 have an unpatched CVE.
ActionText only has it as a peer dependency so you can update to v2 and just ignore the warning. But I'm unsure of unintended consequences of that due to the warning. On the Trix project, they indicate ActionText is not using anything that would be incompatible with v2 and it only moved to v2 because of the change in language. My own personal testing also confirmed no problems upgrading to v2.
I was wondering if it was possible to update all supported versions of Rails to allow Trix v2, to better indicate that running Trix v2 will work on all supported versions of Rails, by changing that peer dependency to be v1 or v2?
Steps to reproduce
Expected behavior
Trix v2 should be able to run on all supported versions of Rails without warning.
Actual behavior
The following warning is issued:
System configuration
Rails version: 7.0.x
Ruby version: N/A
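As an added example (not code from the actiontext or trix projects), the check below takes an app's resolved trix version and reports whether it satisfies actiontext's trix peerDependency range and whether it is at or above the CVE-2024-34341 patched floor. The 1.x floor (1.3.2) comes from this thread; the "^1.3.1" and "^2.0.0" ranges, and the 2.x floor, are assumptions to be replaced with the values from your actiontext package.json and the Trix advisory.

```ruby
require "rubygems"

# Patched floors per major line. 1.3.2 is the backported release named in this
# issue; the 2.x value is an ASSUMED placeholder, not taken from the page.
ASSUMED_TRIX_2_PATCHED = "2.0.0"
PATCHED_FLOORS = {
  1 => Gem::Version.new("1.3.2"),
  2 => Gem::Version.new(ASSUMED_TRIX_2_PATCHED),
}.freeze

# Translate one npm caret spec into a Gem::Requirement.
# "^1.3.1" means >= 1.3.1 and < 2.0.0 (npm semantics for major >= 1; the
# special major-0 rules are not handled, trix has no such releases).
def caret_to_requirement(spec)
  m = spec.strip.match(/\A\^(\d+)\.(\d+)\.(\d+)\z/)
  raise ArgumentError, "only caret specs are handled: #{spec.inspect}" unless m
  major, minor, patch = m.captures.map(&:to_i)
  Gem::Requirement.new(">= #{major}.#{minor}.#{patch}", "< #{major + 1}.0.0")
end

# Does the resolved version satisfy an npm range such as "^1.3.1 || ^2.0.0"?
def satisfies_peer?(version, peer_range)
  v = Gem::Version.new(version)
  peer_range.split("||").any? { |spec| caret_to_requirement(spec).satisfied_by?(v) }
end

# Is the resolved version at or above the patched floor for its major line?
def patched?(version, floors = PATCHED_FLOORS)
  v = Gem::Version.new(version)
  floor = floors[v.segments.first]
  !floor.nil? && v >= floor
end

# Combine both checks into the decision a maintainer would act on.
def audit_trix(version, peer_range:, floors: PATCHED_FLOORS)
  peer_ok = satisfies_peer?(version, peer_range)
  fixed = patched?(version, floors)
  action = if !fixed then "upgrade trix: vulnerable to CVE-2024-34341"
           elsif !peer_ok then "patched, but outside actiontext's peerDependency range (warning expected)"
           else "ok"
           end
  { version: version, peer_ok: peer_ok, patched: fixed, action: action }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the assumed current 7.0 range versus the range proposed in this issue.
  puts audit_trix("2.1.0", peer_range: "^1.3.1")
  puts audit_trix("2.1.0", peer_range: "^1.3.1 || ^2.0.0")
  puts audit_trix("1.3.1", peer_range: "^1.3.1")
end
```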