Update Supported Rails Versions for Trix v2 for CVE-2024-34341 #51778

Closed
eric-hemasystems opened this issue May 10, 2024 · 4 comments

Comments

@eric-hemasystems (Contributor)

Trix recently issued CVE-2024-34341 but they have indicated they are not interested in back-porting it to v1.

Supported versions of Rails prior to the 7.1.x series are currently tied to Trix v1. This means that if someone follows those version restrictions, supported versions of Rails prior to 7.1 have an unpatched CVE.

ActionText only has it as a peer dependency so you can update to v2 and just ignore the warning. But I'm unsure of unintended consequences of that due to the warning. On the Trix project, they indicate ActionText is not using anything that would be incompatible with v2 and it only moved to v2 because of the change in language. My own personal testing also confirmed no problems upgrading to v2.

I was wondering if it was possible to update all supported versions of Rails to allow Trix v2, to better indicate that running Trix v2 will work on all supported versions of Rails, by changing that peer dependency to be v1 or v2?

Steps to reproduce

yarn up trix

Expected behavior

Trix v2 should be able to run on all supported versions of Rails without warning.

Actual behavior

The following warning is issued:

warning " > @rails/actiontext@7.0.8-1" has incorrect peer dependency "trix@^1.3.1".

System configuration

Rails version: 7.0.x

Ruby version: N/A

eric-hemasystems changed the title from "Update Supported Rails Versions to Trix v2 for CVE-2024-34341" to "Update Supported Rails Versions for Trix v2 for CVE-2024-34341" on May 10, 2024
@jeremy (Member)

jeremy commented May 14, 2024

Thanks for raising, @eric-hemasystems. We'll backport to Trix 1.3.x in accordance with Rails' maintenance policy.

/cc @rafaelfranca @afcapel

@afcapel (Contributor)

afcapel commented May 15, 2024

I've just released Trix v1.3.2 with the backported patch.

@eric-hemasystems (Contributor, Author)

eric-hemasystems commented May 17, 2024

I haven't looked into this myself, but it looks like there is a report of an issue with that release.
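A lockfile audit for the situation discussed in this thread, added here as an example and not code from the Rails or Trix projects: it reads the yarn.lock (v1 format) entry for trix, flags a 1.x version below the 1.3.2 backport as unpatched for CVE-2024-34341, and predicts whether the trix@^1.3.1 peer range declared by @rails/actiontext 7.0.8 (the warning quoted in the report) will fire. The lockfile excerpt is constructed, all function names are mine, and treating every 2.x release as patched is an assumption, since the thread does not name the first fixed 2.x version.

```python
import re
from typing import Optional, Tuple

# Constructed yarn.lock (v1 format) excerpt; not taken from any real project.
SAMPLE_YARN_LOCK = '''\
"@rails/actiontext@^7.0.8":
  version "7.0.8-1"
  resolved "https://registry.yarnpkg.com/@rails/actiontext/-/actiontext-7.0.8-1.tgz"
  peerDependencies:
    trix "^1.3.1"

trix@^1.3.1:
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/trix/-/trix-1.3.1.tgz"
'''

# A top-level entry is "name@range:" (optionally quoted) followed by indented lines.
ENTRY_RE = re.compile(r'^"?(?P<name>@?[^@\s"]+)@[^\n]*:\n(?P<body>(?:[ \t]+[^\n]*\n?)+)', re.M)
VERSION_RE = re.compile(r'^\s+version "([^"]+)"', re.M)

def parse_version(v: str) -> Tuple[int, ...]:
    # "7.0.8-1" -> (7, 0, 8); the prerelease/build suffix after '-' is ignored
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def locked_version(lock_text: str, package: str) -> Optional[str]:
    # Resolved version of `package` as pinned in the lockfile, or None if absent
    for m in ENTRY_RE.finditer(lock_text):
        if m.group("name") == package:
            vm = VERSION_RE.search(m.group("body"))
            if vm:
                return vm.group(1)
    return None

def trix_status(version: str) -> str:
    v = parse_version(version)
    if v[0] == 1:
        # 1.3.2 is the backport release announced in the thread
        return "patched" if v >= (1, 3, 2) else "UNPATCHED (CVE-2024-34341)"
    # Assumption: the whole 2.x line carries the fix (thread names no exact 2.x version)
    return "patched (2.x line, assumed)" if v[0] >= 2 else "unknown"

def peer_warning_expected(trix_version: str) -> bool:
    # @rails/actiontext 7.0.8 declares peer dependency trix@^1.3.1: any 1.x >= 1.3.1 satisfies it
    v = parse_version(trix_version)
    return not (v[0] == 1 and v >= (1, 3, 1))

def audit(lock_text: str) -> dict:
    trix = locked_version(lock_text, "trix")
    if trix is None:
        return {"trix": None, "status": "trix not in lockfile", "peer_warning": False}
    return {"trix": trix, "status": trix_status(trix), "peer_warning": peer_warning_expected(trix)}

if __name__ == "__main__":
    print(audit(SAMPLE_YARN_LOCK))
```

Run it against a real yarn.lock by passing the file contents to `audit`; a result of "UNPATCHED" with `peer_warning: False` is exactly the quiet, vulnerable state the report describes.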
