@astridx This is the correct pull request to update codemirror and tinymce.
It also updates:
+ jasmine-core@3.7.1
+ terser@5.6.1
+ codemirror@5.60.0
+ rollup@2.42.1
+ tinymce@5.7.1
+ @fortawesome/fontawesome-free@5.15.3
This PR updates several npm packages - would be good to get them merged asap so that any issues are found sooner rather than later
Of note are the following
**@rollup/plugin-replace**
The build script issues the following notice
- 'preventAssignment' currently defaults to false. It is recommended to set this option to `true`, as the next major version will default this option to `true`.
**jquery 3.6**
first release for almost a year.
see https://blog.jquery.com/2021/03/02/jquery-3-6-0-released/
**tinymce 5.7.0**
Can't see any changes that have an impact
see https://www.tiny.cloud/docs/changelog/#version570february102021
+ @rollup/plugin-babel@5.3.0
+ @popperjs/core@2.9.1
+ cropperjs@1.5.11
+ @babel/preset-env@7.13.10
+ @babel/plugin-transform-classes@7.13.0
+ @babel/plugin-transform-runtime@7.13.10
+ @rollup/plugin-node-resolve@11.2.0
+ @babel/core@7.13.10
+ codemirror@5.59.4
+ @rollup/plugin-replace@2.4.1
+ core-js@3.9.1
+ eslint@7.22.0
+ jquery@3.6.0
+ stylelint-scss@3.19.0
+ terser@5.6.0
+ eslint-plugin-vue@7.7.0
+ sass@1.32.8
+ tinymce@5.7.0
+ stylelint@13.12.0
+ vue-focus-lock@1.4.1
+ rollup@2.41.2
added 69 packages from 7 contributors, removed 10 packages, updated 81 packages and audited 1094 packages in 19.966s
The plugin was updated to 4.0.4 but I am still trying to get them to understand semantic versioning :(
The main issues of interest to us are :
1. We no longer need the css override for RTL template width
2. There is now no log message in the console log
This may be the last release of this plugin under the scope of paypal as the University of Illinois are really running it
SkipTo is a replacement for your old classic "Skipnav" link, (so please use it as such)! The SkipTo script creates a drop-down menu consisting of the links to important landmarks and headings on a given web page. The menu makes it easier for keyboard and screen reader users to quickly jump to the desired location by simply choosing it from the list of options.
Benefits
- All users can get an outline of the content on the page.
- Screen reader users can get a higher level navigation menu without having to use the screen reader landmark and header navigation commands which typically include longer lists of lower level headings and less used landmarks.
- Keyboard only users can more efficiently navigate to content on a page.
- Speech recognition users can use the menu to more efficiently navigate to content on a page.
How it works
- The SkipTo menu button is the first tabbable element on the page, and it is configured not to be visible when the page is loaded; the menu button becomes visible when it receives focus.
- Once the keyboard focus is on the menu button, pressing the ENTER or the SPACEBAR key will pull down the list of important landmarks and headings on the page.
- If you decide to reach the menu again, simply press the built-in access key alt+9
This plugin is enabled by default for the admin and can optionally be enabled for the frontend
This version addresses previous concerns about an additional dropdown menu js.
This version addresses previous concerns that the landmarks were not translatable.
To facilitate upgrades from previous beta releases I have added the list of removed files.
Thanks to the help of the people at https://github.com/paypal/skipto for adding some Joomla-specific changes
Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.7. **This update includes a security fix.**
<details>
<summary>Vulnerabilities fixed</summary>
<p><em>Sourced from <a href="https://github.com/advisories/GHSA-qqgx-2p2h-9c37">The GitHub Security Advisory Database</a>.</em></p>
<blockquote>
<p><strong>Prototype Pollution</strong></p>
<h3>Overview</h3>
<p>The <code>ini</code> npm package before version 1.3.6 has a Prototype Pollution vulnerability.</p>
<p>If an attacker submits a malicious INI file to an application that parses it with <code>ini.parse</code>, they will pollute the prototype on the application. This can be exploited further depending on the context.</p>
<h3>Patches</h3>
<p>This has been patched in 1.3.6</p>
<h3>Steps to reproduce</h3>
<p>payload.ini</p>
<pre><code>[__proto__]
polluted = "polluted"
</code></pre>
<p>poc.js:</p>
<pre><code>var fs = require('fs')
... (truncated)
</code></pre>
<p>Affected versions: &lt; 1.3.6</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="c74c8af35f"><code>c74c8af</code></a> 1.3.7</li>
<li><a href="024b8b55ac"><code>024b8b5</code></a> update deps, add linting</li>
<li><a href="032fbaf5f0"><code>032fbaf</code></a> Use Object.create(null) to avoid default object property hazards</li>
<li><a href="2da90391ef"><code>2da9039</code></a> 1.3.6</li>
<li><a href="cfea636f53"><code>cfea636</code></a> better git push script, before publish instead of after</li>
<li><a href="56d2805e07"><code>56d2805</code></a> do not allow invalid hazardous string as section name</li>
<li>See full diff in <a href="https://github.com/isaacs/ini/compare/v1.3.5...v1.3.7">compare view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for ini since your current version.</p>
</details>
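The bug class described in the advisory above, as an added example that is not part of the original pull request and not the `ini` package's code: a toy INI parser (hypothetical `parseIni`, constructed sample input) run once without and once with the two mitigations named in the commit list, a hazardous-section-name check and `Object.create(null)` containers.

```javascript
// Constructed sample: the advisory's payload.ini followed by a normal section.
const SAMPLE = '[__proto__]\npolluted = "polluted"\n[db]\nhost = localhost\n';

// Names that resolve to shared prototype machinery on ordinary objects.
const HAZARDOUS = new Set(['__proto__', 'constructor', 'prototype']);

// Toy parser (assumption: illustrative only). hardened=false reproduces the
// bug class; hardened=true applies both mitigations.
function parseIni(text, hardened) {
  const fresh = () => (hardened ? Object.create(null) : {});
  const out = fresh();
  let section = out;
  let skipping = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      skipping = hardened && HAZARDOUS.has(header[1]);
      // Unhardened: out['__proto__'] is Object.prototype, so the "section"
      // that later keys are written into is the prototype of every object.
      if (!skipping) section = out[header[1]] = out[header[1]] || fresh();
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (!kv || skipping) continue;
    const key = kv[1].trim();
    if (hardened && HAZARDOUS.has(key)) continue;
    section[key] = kv[2].trim().replace(/^"(.*)"$/, '$1');
  }
  return out;
}

// Parse the same input both ways and report what an unrelated object sees.
function demo() {
  parseIni(SAMPLE, false);
  const afterNaive = ({}).polluted;      // inherited by every plain object
  delete Object.prototype.polluted;      // restore the runtime before continuing
  const cfg = parseIni(SAMPLE, true);
  const afterHardened = ({}).polluted;
  return { afterNaive, afterHardened, host: cfg.db.host, hasProto: '__proto__' in cfg };
}

console.log(demo());
```

A regression test for a dependency bump like this one can assert the same property: after parsing untrusted INI input, a freshly created `{}` has no unexpected inherited keys.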
* Merge core and com_media builds
* Update PHPa build script
* Re-add 'development' mode back into build process
* Source maps for SCSS in dev mode
* Tweak webpack config
* Update CSS Loader to fix deprecation warning
Co-authored-by: George Wilson <georgejameswilson@googlemail.com>
Bumped npm to now be ~5.2.0
CHANGED toolbar_drawer setting to toolbar_mode. toolbar_drawer has been deprecated.
This was a new feature only just added to our implementation of tinymce
Codemirror was locked at a specific version that is now very old.
This PR changes the setting in package.json so that it follows semver
Codemirror has always been very good at following semver so this should be totally safe.
(the update process also updated tinymce at the same time)
* [4.0] Update Tinymce
TinyMCE follows semantic versioning. There is no reason that we should be locked down to an old patch release of 5.0.14 when the current is 5.1.5
Some help fixing the JavaScript in `build\build-modules-js\init.es6.js` to write the correct version number in the plugin xml would be appreciated
* Fix TinyMCE version in manifest file
* Fix CodeMirror version in manifest file
* Simplify version replacement
* xml
Co-authored-by: SharkyKZ <sharkykz@gmail.com>