- π³π΄Norway steinmb
Move to feature req. and they are normally never critical.
- π¬π§United Kingdom JamesOakley Kent, UK
"Never normally critical" may generally be true. But what we're discussing here is a security vulnerability fixed and published upstream by CKEditor (in March 2022), leading the Drupal security team to release a core update to ensure Drupal 9.x and above does not use the vulnerable library. Drupal 7 needs this module to power the editor, and this module does not support the versions of CKEditor that incorporate the security fix.
I'd say allowing site maintainers to update the CKEditor library to one without vulnerabilities is more pressing than "normal".
- πΈπͺSweden twod Sweden
No specific CKEditor 4 version is not bundled with Wysiwyg module and there is nothing preventing anyone from installing 4.18 or any newer version.
The message you see if you do install a newer version really only means we can't guarantee an update does not need a migration path to automatically reconfigure the editor profile to compensate for changes outside the current range. The CKEditor team have been very good at keeping with the promises of semantic versioning and 4.x has been very stable for a long time so I doubt anyone would actually have any issues.Admittedly, I could have done a better job of publishing new versions of Wysiwyg module, but since it's just a warning message I've not considered it critical so far.
I'll see if I can get some time this weekend and pull together some cleanup patches for a new release, including bumping any "supported version" ranges as needed.
Many thanks again to @steinmb, who is plowing through the issue queue, reminding me there are still things to do here, and that it would not be wasted time to keep D7 contrib modules rolling.
- Status changed to Closed: duplicate
about 1 year ago 2:26pm 26 October 2023 - πΊπΈUnited States hargobind Austin, Texas
Now that β¨ Update to CKEditor 4.21.0 Fixed has been committed and released, I'm marking this issue as a duplicate.
I've been running a few sites with patch #2 in production for a long time and never ran into #6.
I added @davidrobinson_pw's comments from #5 to the issue where the fix was committed. Please continue the discussion there if the upgrade with spellchecker is still a problem.