Update to ckeditor 45.2.2 (once available)

https://github.com/ckeditor/ckeditor5/releases/tag/v45.2.2 is out.

The ckeditor team has confirmed that the vulnerability was introduced after 44.0.0 was tagged, so we don't need to do anything for 11.1 and 10.4.

Put up MR 13140.

Looks like ckeditor/essentials didn't get updated, which I'm guessing is because of this in core/scripts/js/assets/ckeditor5Files.js:

const ckeditor5PluginMapping = {
  'block-quote': 'blockquote',
  essentials: 'internal',
  'basic-styles': 'basic',
};

...

let library = pluginName.replace(/-./g, (match) => match[1].toUpperCase());
      // Special case for Drupal implementation.
      if (ckeditor5PluginMapping.hasOwnProperty(pluginName)) {
        library = ckeditor5PluginMapping[pluginName];
      }
      if (library === 'ckeditor5') {
        folder = 'ckeditor5/ckeditor5-dll';
      } else {
        library = `ckeditor5.${library}`;
      }
      fileList.push({
        pack,
        library,
        folder,
        files: buildFiles.map((absolutePath) => ({
          from: absolutePath.replace(`${ckeditor5package}/`, ''),
          to: absolutePath.replace(`${ckeditor5package}/build/`, ''),
        })),
      });

Looking at why essentials has special handling.

OK, looks like in https://git.drupalcode.org/project/drupal/-/commit/aa2f8c3 the library was renamed from ckeditor/internal to ckeditor/essentials, and the ckeditor5Files.js script was not updated to match. Pushed a commit to the MR to address.

Tests are green.

Opened MRs for 10.5.x, 10.6.x, and 11.2.x. Investigating 11.2.x MR test failure that isn't failing on 11.x.

The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

OK, bumping up ScriptBytes to 171060 fixes AssetAggregationAcrossPagesTest::testFrontAndRecipesPagesAuthenticated test, but I'm not sure why the aggregated script size would increase on the test pages, since CKEditor isn't on any of those pages AFAICT.

That is odd but I think we should go ahead here and open a new issue just to double check it's unrelated.

Everything else looks straightforwards so moving to RTBC.

OK, just checked and looks like the latest 11.2.x daily failed on the same test: https://git.drupalcode.org/project/drupal/-/jobs/6402181.

nod_ → closed merge request !13140

nod_ → closed merge request !13144

nod_ → closed merge request !13143

nod_ → closed merge request !13145

Committed 9f46196 and pushed to 11.x. Thanks!
Committed 90fc517 and pushed to 11.2.x. Thanks!
Committed 6a2c9c3 and pushed to 10.6.x. Thanks!
Committed 5cd6446 and pushed to 10.5.x. Thanks!

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.