backdrop / backdrop-issues

Issue tracker for Backdrop core.

[ONGOING] Keep CKEditor 5 up to date (preferably with each minor release, unless it is a security-related update) #6695

Open quicksketch opened 1 month ago

quicksketch commented 1 month ago

Continuing from https://github.com/backdrop/backdrop-issues/issues/6481, this issue is to track updating to the latest CKEditor 5 version.

Originally filed by @klonos:

It would be nice to be updating to the latest release regularly (I am proposing with each minor release - we could do it in the 2 weeks between feature freeze and final release). ...if we don't keep up and we are several versions behind, then if a security release comes out we risk rushing to release the secure version, which might be introducing breaking changes, and we won't have enough time to test/adjust/fix things.

We are currently shipping core with v5, build 42.0.2.

https://ckeditor.com/blog/categories/releases highlights the main improvements with new releases:

More versions will probably be released before we do the next update.

More resources related to releases

Core functionality checklist

indigoxela commented 1 month ago

@quicksketch should I create an individual issue per version, or is it OK to attach PRs here (until we close it as confusing). :wink: We should put our checklist somewhere, so maybe an issue per version makes sense?

Currently version 43.1.0 is the latest. Big relief: they didn't touch the DLL (build) concept, yet, so our approach still works. Even without changing anything besides the library. https://github.com/backdrop/backdrop/pull/4875

quicksketch commented 1 month ago

Let's use this issue until we manage to merge a CKEditor version into core, then we'll relabel this issue "Update CKEditor to version xx.yy.zz". Then we'll make another issue to track updating to the next latest version again.

Even without changing anything besides the library.

That's great! If it's truly compatible, we might be able to put it into a minor release? i.e. 1.29.1

indigoxela commented 1 month ago

If it's truly compatible, we might be able to put it into a minor release? i.e. 1.29.1

I believe @klonos suggested to update CKE in minor releases - unless security related, which doesn't seem to apply to v43.1.0 or v43.0.0.

We already win, if we're not falling behind too far, and if we have tested in-between versions (merged or not), so a security update doesn't force us to rush in huge (unknown) changes. There are usually hundreds of commits per CKE minor release. Impossible for us to determine which ones are relevant for us.

indigoxela commented 2 weeks ago

Time to update CKEditor again. Here's now 43.2.0 and it does seem to work just fine - needs more thorough testing, though, as usual.

There has been a security advisory for v43.1.1 (the previous version), but note that this is a "theoretical and unexploitable" issue, and furthermore is irrelevant for Backdrop, as we're not using the block toolbar, anyway. I believe we can safely ignore that.

quicksketch commented 2 weeks ago

I checked and we do actually have the BlockToolbar plugin bundled into our ckeditor5-dll.js file, however it's not enabled out of the box and it's not even possible to enable via the UI or through config; you would have had to enable it via custom code. Unless it's possible to exploit, an isolated bug that cannot be reached does not warrant a security release (or even a security announcement). It would be good to update nonetheless. As a general statement (not specific to @indigoxela), if it is found that it is possible to exploit please write an email to security@backdropcms.org, see reporting a security vulnerability documentation.

indigoxela commented 1 week ago

Rebased, a fresh sandbox is ready for testing. :wink: