🚨 [security] [ruby] Update action_text-trix 2.1.16 → 2.1.17 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ action_text-trix (indirect, 2.1.16 → 2.1.17) · Repo · Changelog

Security Advisories 🚨

🚨 Trix has a Stored XSS vulnerability through serialized attributes

Impact

The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.

References

The XSS vulnerability was responsibly reported by Hackerone researcher newbiefromcoma.

Commits

See the full diff on Github. The new version differs by 18 commits:

• v2.1.17
• Merge pull request #1282 from basecamp/h1-3581911-serialized-attr
• Fix stored XSS via data-trix-serialized-attributes sanitizer bypass (H1 #3581911)
• Merge pull request #1239 from Cromian/patch-1
• Merge pull request #1280 from basecamp/fix-bullets-merging-with-prior-element
• Fix bullets merging with prior elements when the first node is removed
• Merge pull request #1275 from basecamp/flavorjones/wtr-failure-messages
• Use source-map to get better test failure messages
• Test runner reporter emits failure details
• Merge pull request #1276 from basecamp/flavorjones/ci-green-20260109
• Update the copyright in trix.js
• Add Ruby 4 to the testing matrix
• Get downstream Rails tests passing again
• ci: enable workflow dispatch via the UI
• Merge pull request #1272 from basecamp/flavorjones/replace-karma-with-wtr
• Add test progress reporting in local dev
• Restore Android browser testing to Sauce Labs configuration
• Replace Karma with `@web/test-runner`

↗️ json (indirect, 2.18.1 → 2.19.1) · Repo · Changelog

Release Notes

2.19.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

2.19.0

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Release 2.19.1
• Add missing GC_GUARD in `fbuffer_append_str`
• Release 2.19.0
• fbuffer.h: Use size_t over unsigned long
• Add depth validation to Jruby and TruffleRuby implementations
• Reject negative depth; add overflow guards to prevent hang/crash
• Fix `allow_blank` parsing option to only consider strings.
• Reimplement `to_json` methods in Ruby
• Remove unused load_uint8x16_4 function.
• Use single quotes for allow_invalid_escape doc
• Add `allow_invalid_escape` parsing option
• Remove bignum warnings
• Remove unused method in JSONGeneratorTest
• [DOC] Another link fix
• [DOC] Fix links
• Stop using RB_ALLOCV
• Cleanup function delecarations
• Remove codepaths under !RUBY_INTEGER_UNIFICATION

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)