Skip to content

Bump tinymce and @tinymce/tinymce-react#17

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-be3d0683e7
Open

Bump tinymce and @tinymce/tinymce-react#17
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-be3d0683e7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Copy link
Copy Markdown

Bumps tinymce and @tinymce/tinymce-react. These dependencies needed to be updated together.
Updates tinymce from 6.3.1 to 8.6.0

Changelog

Sourced from tinymce's changelog.

8.6.0 - 2026-06-03

Security

  • Updated DOMPurify version to 3.4.5. #TINY-14430

8.5.1 - 2026-05-19

Security

  • Fixed media plugin data-mce-object injection leading to stored XSS. #TINY-14357
  • Fixed stored XSS vulnerability through mce:protected comments. #TINY-14353
  • Fixed stored XSS vulnerability through data-mce- prefixed src, href, style attributes. #TINY-14333

8.5.0 - 2026-04-29

Added

  • New content_language option to set the lang attribute on the iframe's html element or the inline editor's target element. #TINY-11214

Improved

  • Improved visual styling of inline diff highlights in Suggested Edits and TinyMCE AI plugin. #TINY-13958

Fixed

  • Script and style elements would incorrectly be removed by DomPurify when considered valid in the schema. #TINY-9655
  • Iframe elements with children would incorrectly be removed by DomPurify. #TINY-9655
  • Certain combinations of divs inside of lists would cause issues turning off lists. #TINY-14070
  • Certain selections would delete the editor body, causing issues. #TINY-14149
  • URIs with non-Latin1 characters were returning an error. #TINY-13938
  • Alert and confirm dialogs were not announced properly by some screen readers. #TINY-13812

8.4.0 - 2026-03-31

Added

  • New view_show option to display a specified view on initialization. #TINY-11967
  • New errorHandler option for dropzone dialog components. #TINY-13420
  • The noneditable feature can now be disabled with the new allow_noneditable option. #TINY-10121
  • Editor option content_id for uniquely identifying the edited document. #TINY-13379
  • New table_default_header_rows and table_default_header_cols options to set the default header size for new tables #TINY-13391

Improved

  • The file upload feature of link and image dialogs now provide feedback when an unsupported file type is selected. #TINY-13420
  • Directionality buttons now only appear active when directionality is set on the selected block. #TINY-13337
  • Directionality buttons now always toggle the directionality attribute on selected blocks. #TINY-13337

Changed

  • The border-color style with multiple rgb colors would be compressed into border incorrectly #TINY-13393
  • Element Path now uses the ARIA-role "group" with an aria-label #TINY-13338

Fixed

  • Now link dialog allows uploading empty files. #TINY-13421
  • The link dialog now allows uploading empty files. #TINY-13421
  • Bundled content CSS is now loaded into preview iframes. #TINY-13190

... (truncated)

Commits
  • 855e368 TINY-14412: Stabilise changelog for 8.6 release
  • 15fb98d TINY-14412: Update version for 8.6.0 release
  • 9cd93d9 TINY-14430: Updated dompurify to 3.4.5 (#11120)
  • cdeb5c1 TINY-14224: Bump version for next patch release
  • 03573dd TINY-14224: Fix failing test for 8.5.1 patch release
  • e0d0804 TINY-14224: Lint fix for 8.5.1 patch release
  • c46e8ee TINY-14224: Add changelog for 8.5.1 patch release
  • 8da3e85 TINY-14357: Fixed data-mce-object injection (#18)
  • 3507b58 TINY-14353: Fixed stored XSS vulnerability through mce:protected comments (...
  • 19f56a7 TINY-14333: Fixed stored XSS vulnerability through data-mce- prefixed src...
  • Additional commits viewable in compare view

Updates @tinymce/tinymce-react from 3.14.0 to 6.3.0

Changelog

Sourced from @​tinymce/tinymce-react's changelog.

6.3.0 - 2025-07-31

Changed

  • Set the default cloudChannel to 8. #INT-3350
  • Updated peer dependency to support tinymce 8. #INT-3350

6.2.1 - 2025-06-03

Fixed

  • Project build failure caused by a missing @tinymce/miniature dependency. #INT-3347

6.2.0 - 2025-05-29

Changed

  • The disabled property now toggles the disabled option. #TINY-11906

Added

  • Added readonly property that can be used to toggle the readonly mode. #TINY-11906

6.1.0 - 2025-03-31

Added

  • Support for react version ^19.0.0 by updating the react and react-dom in the peerDependencies to ^19.0.0

Fixed

  • The onEditorChange callback was called three times when content was inserted with insertContent editor API. #INT-3226

6.0.0 - 2025-02-21

Fixed

  • Updated dependencies. #INT-3324

Changed

  • Moved tinymce dependency to peerDependencies, as well as making it optional. #INT-3324

5.1.0 - 2024-06-11

Added

5.0.0 - 2024-03-27

Added

  • Added licenseKey property that overrides the TinyMCE license_key init property. #INT-3291
  • Added events onInput, onCompositionEnd, onCompositionStart & onCompositionUpdate. #INT-3291
  • Added a JSDoc link to the TinyMCE 7 React Technical Reference docs page. #INT-3291

Improved

  • Improved cloudChannel type. #INT-3291
  • Updated to Storybook v8 and it now uses react-vite as a bundler/builder instead of webpack. #INT-3291

... (truncated)

Commits
  • 1ca4804 INT-3357: Prepare for release (#597)
  • 6d409aa INT-3350: Update to work with TinyMCE 8 (#596)
  • f5a9520 Update version for next patch release
  • 53b0be1 INT-3345: Prepare for a hotfix release (#594)
  • 6a788a0 INT-3347: Fix build failure due to @​tinymce/miniature was missing in dependen...
  • 3b916c6 Update version for next patch release
  • b4a0ead INT-3345: Prepare for release (#589)
  • 8ceeac1 TINY-11906: Enable support for readonly mode (#588)
  • 4ce80bb Update version for next patch release
  • 574ec1d Prepare for release 6.1 (#586)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [tinymce](https://github.com/tinymce/tinymce/tree/HEAD/modules/tinymce) and [@tinymce/tinymce-react](https://github.com/tinymce/tinymce-react). These dependencies needed to be updated together.

Updates `tinymce` from 6.3.1 to 8.6.0
- [Changelog](https://github.com/tinymce/tinymce/blob/main/modules/tinymce/CHANGELOG.md)
- [Commits](https://github.com/tinymce/tinymce/commits/8.6.0/modules/tinymce)

Updates `@tinymce/tinymce-react` from 3.14.0 to 6.3.0
- [Changelog](https://github.com/tinymce/tinymce-react/blob/main/CHANGELOG.md)
- [Commits](tinymce/tinymce-react@3.14.0...6.3.0)

---
updated-dependencies:
- dependency-name: tinymce
  dependency-version: 8.6.0
  dependency-type: direct:production
- dependency-name: "@tinymce/tinymce-react"
  dependency-version: 6.3.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants