- Type: Feature Request
- Status: Under Review
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: CKEditor
- Labels: None
In a heavily customized portal, it is difficult to migrate from one GA to another, as a lot of stuff needs to be verified. Various penetration tools usually concentrate on easy targets like JS library versions, not LR-specific issues, so the former have a higher priority for us.
The notable JS library in LR is CKEditor. If a new vulnerability is found, currently it is not very easy to apply the fix to the portal, as the library is customized by LR and released at its own pace.
If the new liferay-ckeditor is released, it is still problematic to build a module compatible with an older GA version.
One recent example:
When updating dependencies in frontend-editor\frontend-editor-ckeditor-web (for base tag 7.3.4-ga5):
- updating package.json from "liferay-ckeditor": "4.14.1-liferay.6" to "liferay-ckeditor": "4.16.0-liferay.1"
- reverting the bundle version in bnd.bnd from Bundle-Version: 4.0.15 to Bundle-Version: 4.0.14 (to keep the actual version used in the portal)
- building the module using: blade gw deploy
- deploying the module
we can update the CKEditor version to 4.16.0 DEV, rev. 6a53f931f.
However, there are incompatibilities preventing us from using this version in production:
Uncaught TypeError: b.stateShifter is not a function
TypeError: Cannot read property 'add' of undefined
Not sure what exactly is broken here, but in general, to improve security, it would be nice to have this updating process be as smooth as possible.