⬆️ Update dependency @tiptap/extension-link to v2.10.4 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@tiptap/extension-link (source)	2.1.12 → 2.10.4

---

@​tiptap/extension-link vulnerable to Cross-site Scripting (XSS)

CVE-2025-14284 / GHSA-vhrc-hgrq-x75r

More information

Details

Versions of the package @​tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction.

Severity

• CVSS Score: 2.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-14284
• https://github.com/ueberdosis/tiptap/commit/1c2fefe3d61ab1c8fbaa6d6b597251e1b6d9aaed
• https://gist.github.com/th4s1s/3d1b6cd3e7257b14947242f712ec6e1f
• https://github.com/ueberdosis/tiptap/releases/tag/v2.10.4
• https://security.snyk.io/vuln/SNYK-JS-TIPTAPEXTENSIONLINK-14222197
• https://github.com/advisories/GHSA-vhrc-hgrq-x75r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ueberdosis/tiptap (@​tiptap/extension-link)

v2.10.4

Compare Source

What's Changed

• Fixed Link extension's commands not respecting XSS prevention via unallowed protocols by @​bdbch in #​5945
• Publish a new stable version by @​github-actions in #​5947

Full Changelog: ueberdosis/tiptap@v2.10.3...v2.10.4

v2.10.3

Compare Source

What's Changed

• fix(link): change type HTMLLinkElement to HTMLAnchorElement (#​5858)
• fix(character-count): setting content larger than limit should truncate #​5851 (#​5862)
• fix(list-keymap): prevent selection deletions at the end of list items from joining lists (#​5863)
• fix(code): more robust regex for text enclosed in backticks #​4467 (#​4468)
• fix(core): update types to match prosemirror-view #​5867
• fix(react): useIsomorphicLayoutEffect instead to support SSR #​5872

Full Changelog: ueberdosis/tiptap@v2.10.2...v2.10.3

v2.10.2

Compare Source

What's Changed

• fix: revert type changes introduced with 2.10 #​5859 by @​nperez0111 in #​5860
• Publish a new stable version by @​github-actions in #​5861

Full Changelog: ueberdosis/tiptap@v2.10.1...v2.10.2

v2.10.1

Compare Source

What's Changed

• fix(core): update the typings to be that options and storage are partials on an extended config #​5852 by @​nperez0111 in #​5854
• Publish a new stable version by @​github-actions in #​5855

Full Changelog: ueberdosis/tiptap@v2.10.0...v2.10.1

v2.10.0

Compare Source

What's Changed

• feat(core): allow nodes and fragments to be inserted into the editor using insertContentAt command #​5764 by @​nperez0111 in #​5766
• fix: properly transform paste/input rules by @​nperez0111 in #​5545
• build(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 by @​dependabot in #​5727
• build(deps): bump actions/cache from 4.1.0 to 4.1.1 by @​dependabot in #​5728
• docs: update link in input and paste rules docstrings by @​HigherOrderLogic in #​5771
• fix: add zero-width space to resolve cursor selection issue by @​guarmo in #​5774
• build(deps): bump actions/cache from 4.1.1 to 4.1.2 by @​dependabot in #​5776
• fix(core): update the typing of addOptions, addStorage to have an optional parent #​5768 by @​nperez0111 in #​5770
• fix: preserve attributes of set node by @​guarmo in #​5781
• fix(table): set min-width to by @​Ragnar-Oock in #​5464
• docs: add drag handle demo for React by @​Hector-Chong in #​5783
• improve updateAttributes by @​silenius in #​5738
• Add element to shouldShow in BubbleMenuPlugin by @​alanpoulain in #​5790
• feat: accessibility improvements by @​nperez0111 in #​5758
• fix(react): allow react 19 by @​nperez0111 in #​5807
• Update package.json by @​solvsoft in #​5800
• refactor: adjust validate and add shouldAutoLink to improve URL handling by @​guarmo in #​5808
• fix(vue-3): Transition with editor destruction by @​Ericlm in #​5772
• List Keymap: Fix backspace behavior when selection is not collapsed by @​juraj98 in #​5810
• fix(link): add backwards compat by deprecating validate and using isAllowedUri instead by @​nperez0111 in #​5812
• feat: add once to EventEmitters by @​nperez0111 in #​5818
• Add Node linebreakReplacement support and enable on hardBreak nodes by @​glenn-allen in #​5821
• build(deps): bump cypress-io/github-action from 6.7.6 to 6.7.7 by @​dependabot in #​5823
• fix(react): useLayoutEffect instead of useEffect to cut down on reflow by @​nperez0111 in #​5825
• fix(bubble-menu): avoid bluring if event is on the editor #​3471 by @​nperez0111 in #​5835
• Publish a new pre-release version by @​github-actions in #​5769
• Font-family extension: Prevent removal of quotes in parseHTML by @​SanderLeenders in #​5828
• added pre-checkout hook that automatically should enter pre modes by @​bdbch in #​5837
• fix(core): getMarkRange match only the current mark of a type #​3872 by @​nperez0111 in #​5826
• Prevent null pointer exception in BubbleMenu by @​felixgabler in #​5842
• fix(react): improve React 19 compatibility by using JSX transform instead #​5846 by @​nperez0111 in #​5848
• Publish a new stable version by @​github-actions in #​5843

New Contributors

• @​HigherOrderLogic made their first contribution in #​5771
• @​Ragnar-Oock made their first contribution in #​5464
• @​Hector-Chong made their first contribution in #​5783
• @​alanpoulain made their first contribution in #​5790
• @​solvsoft made their first contribution in #​5800
• @​juraj98 made their first contribution in #​5810
• @​glenn-allen made their first contribution in #​5821
• @​felixgabler made their first contribution in #​5842

Full Changelog: ueberdosis/tiptap@v2.9.1...v2.10.0

v2.9.1

Compare Source

What's Changed

• fix(lists): bullet-list and ordered-list no longer depend on list-item or text-style extensions #​5707 by @​nperez0111 in #​5756
• Publish a new pre-release version by @​github-actions in #​5757

Full Changelog: ueberdosis/tiptap@v2.9.0...v2.9.1

v2.9.0

Compare Source

What's Changed

• docs: update the typings for DecorationWithType to be more accurate by @​nperez0111 in #​5692
• fix: add extension-text-style as a dep of @​tiptap/starter-kit #​5691 by @​nperez0111 in #​5693
• Fixes resizeable columns when the first row has a colspan by @​jaapvanhoek in #​4955
• build(deps): bump actions/cache from 4.0.2 to 4.1.0 by @​dependabot in #​5704
• Fix NodePos logic for child position calculation and attribute changes by @​bdbch in #​5716
• Fix getMarkRange not finding marks when at the start of a mark by @​bdbch in #​5717
• Fix editor destruction at the end of Vue transition by @​Ericlm in #​5648
• Improve accessibility on the editor DOM element by @​bdbch in #​5734
• Add clear mark parse rules to bold & italic marks by @​mgreystone in #​5705
• Update mention extension's priority by @​kart-c in #​5687
• Update styles.scss by @​tk-425 in #​5732
• fix(core): respect the editor's parseOptions by @​nperez0111 in #​5742
• fix(react): preserve editable option across renders by @​guarmo in #​5745
• feat: in a collab setting, disable transactions that are trying to sync invalid content by @​nperez0111 in #​5207
• Publish a new stable version by @​github-actions in #​5751

New Contributors

• @​jaapvanhoek made their first contribution in #​4955
• @​Ericlm made their first contribution in #​5648
• @​tk-425 made their first contribution in #​5732
• @​guarmo made their first contribution in #​5745

Full Changelog: ueberdosis/tiptap@v2.8.0...v2.9.0

v2.8.0

Compare Source

#​5669

What's Changed

• build: type definitions are only emitted for a single package's code by @​nperez0111 in #​5665
• fix(core): onDrop and onPaste only registered when defined #​5681 by @​nperez0111 in #​5684
• feat(CharacterCount): Add counter function to CharacterCount extension. by @​ho991217 in #​5674
• Publish a new pre-release version by @​github-actions in #​5669

New Contributors

• @​ho991217 made their first contribution in #​5674

Full Changelog: ueberdosis/tiptap@v2.7.4...v2.8.0

v2.7.4

Compare Source

#​5667

What's Changed

• Add editorContainerProps to EditorProvider by @​kart-c in #​5661
• fix(core): dereference editor from DOM element on destroy #​5654 by @​nperez0111 in #​5666
• Publish a new pre-release version by @​github-actions in #​5667

New Contributors

• @​kart-c made their first contribution in #​5661

Full Changelog: ueberdosis/tiptap@v2.7.3...v2.7.4

v2.7.3

Compare Source

#​5652 (comment)

What's Changed

• fix: update zeed-dom version for style support #​5352 by @​nperez0111 in #​5640
• Add Poggio to sponsors list by @​ConnorDoyle in #​5645
• build(deps-dev): bump rollup from 4.20.0 to 4.22.4 by @​dependabot in #​5647
• fix(react): Fix incorrect extensionAttributes value by @​YaoKaiLun in #​5588
• build(deps-dev): bump vite from 5.4.1 to 5.4.6 by @​dependabot in #​5629
• refactor: make NodeViewProps an interface again by @​nperez0111 in #​5658
• Publish a new pre-release version by @​github-actions in #​5652

New Contributors

• @​ConnorDoyle made their first contribution in #​5645

Full Changelog: ueberdosis/tiptap@v2.7.2...v2.7.3

v2.7.2

Compare Source

#​5631

What's Changed

• fix(vue-3): late-registering plugins by @​svenadlung in #​5616
• Publish a new pre-release version by @​github-actions in #​5631

Full Changelog: ueberdosis/tiptap@v2.7.1...v2.7.2

v2.7.1

Compare Source

#​5627

What's Changed

• Fix Slice import in DropPlugin by @​gerardva in #​5626
• build(deps): bump micromatch and lint-staged by @​dependabot in #​5628
• build(deps-dev): bump webpack from 5.93.0 to 5.94.0 by @​dependabot in #​5572
• build(deps-dev): bump svelte from 4.2.18 to 4.2.19 by @​dependabot in #​5571
• build(deps): bump cypress-io/github-action from 6.7.2 to 6.7.6 by @​dependabot in #​5603
• build(deps): bump slackapi/slack-github-action from 1.26.0 to 1.27.0 by @​dependabot in #​5582
• build(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0 by @​dependabot in #​5581
• Publish a new pre-release version by @​github-actions in #​5627

New Contributors

• @​gerardva made their first contribution in #​5626

Full Changelog: ueberdosis/tiptap@v2.7.0...v2.7.1

v2.7.0

Compare Source

#​5511

What's Changed

• fix: update pm versions by @​nperez0111 in #​5488
• chore: rebuild pjson by @​nperez0111 in #​5513
• refactor(react): default to using deep equal comparisons by @​nperez0111 in #​5512
• Updating ReactNodeViewRenderer element's attributes when the node updates by @​YaoKaiLun in #​5494
• refactor(core): update typings for NodeViews to be accurate to implementation #​5483 by @​nperez0111 in #​5526
• Fix for #​5490 - Adds preventClearDocument meta + makes it easier to disable specific core plugins. by @​AlansCodeLog in #​5514
• Prevent onBlur being trigged when task item is toggled by @​jarlef in #​5520
• fix(suggestion): sometimes a suggestion would not show up (#​4380) by @​nperez0111 in #​5531
• fix: preserve attributes of toggled node #​3644 by @​nperez0111 in #​5489
• Use parent window for cross-frame instantiation by @​bdbch in #​5534
• feature(core): add onPaste and onDrop events to editor by @​bdbch in #​4843
• Core: Fix styles being duplicated on mergeAttributes function by @​sifat009 in #​4610
• fix: Broken text replacement feature (macOS-only) by @​rfgamaral in #​5261
• feat: Add data attribute on ReactNodeView mounting div to assist styling by @​WilliamIPark in #​5539
• fix(suggestion): dropdown can't be closed with Esc (#​4380) by @​rfgamaral in #​5544
• fix(extension-code-block-lowlight): support for lowlight v3 aliases by @​Ilya-Iskra in #​5551

New Contributors

• @​YaoKaiLun made their first contribution in #​5494
• @​AlansCodeLog made their first contribution in #​5514
• @​jarlef made their first contribution in #​5520
• @​sifat009 made their first contribution in #​4610
• @​Ilya-Iskra made their first contribution in #​5551

Full Changelog: ueberdosis/tiptap@v2.6.6...v2.7.0

v2.6.6

Compare Source

#​5537

What's Changed

• fix(core): check schema's nesting rules on contentCheck (#​5500) by @​lepult in #​5535
• fix(suggestion): dropdown can now be closed with Esc (#​4380) by @​rfgamaral in #​5544
• Publish a new stable version by @​github-actions in #​5537

New Contributors

• @​lepult made their first contribution in #​5535

Full Changelog: ueberdosis/tiptap@v2.6.5...v2.6.6

v2.6.5

Compare Source

#​5532

What's Changed

• Publish a new stable version by @​github-actions in #​5532
• fix(suggestion): sometimes a suggestion would not show up (#​4380) (#​5531)

Full Changelog: ueberdosis/tiptap@v2.6.4...v2.6.5

v2.6.4

Compare Source

#​5497

What's Changed

• fix(react): always attempt to cleanup editor instances, starting from creation #​5492 by @​nperez0111 in #​5496
• fix(link): respect custom protocols #​5468 by @​nperez0111 in #​5470
• Publish a new pre-release version by @​github-actions in #​5497

Full Changelog: ueberdosis/tiptap@v2.6.3...v2.6.4

v2.6.3

Compare Source

#​5484

What's Changed

• Make img.ProseMirror-separator 0px by @​tjenkinson in #​4646
• fix: Use undefined for type attribute default by @​mhemmings in #​5491
• Publish a new pre-release version by @​github-actions in #​5484

New Contributors

• @​tjenkinson made their first contribution in #​4646
• @​mhemmings made their first contribution in #​5491

Full Changelog: ueberdosis/tiptap@v2.6.2...v2.6.3

v2.6.2

Compare Source

What's Changed

• Addresses a bug with react in Next.js or when immediatelyRender: false is specified in useEditor
• Publish a new pre-release version by @​github-actions in #​5482

Full Changelog: ueberdosis/tiptap@v2.6.1...v2.6.2

v2.6.1

Compare Source

#​5480

What's Changed

• fix(react): update typescript types to be backwards-compatible by @​nperez0111 in #​5479
• Publish a new pre-release version by @​github-actions in #​5480

Full Changelog: ueberdosis/tiptap@v2.6.0...v2.6.1

v2.6.0

Compare Source

#​5458

What's Changed

• fix(vue-3): custom node views when using class components by @​wagich in #​5410
• fix: bump priority of text-style extension fixes #​4742 by @​nperez0111 in #​5457
• fix(react): update the types to reflect true options #​5459 by @​nperez0111 in #​5460
• feat: add content to pasted nodes by @​daibhin in #​4212
• fix(react): resolves React NodeView performance issues by @​nperez0111 in #​5273
• feat: Support type attribute for ordered lists by @​bastianjoel in #​5344
• fix(react): event handlers called once per event type #​5463 by @​nperez0111 in #​5465
• docs: update README.md by @​eltociear in #​5331
• fix(link): Do not convert link href to number or boolean by @​yurtsiv in #​5391
• Update splitListItem.ts to support overrideAttrs by @​Nantris in #​4253
• build(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 by @​dependabot in #​5471
• Publish a new pre-release version by @​github-actions in #​5458

New Contributors

• @​wagich made their first contribution in #​5410
• @​daibhin made their first contribution in #​4212
• @​bastianjoel made their first contribution in #​5344
• @​eltociear made their first contribution in #​5331
• @​yurtsiv made their first contribution in #​5391

Full Changelog: ueberdosis/tiptap@v2.5.9...v2.6.0

v2.5.9

Compare Source

What's Changed

• fix: findDuplicates - use Array.from when converting Set by @​roblafeve in #​5428
• fix: allow task items to be parsed when only having <li data-checked instead of only when <li data-checked="true" (re-fix of #​5366) by @​baseballyama in #​5426
• chore: Use proper types for configure methods (Extension/Mark/Node) by @​rfgamaral in #​5421
• fix(core): resolve isNodeEmpty criteria #​5415 by @​nperez0111 in #​5419
• fix(react): optimize useEditor and useEditorState to reduce number of instances created while being performant #​5432 by @​nperez0111 in #​5445
• fix(placeholder): add back-compat to deprecated placeholder functionality by @​nperez0111 in #​5409
• build(deps): bump cypress-io/github-action from 6.7.1 to 6.7.2 by @​dependabot in #​5443
• build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.5 by @​dependabot in #​5444
• fix(core): use correct position for getMarksBetween by @​nperez0111 in #​5412
• feat(core): add ignoreWhitespace option to isNodeEmpty by @​nperez0111 in #​5446
• fix(collaboration): update y-prosemirror, respect onFirstRender by @​nperez0111 in #​5411
• fix: respect defaultLanguage on code-block-lowlight add option to code-block by @​nperez0111 in #​5406
• fix(extension-code-block-lowlight): use lowlight v3 and update demo by @​nperez0111 in #​5374
• Publish a new pre-release version by @​github-actions in #​5451

New Contributors

• @​roblafeve made their first contribution in #​5428

Full Changelog: ueberdosis/tiptap@v2.5.8...v2.5.9

v2.5.8

Compare Source

Patch Changes

• Updated dependencies [a08bf85]
  • @​tiptap/core@​2.5.8
  • @​tiptap/pm@​2.5.8

v2.5.7

Compare Source

Patch Changes

• Updated dependencies [b012471]
• Updated dependencies [cc3497e]
  • @​tiptap/core@​2.5.7
  • @​tiptap/pm@​2.5.7

v2.5.6

Compare Source

Patch Changes

• c0e5398: Links were opening twive when the editor was not editable and openOnclick was true, now openOnClick setting will check if it is editable before trying to open programmatically resolves #​4877
• Updated dependencies [b5c1b32]
• Updated dependencies [618bca9]
• Updated dependencies [35682d1]
• Updated dependencies [2104f0f]
  • @​tiptap/pm@​2.5.6
  • @​tiptap/core@​2.5.6

v2.5.5

Compare Source

Patch Changes

• Updated dependencies [4cca382]
• Updated dependencies [3b67e8a]
  • @​tiptap/core@​2.5.5
  • @​tiptap/pm@​2.5.5

v2.5.4

Compare Source

Patch Changes

• dd7f9ac: There was an issue with the cjs bundling of packages and default exports, now we resolve default exports in legacy compatible way
• Updated dependencies [dd7f9ac]
  • @​tiptap/core@​2.5.4
  • @​tiptap/pm@​2.5.4

v2.5.3

Compare Source

Patch Changes

• a473826: Make openOnClick backwards compatible with previous whenNotEditable value, this is now the default and is deprecated
  • @​tiptap/core@​2.5.3
  • @​tiptap/pm@​2.5.3

v2.5.2

Compare Source

Patch Changes

• Updated dependencies [07f4c03]
  • @​tiptap/core@​2.5.2
  • @​tiptap/pm@​2.5.2

v2.5.1

Compare Source

Patch Changes

• @​tiptap/core@​2.5.1
• @​tiptap/pm@​2.5.1

v2.5.0

Compare Source

Patch Changes

• Updated dependencies [fb45149]
• Updated dependencies [fb45149]
• Updated dependencies [fb45149]
• Updated dependencies [fb45149]
  • @​tiptap/core@​2.5.0
  • @​tiptap/pm@​2.5.0

v2.4.0

Compare Source

Features

• added jsdocs (#​4356) (b941eea)

2.3.2 (2024-05-08)

Note: Version bump only for package @​tiptap/extension-link

2.3.1 (2024-04-30)

Note: Version bump only for package @​tiptap/extension-link

v2.3.2

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.3.1

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.3.0

Compare Source

Note: Version bump only for package @​tiptap/extension-link

2.2.6 (2024-04-06)

Note: Version bump only for package @​tiptap/extension-link

2.2.5 (2024-04-05)

Bug Fixes

• extension-link: Avoid auto-linking partial text for invalid TLDs (#​4865) (4474d05)

2.2.4 (2024-02-23)

Note: Version bump only for package @​tiptap/extension-link

2.2.3 (2024-02-15)

Note: Version bump only for package @​tiptap/extension-link

2.2.2 (2024-02-07)

Note: Version bump only for package @​tiptap/extension-link

2.2.1 (2024-01-31)

Note: Version bump only for package @​tiptap/extension-link

v2.2.6

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.2.5

Compare Source

Bug Fixes

• extension-link: Avoid auto-linking partial text for invalid TLDs (#​4865) (4474d05)

v2.2.4

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.2.3

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.2.2

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.2.1

Compare Source

Note: Version bump only for package @​tiptap/extension-link

v2.2.0

Compare Source

v2.1.16

Compare Source

Note: Version bump only for package [@​tiptap/extension-link](https://redirect.github.com/tiptap/extension

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	17%	5636 / 33141
🔵	Statements	17%	5636 / 33141
🔵	Functions	6.48%	34 / 524
🔵	Branches	37.08%	135 / 364

File Coverage

No changed files found.

Generated in workflow #7093 for commit 0059789 by the Vitest Coverage Report Action