CVE-2024-47061
Description
Plate is a JavaScript toolkit that makes it easier for you to develop with Slate, a popular framework for building text editors. One longstanding feature of Plate is the ability to add custom DOM attributes to any element or leaf using the `attributes` property. These attributes are passed to the node component using the `nodeProps` prop.

It has come to our attention that this feature can be used for malicious purposes, including cross-site scripting (XSS) and information exposure (specifically, users' IP addresses and whether or not they have opened a malicious document). Note that the risk of information exposure via attributes is only relevant to applications in which web requests to arbitrary URLs are not ordinarily allowed. Plate editors that allow users to embed images from arbitrary URLs, for example, already carry the risk of leaking users' IP addresses to third parties.

All Plate editors using an affected version of `@udecode/plate-core` are vulnerable to these information exposure attacks via the `style` attribute and other attributes that can cause web requests to be sent. In addition, whether or not a Plate editor is vulnerable to cross-site scripting attacks using attributes depends on a number of factors. The most likely DOM attributes to be vulnerable are `href` and `src` on links and iframes respectively. Any component that spreads `{...nodeProps}` onto an `<a>` or `<iframe>` element and does not later override `href` or `src` will be vulnerable to XSS.

In patched versions of Plate, we have disabled `element.attributes` and `leaf.attributes` for most attribute names by default, with some exceptions including `target`, `alt`, `width`, `height`, `colspan` and `rowspan` on the link, image, video, table cell and table header cell plugins. If this is a breaking change for you, you can selectively re-enable attributes for certain plugins through the `node.dangerouslyAllowAttributes` plugin option, as shown in the migration notes of the `@udecode/plate-core` changeset under Patches.

Please carefully research and assess the security implications of any attribute you allow, as even seemingly innocuous attributes such as `style` can be used maliciously. If you are unable to upgrade to any of the patched versions, you should use a tool like patch-package or yarn patch to remove the logic from `@udecode/plate-core` that adds `attributes` to `nodeProps`.
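The effect of the allowlist on a stored document, as an added example that is not Plate's own code: it models the pre-patch and patched handling of `attributes`, and goes one step further with a walker that lists every attribute the patched filter would drop, which is useful for checking existing documents before upgrading. The function names, the sample document and the `example.invalid` URLs are constructed for illustration; the default allowlist and the link node come from the fix commit shown under Patches.

```javascript
// Added example: a stand-alone model of the allowlist, not Plate's own code.
// Keys and attribute names below are the plugin defaults shown in the fix commit.
const DEFAULT_ALLOW = {
  a: ['target'],
  img: ['alt', 'width', 'height'],
  video: ['width', 'height'],
  td: ['colspan', 'rowspan'],
  th: ['colspan', 'rowspan'],
};

// Pre-patch behaviour: every key of node.attributes was handed on as nodeProps.
function nodePropsBefore(node) {
  return { ...(node.attributes ?? {}) };
}

// Patched behaviour: only exact names on the node type's allowlist survive.
// Simplification (assumption): text leaves and unknown types have an empty list.
function nodePropsAfter(node, allow = DEFAULT_ALLOW) {
  const allowed = Object.prototype.hasOwnProperty.call(allow, node.type)
    ? allow[node.type]
    : [];
  return Object.fromEntries(
    Object.entries(node.attributes ?? {}).filter(([name]) => allowed.includes(name))
  );
}

// Walk a Slate value and report each attribute the patched filter would drop,
// with the node path so the entry can be located in the stored document.
function auditValue(value, allow = DEFAULT_ALLOW, path = []) {
  const findings = [];
  value.forEach((node, index) => {
    const here = [...path, index];
    const kept = nodePropsAfter(node, allow);
    for (const [name, raw] of Object.entries(node.attributes ?? {})) {
      if (!Object.prototype.hasOwnProperty.call(kept, name)) {
        findings.push({
          path: here.join('.'),
          type: node.type ?? 'text',
          name,
          value: String(raw),
        });
      }
    }
    if (Array.isArray(node.children)) {
      findings.push(...auditValue(node.children, allow, here));
    }
  });
  return findings;
}

// Constructed sample document. The link node is the one from the doc comment
// in the patch; the other nodes and URLs are placeholders.
const SAMPLE = [
  {
    type: 'p',
    attributes: { style: 'background:url(https://example.invalid/x)' },
    children: [
      { text: 'See ' },
      {
        type: 'a',
        url: 'https://safesite.com/',
        attributes: { href: 'javascript:alert("xss")', target: '_blank' },
        children: [{ text: 'Click me' }],
      },
    ],
  },
  {
    type: 'img',
    url: 'https://safesite.com/a.png',
    attributes: { alt: 'logo', width: '120', src: 'https://example.invalid/other.png' },
    children: [{ text: '' }],
  },
];

// Stand-alone run: print what an upgrade would stop rendering.
console.log(auditValue(SAMPLE));
```

Passing an extended map such as `{ ...DEFAULT_ALLOW, p: ['style'] }` shows what re-enabling an attribute lets back through; the filter checks names only, so the value of any allowed attribute still reaches the DOM unchanged.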
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @udecode/plate-core (npm) | >= 37.0.0, < 38.0.6 | 38.0.6 |
| @udecode/plate-core (npm) | >= 22.0.0, < 36.5.9 | 36.5.9 |
| @udecode/plate-core (npm) | < 21.5.1 | 21.5.1 |
Patches
2a1002ddd6a5d · 12 files changed · +323 −90
.changeset/loud-lemons-tickle.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@udecode/plate-link': patch +--- + +Add the `target` attribute to `dangerouslyAllowAttributes` for LinkPlugin
.changeset/lovely-taxis-bake.md+8 −0 added@@ -0,0 +1,8 @@ +--- +'@udecode/plate-media': patch +--- + +Add the following attributes to `dangerouslyAllowAttributes`: + +- ImagePlugin: `alt`, `width`, `height` +- VideoPlugin: `width`, `height`
.changeset/olive-shrimps-joke.md+32 −0 added@@ -0,0 +1,32 @@ +--- +'@udecode/plate-core': patch +--- + +Mitigate XSS in `element.attributes` by requiring all attribute names to be allowlisted in the `node.dangerouslyAllowAttributes` plugin configuration option. + +Migration: + +For each plugin that needs to support passing DOM attributes using `element.attributes`, add the list of allowed attributes to the `node.dangerouslyAllowAttributes` option of the plugin. + +```ts +const ImagePlugin = createPlatePlugin({ + key: 'image', + node: { + isElement: true, + isVoid: true, + dangerouslyAllowAttributes: ['alt'], + }, +}); +``` + +To modify existing plugins, use the `extend` method as follows: + +```ts +const MyImagePlugin = ImagePlugin.extend({ + node: { + dangerouslyAllowAttributes: ['alt'], + }, +}); +``` + +WARNING: Improper use of `dangerouslyAllowAttributes` WILL make your application vulnerable to cross-site scripting (XSS) or information exposure attacks. Ensure you carefully research the security implications of any attribute before adding it. For example, the `src` and `href` attributes will allow attackers to execute arbitrary code, and the `style` and `background` attributes will allow attackers to leak users' IP addresses.
.changeset/silver-flies-relax.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@udecode/plate-table': patch +--- + +Add the `colspan` and `rowspan` attributes to `dangerouslyAllowAttributes` for TableCellPlugin and TableCellHeaderPlugin
packages/core/src/lib/plugin/BasePlugin.ts+31 −0 modified@@ -93,6 +93,37 @@ export type BasePluginNode = { */ type: string; + /** + * Controls which (if any) attribute names in the `attributes` property of an + * element will be passed as `nodeProps` to the {@link NodeComponent}, and + * subsequently rendered as DOM attributes. + * + * WARNING: If used improperly, this property WILL make your application + * vulnerable to cross-site scripting (XSS) or information exposure attacks. + * + * For example, if the `href` attribute is allowed and the component passes + * `nodeProps` to an `<a>` element, then attackers can direct users to open a + * document containing a malicious link element: + * + * { type: 'link', url: 'https://safesite.com/', attributes: { href: + * 'javascript:alert("xss")' }, children: [{ text: 'Click me' }], } + * + * The same is true of the `src` attribute when passed to certain HTML + * elements, such as `<iframe>`. + * + * If the `style` attribute (or another attribute that can load URLs, such as + * `background`) is allowed, then attackers can direct users to open a + * document that will send a HTTP request to an arbitrary URL. This can leak + * the victim's IP address or confirm to the attacker that the victim opened + * the document. + * + * Before allowing any attribute name, ensure that you thoroughly research and + * assess any potential risks associated with it. + * + * @default [ ] + */ + dangerouslyAllowAttributes?: string[]; + /** * Indicates if this plugin's nodes should be rendered as elements. Used by * Plate for {@link NodeComponent} rendering as elements.
packages/core/src/react/components/Plate.spec.tsx+123 −1 modified@@ -6,7 +6,11 @@ import { type Value, isBlock, setNodes } from '@udecode/slate'; import isEqual from 'lodash/isEqual'; import memoize from 'lodash/memoize'; -import type { PlatePlugins } from '../plugin'; +import type { + PlatePlugins, + PlateRenderElementProps, + PlateRenderLeafProps, +} from '../plugin'; import { type SlatePlugins, createSlatePlugin } from '../../lib'; import { createPlateEditor, usePlateEditor } from '../editor'; 
@@ -470,4 +474,122 @@ describe('Plate', () => { expect(mountCount).toBe(2); }); }); + + describe('User-defined attributes', () => { + const ParagraphElement = ({ + attributes, + children, + nodeProps, + }: PlateRenderElementProps) => ( + <p {...attributes} {...nodeProps} data-testid="paragraph"> + {children} + </p> + ); + + const BoldLeaf = ({ + attributes, + children, + nodeProps, + }: PlateRenderLeafProps) => ( + <strong {...attributes} {...nodeProps} data-testid="bold"> + {children} + </strong> + ); + + const getParagraphPlugin = (dangerouslyAllowAttributes: boolean) => + createPlatePlugin({ + key: 'p', + node: { + component: ParagraphElement, + dangerouslyAllowAttributes: dangerouslyAllowAttributes + ? ['data-my-paragraph-attribute'] + : undefined, + isElement: true, + }, + }); + + const getBoldPlugin = (dangerouslyAllowAttributes: boolean) => + createPlatePlugin({ + key: 'bold', + node: { + component: BoldLeaf, + dangerouslyAllowAttributes: dangerouslyAllowAttributes + ? ['data-my-bold-attribute'] + : undefined, + isLeaf: true, + }, + }); + + const initialValue = [ + { + attributes: { + 'data-my-paragraph-attribute': 'hello', + 'data-unpermitted-paragraph-attribute': 'world', + }, + children: [ + { + attributes: { + 'data-my-bold-attribute': 'hello', + 'data-unpermitted-bold-attribute': 'world', + }, + bold: true, + text: 'My bold paragraph', + }, + ], + type: 'p', + }, + ]; + + const Editor = ({ + dangerouslyAllowAttributes, + }: { + dangerouslyAllowAttributes: boolean; + }) => { + const editor = usePlateEditor({ + plugins: [ + getParagraphPlugin(dangerouslyAllowAttributes), + getBoldPlugin(dangerouslyAllowAttributes), + ], + value: initialValue, + }); + + return ( + <Plate editor={editor}> + <PlateContent /> + </Plate> + ); + }; + + it('renders no user-defined attributes by default', () => { + const { getByTestId } = render( + <Editor dangerouslyAllowAttributes={false} /> + ); + + const paragraphEl = getByTestId('paragraph'); + 
expect(Object.keys(paragraphEl.dataset)).toEqual(['slateNode', 'testid']); + + const boldEl = getByTestId('bold'); + expect(Object.keys(boldEl.dataset)).toEqual(['slateLeaf', 'testid']); + }); + + it('renders allowed user-defined attributes', () => { + const { getByTestId } = render( + <Editor dangerouslyAllowAttributes={true} /> + ); + + const paragraphEl = getByTestId('paragraph'); + expect(Object.keys(paragraphEl.dataset)).toEqual([ + 'slateNode', + 'myParagraphAttribute', + 'testid', + ]); + + const boldEl = getByTestId('bold'); + expect(Object.keys(boldEl.dataset)).toEqual([ + 'slateLeaf', + 'myBoldAttribute', + 'testid', + ]); + }); + }); });
packages/core/src/react/utils/getRenderNodeProps.ts+15 −3 modified@@ -1,6 +1,7 @@ import type { AnyObject } from '@udecode/utils'; import { clsx } from 'clsx'; +import pick from 'lodash/pick.js'; import type { PlateEditor } from '../editor'; import type { AnyEditorPlatePlugin } from '../plugin/PlatePlugin'; @@ -10,8 +11,9 @@ import { getSlateClass } from '../../lib'; import { getEditorPlugin } from '../plugin'; /** - * Override node props with plugin props. `props.element.attributes` are passed - * as `nodeProps`. Extend the class name with the node type. + * Override node props with plugin props. Allowed properties in + * `props.element.attributes` are passed as `nodeProps`. Extend the class name + * with the node type. */ export const getRenderNodeProps = ({ attributes, @@ -33,7 +35,17 @@ export const getRenderNodeProps = ({ : plugin.node.props) ?? {}; } if (!newProps.nodeProps && attributes) { - newProps.nodeProps = attributes; + /** + * WARNING: Improper use of `dangerouslyAllowAttributes` WILL make your + * application vulnerable to cross-site scripting (XSS) or information + * exposure attacks. + * + * @see {@link BasePluginNode.dangerouslyAllowAttributes} + */ + newProps.nodeProps = pick( + attributes, + plugin.node.dangerouslyAllowAttributes ?? [] + ); } props = { ...props, ...newProps };
packages/link/src/lib/BaseLinkPlugin.ts+5 −1 modified@@ -93,7 +93,11 @@ export type BaseLinkConfig = PluginConfig< export const BaseLinkPlugin = createTSlatePlugin<BaseLinkConfig>({ key: 'a', extendEditor: withLink, - node: { isElement: true, isInline: true }, + node: { + dangerouslyAllowAttributes: ['target'], + isElement: true, + isInline: true, + }, options: { allowedSchemes: ['http', 'https', 'mailto', 'tel'], dangerouslySkipSanitization: false,
packages/media/src/lib/BaseVideoPlugin.ts+5 −1 modified@@ -6,5 +6,9 @@ export interface TVideoElement extends TMediaElement {} export const BaseVideoPlugin = createSlatePlugin({ key: 'video', - node: { isElement: true, isVoid: true }, + node: { + dangerouslyAllowAttributes: ['width', 'height'], + isElement: true, + isVoid: true, + }, });
packages/media/src/lib/image/BaseImagePlugin.ts+5 −1 modified@@ -30,7 +30,11 @@ export type ImageConfig = PluginConfig< export const BaseImagePlugin = createTSlatePlugin<ImageConfig>({ key: 'img', extendEditor: withImage, - node: { isElement: true, isVoid: true }, + node: { + dangerouslyAllowAttributes: ['alt', 'width', 'height'], + isElement: true, + isVoid: true, + }, }).extend(({ plugin }) => ({ parsers: { html: {
packages/table/src/lib/BaseTablePlugin.ts+8 −2 modified@@ -25,7 +25,10 @@ export const BaseTableRowPlugin = createSlatePlugin({ export const BaseTableCellPlugin = createSlatePlugin({ key: 'td', - node: { isElement: true }, + node: { + dangerouslyAllowAttributes: ['colspan', 'rowspan'], + isElement: true, + }, }).extend(({ type }) => ({ parsers: { html: { @@ -40,7 +43,10 @@ export const BaseTableCellPlugin = createSlatePlugin({ export const BaseTableCellHeaderPlugin = createSlatePlugin({ key: 'th', - node: { isElement: true }, + node: { + dangerouslyAllowAttributes: ['colspan', 'rowspan'], + isElement: true, + }, }).extend(({ type }) => ({ parsers: { html: {
yarn.lock+81 −81 modified@@ -560,7 +560,7 @@ __metadata: languageName: node linkType: hard -"@changesets/cli@npm:^2.27.8": +"@changesets/cli@npm:^2.27.7": version: 2.27.8 resolution: "@changesets/cli@npm:2.27.8" dependencies: @@ -636,13 +636,13 @@ __metadata: languageName: node linkType: hard -"@changesets/get-github-info@npm:^0.6.0": - version: 0.6.0 - resolution: "@changesets/get-github-info@npm:0.6.0" +"@changesets/get-github-info@npm:^0.5.2": + version: 0.5.2 + resolution: "@changesets/get-github-info@npm:0.5.2" dependencies: dataloader: "npm:^1.4.0" node-fetch: "npm:^2.5.0" - checksum: 10c0/21fde8a8cb48091a8ea8be37defbc0dca5defe10a097025968b273076657f354032803a5db31ffe0fa86ab089383faa981ab674489d31e38bf7bc4dcf981ad79 + checksum: 10c0/702c001d939be544490db4903c63d60a38404348bf6658632e9a8e204b1a96289a604a27aa00da67322331e4cfe3592e7175dbd88736449c203f4664a7c69824 languageName: node linkType: hard @@ -5877,7 +5877,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5894,7 +5894,7 @@ __metadata: "@udecode/plate-common": "workspace:^" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5913,7 +5913,7 @@ __metadata: "@udecode/plate-common": "workspace:^" "@udecode/plate-heading": "npm:38.0.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5929,7 +5929,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -5945,7 +5945,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5961,7 +5961,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5977,7 +5977,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -5994,7 +5994,7 @@ __metadata: "@udecode/plate-common": "workspace:^" react-textarea-autosize: "npm:^8.5.3" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6013,7 +6013,7 @@ __metadata: delay: "npm:5.0.0" p-defer: "npm:^4.0.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6030,7 +6030,7 @@ __metadata: "@udecode/plate-common": "workspace:^" prismjs: "npm:^1.29.0" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6046,7 +6046,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6063,7 +6063,7 @@ __metadata: "@udecode/plate-common": "workspace:^" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6073,17 +6073,17 @@ __metadata: languageName: unknown linkType: soft -"@udecode/plate-common@npm:38.0.1, @udecode/plate-common@workspace:^, @udecode/plate-common@workspace:packages/common": +"@udecode/plate-common@npm:38.0.4, @udecode/plate-common@workspace:^, @udecode/plate-common@workspace:packages/common": version: 0.0.0-use.local resolution: "@udecode/plate-common@workspace:packages/common" dependencies: - "@udecode/plate-core": "npm:38.0.1" - "@udecode/plate-utils": "npm:38.0.1" + "@udecode/plate-core": "npm:38.0.4" + "@udecode/plate-utils": "npm:38.0.4" "@udecode/react-hotkeys": "npm:37.0.0" "@udecode/react-utils": "npm:38.0.1" - "@udecode/slate": "npm:37.0.0" - "@udecode/slate-react": "npm:38.0.1" - "@udecode/slate-utils": "npm:37.0.0" + "@udecode/slate": "npm:38.0.4" + "@udecode/slate-react": "npm:38.0.4" + "@udecode/slate-utils": "npm:38.0.4" "@udecode/utils": "npm:37.0.0" peerDependencies: react: ">=16.8.0" @@ -6095,15 +6095,15 @@ __metadata: languageName: unknown linkType: soft -"@udecode/plate-core@npm:38.0.1, @udecode/plate-core@workspace:^, @udecode/plate-core@workspace:packages/core": +"@udecode/plate-core@npm:38.0.4, @udecode/plate-core@workspace:^, @udecode/plate-core@workspace:packages/core": version: 0.0.0-use.local resolution: "@udecode/plate-core@workspace:packages/core" dependencies: "@udecode/react-hotkeys": "npm:37.0.0" "@udecode/react-utils": "npm:38.0.1" - "@udecode/slate": "npm:37.0.0" - "@udecode/slate-react": "npm:38.0.1" - "@udecode/slate-utils": "npm:37.0.0" + "@udecode/slate": "npm:38.0.4" + "@udecode/slate-react": "npm:38.0.4" + "@udecode/slate-utils": "npm:38.0.4" "@udecode/utils": "npm:37.0.0" clsx: "npm:^2.1.1" is-hotkey: "npm:^0.2.0" @@ -6135,7 +6135,7 @@ __metadata: "@udecode/plate-table": "npm:38.0.1" papaparse: "npm:^5.4.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6151,7 +6151,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6167,7 +6167,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.94.0" @@ -6185,7 +6185,7 @@ __metadata: diff-match-patch-ts: "npm:^0.6.0" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6203,7 +6203,7 @@ __metadata: lodash: "npm:^4.17.21" raf: "npm:^3.4.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dnd: ">=14.0.0" react-dnd-html5-backend: ">=14.0.0" @@ -6227,7 +6227,7 @@ __metadata: "@udecode/plate-table": "npm:38.0.1" validator: "npm:^13.12.0" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6245,7 +6245,7 @@ __metadata: "@udecode/plate-combobox": "npm:38.0.1" "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6262,7 +6262,7 @@ __metadata: "@excalidraw/excalidraw": "npm:0.16.4" "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6278,7 +6278,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6296,7 +6296,7 @@ __metadata: "@floating-ui/react": "npm:^0.26.23" "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6313,7 +6313,7 @@ __metadata: "@udecode/plate-common": "workspace:^" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6329,7 +6329,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6345,7 +6345,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6361,7 +6361,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6379,7 +6379,7 @@ __metadata: "@udecode/plate-common": "workspace:^" html-entities: "npm:^2.5.2" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6398,7 +6398,7 @@ __metadata: "@udecode/plate-list": "npm:38.0.1" clsx: "npm:^2.1.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6414,7 +6414,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6431,7 +6431,7 @@ __metadata: "@udecode/plate-common": "workspace:^" juice: "npm:^8.1.0" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6447,7 +6447,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6463,7 +6463,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6479,7 +6479,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6497,7 +6497,7 @@ __metadata: "@udecode/plate-floating": "npm:38.0.1" "@udecode/plate-normalizers": "npm:38.0.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6515,7 +6515,7 @@ __metadata: "@udecode/plate-reset-node": "npm:38.0.1" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6534,7 +6534,7 @@ __metadata: remark-parse: "npm:^9.0.0" unified: "npm:^11.0.5" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6552,7 +6552,7 @@ __metadata: "@udecode/plate-common": "workspace:^" katex: "npm:0.16.11" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6569,7 +6569,7 @@ __metadata: "@udecode/plate-common": "workspace:^" js-video-url-parser: "npm:^0.5.1" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6586,7 +6586,7 @@ __metadata: "@udecode/plate-combobox": "npm:38.0.1" "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6603,7 +6603,7 @@ __metadata: "@udecode/plate-common": "workspace:^" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6620,7 +6620,7 @@ __metadata: "@udecode/plate-common": "workspace:^" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6637,7 +6637,7 @@ __metadata: "@udecode/plate-common": "workspace:^" peerDependencies: "@playwright/test": ">=1.42.1" - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6653,7 +6653,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6669,7 +6669,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6685,7 +6685,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6702,7 +6702,7 @@ __metadata: "@udecode/plate-common": "workspace:^" copy-to-clipboard: "npm:^3.3.3" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6719,7 +6719,7 @@ __metadata: "@udecode/plate-combobox": "npm:38.0.1" "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6737,7 +6737,7 @@ __metadata: "@udecode/plate-diff": "npm:38.0.0" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6754,7 +6754,7 @@ __metadata: "@udecode/plate-common": "workspace:^" tabbable: "npm:^6.2.0" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6772,7 +6772,7 @@ __metadata: "@udecode/plate-resizable": "npm:38.0.0" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6799,7 +6799,7 @@ __metadata: "@udecode/plate-node-id": "npm:38.0.1" lodash: "npm:^4.17.21" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6815,7 +6815,7 @@ __metadata: dependencies: "@udecode/plate-common": "workspace:^" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" 
@@ -6856,15 +6856,15 @@ __metadata: languageName: unknown linkType: soft -"@udecode/plate-utils@npm:38.0.1, @udecode/plate-utils@workspace:^, @udecode/plate-utils@workspace:packages/plate-utils": +"@udecode/plate-utils@npm:38.0.4, @udecode/plate-utils@workspace:^, @udecode/plate-utils@workspace:packages/plate-utils": version: 0.0.0-use.local resolution: "@udecode/plate-utils@workspace:packages/plate-utils" dependencies: - "@udecode/plate-core": "npm:38.0.1" + "@udecode/plate-core": "npm:38.0.4" "@udecode/react-utils": "npm:38.0.1" - "@udecode/slate": "npm:37.0.0" - "@udecode/slate-react": "npm:38.0.1" - "@udecode/slate-utils": "npm:37.0.0" + "@udecode/slate": "npm:38.0.4" + "@udecode/slate-react": "npm:38.0.4" + "@udecode/slate-utils": "npm:38.0.4" "@udecode/utils": "npm:37.0.0" clsx: "npm:^2.1.1" lodash: "npm:^4.17.21" @@ -6887,7 +6887,7 @@ __metadata: "@udecode/plate-common": "workspace:^" yjs: "npm:^13.6.19" peerDependencies: - "@udecode/plate-common": ">=38.0.1" + "@udecode/plate-common": ">=38.0.4" react: ">=16.8.0" react-dom: ">=16.8.0" slate: ">=0.103.0" @@ -6910,7 +6910,7 @@ __metadata: "@udecode/plate-code-block": "npm:38.0.1" "@udecode/plate-combobox": "npm:38.0.1" "@udecode/plate-comments": "npm:38.0.1" - "@udecode/plate-common": "npm:38.0.1" + "@udecode/plate-common": "npm:38.0.4" "@udecode/plate-csv": "npm:38.0.1" "@udecode/plate-diff": "npm:38.0.0" "@udecode/plate-docx": "npm:38.0.1" 
@@ -6975,12 +6975,12 @@ __metadata: languageName: unknown linkType: soft -"@udecode/slate-react@npm:38.0.1, @udecode/slate-react@workspace:^, @udecode/slate-react@workspace:packages/slate-react": +"@udecode/slate-react@npm:38.0.4, @udecode/slate-react@workspace:^, @udecode/slate-react@workspace:packages/slate-react": version: 0.0.0-use.local resolution: "@udecode/slate-react@workspace:packages/slate-react" dependencies: "@udecode/react-utils": "npm:38.0.1" - "@udecode/slate": "npm:37.0.0" + "@udecode/slate": "npm:38.0.4" "@udecode/utils": "npm:37.0.0" peerDependencies: react: ">=16.8.0" @@ -6991,11 +6991,11 @@ __metadata: languageName: unknown linkType: soft -"@udecode/slate-utils@npm:37.0.0, @udecode/slate-utils@workspace:^, @udecode/slate-utils@workspace:packages/slate-utils": +"@udecode/slate-utils@npm:38.0.4, @udecode/slate-utils@workspace:^, @udecode/slate-utils@workspace:packages/slate-utils": version: 0.0.0-use.local resolution: "@udecode/slate-utils@workspace:packages/slate-utils" dependencies: - "@udecode/slate": "npm:37.0.0" + "@udecode/slate": "npm:38.0.4" "@udecode/utils": "npm:37.0.0" lodash: "npm:^4.17.21" peerDependencies: @@ -7004,7 +7004,7 @@ __metadata: languageName: unknown linkType: soft -"@udecode/slate@npm:37.0.0, @udecode/slate@workspace:^, @udecode/slate@workspace:packages/slate": +"@udecode/slate@npm:38.0.4, @udecode/slate@workspace:^, @udecode/slate@workspace:packages/slate": version: 0.0.0-use.local resolution: "@udecode/slate@workspace:packages/slate" dependencies: @@ -16727,8 +16727,8 @@ __metadata: version: 0.0.0-use.local resolution: "plate@workspace:." dependencies: - "@changesets/cli": "npm:^2.27.8" - "@changesets/get-github-info": "npm:^0.6.0" + "@changesets/cli": "npm:^2.27.7" + "@changesets/get-github-info": "npm:^0.5.2" "@dword-design/eslint-plugin-import-alias": "npm:^5.1.1" "@ianvs/prettier-plugin-sort-imports": "npm:^4.3.1" "@playwright/test": "npm:1.47.0"
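Review bot: In packages/core/src/lib/plugin/BasePlugin.ts, the doc comment on `dangerouslyAllowAttributes` does not say how entries are matched or that attribute values are passed through unchecked. Suggest adding one sentence stating that an entry permits the attribute of that exact name with any value, and writing the default as `@default []` rather than `@default [ ]`.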
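Review bot: In the new `User-defined attributes` block of packages/core/src/react/components/Plate.spec.tsx, both tests use only `data-*` names, so nothing asserts that the attributes named in the warning (`href`, `src`, `style`) are dropped when they are not allowlisted. Suggest adding a case that puts `href` in `attributes` on a node whose plugin has no allowlist and asserts the rendered element lacks it. Separately, the helper parameter `dangerouslyAllowAttributes: boolean` reuses the option's name with a different type; a name such as `allow` would read more clearly.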
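Review bot: In packages/core/src/react/utils/getRenderNodeProps.ts, `pick(attributes, plugin.node.dangerouslyAllowAttributes ?? [])` treats each allowlist entry as a lodash property path rather than a literal attribute name, so an entry containing `.` or `[` can select a nested value when no key of that exact name exists. Since the option is documented as a list of attribute names, filtering the own keys of `attributes` against the list would match that contract more closely. The import `lodash/pick.js` also carries a file extension, while `lodash/isEqual` and `lodash/memoize` in Plate.spec.tsx do not.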
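Review bot: In packages/table/src/lib/BaseTablePlugin.ts, the allowlists for `td` and `th` list lowercase `colspan` and `rowspan`, and the filter in getRenderNodeProps.ts matches names exactly, so a stored node that uses React's `colSpan` or `rowSpan` casing in `attributes` would have it dropped. Suggest confirming which casing existing documents use and covering it with a test on the table cell plugins.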
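Review bot: The first and last yarn.lock hunks lower `@changesets/cli` from `^2.27.8` to `^2.27.7` and `@changesets/get-github-info` from `^0.6.0` to `^0.5.2`, which is unrelated to the attribute allowlist and looks like a lockfile regenerated from an older base. Suggest dropping those two changes from this security commit, or explaining them in the commit message, so the lockfile diff contains only the `38.0.1` to `38.0.4` workspace bumps.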
References
- github.com/advisories/GHSA-73rg-f94j-xvhx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-47061 (ghsa, ADVISORY)
- github.com/udecode/plate/commit/16df6074edac22d56c60e0283eae0740230401c9 (ghsa, WEB)
- github.com/udecode/plate/security/advisories/GHSA-73rg-f94j-xvhx (nvd, WEB)
- www.npmjs.com/package/patch-package (nvd, WEB)
- yarnpkg.com/cli/patch (nvd, WEB)