Bump ckeditor5, @ckeditor/ckeditor5-html-support and @ckeditor/ckeditor5-image in /services/drupal/web/modules/custom/media_inline_embed

[dependabot]

Bumps ckeditor5, @ckeditor/ckeditor5-html-support and @ckeditor/ckeditor5-image. These dependencies needed to be updated together.
Updates ckeditor5 from 34.1.0 to 47.6.0

Release notes

Sourced from ckeditor5's releases.

v47.6.0

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

[!WARNING]

... (truncated)

Changelog

Sourced from ckeditor5's changelog.

47.6.0 (March 4, 2026)

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

... (truncated)

Commits

• 8d55539 Release: v47.6.0. [skip ci]
• 500b50a Merge pull request #19882 from ckeditor/changelog_to_release
• 154692c Changelog improvements.
• ac8bec4 Merge pull request #19862 from ckeditor/cc/9413
• 39ce955 Changelog for v47.6.0. [skip ci]
• 4d00349 Add a callout for on-premises trials.
• 3059a46 Merge pull request #19859 from ckeditor/cc/ai-docs-review
• 673b1b1 Merge pull request #19856 from ckeditor/ck/19844-list-indent-enablement
• db87357 Merge pull request #19857 from ckeditor/cc/9407
• 3181968 Added AI Chat Shortcuts card to the feature digest.
• Additional commits viewable in compare view

Updates @ckeditor/ckeditor5-html-support from 37.1.0 to 47.6.0

Release notes

Sourced from @​ckeditor/ckeditor5-html-support's releases.

v47.6.0

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

[!WARNING]

... (truncated)

Changelog

Sourced from @​ckeditor/ckeditor5-html-support's changelog.

47.6.0 (March 4, 2026)

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

... (truncated)

Commits

• 8d55539 Release: v47.6.0. [skip ci]
• 154692c Changelog improvements.
• efbd25b Merge pull request #19792 from ckeditor/ck/19757
• 7c71d45 Fix null scenario.
• 568e0d0 Merge stable into master
• e271a3f Docs: Fix non-breaking space.
• 18ee525 Docs: Add the script section to the GHS guide.
• bba83d7 No longer return incorrect keys in attributes result of `getModelDataWithAt...
• 39391fc Update ckeditor5-dev-* packages to 54.3.4.
• ccb6844 Release: v47.5.0. [skip ci]
• Additional commits viewable in compare view

Updates @ckeditor/ckeditor5-image from 30.0.0 to 47.6.0

Release notes

Sourced from @​ckeditor/ckeditor5-image's releases.

v47.6.0

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

[!WARNING]

... (truncated)

Changelog

Sourced from @​ckeditor/ckeditor5-image's changelog.

47.6.0 (March 4, 2026)

We are excited to announce the release of CKEditor 5 v47.6.0.

Security update

A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature (CVE-2026-28343). This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

• General HTML Support is enabled,
• General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

You can read more details in the relevant security advisory and contact us if you have more questions.

Release highlights

This release introduces new list indentation capabilities and expands the customization options for CKEditor AI, giving integrators more control over the AI-powered editing experience.

⭐ CKEditor AI On-premises available

CKEditor AI is now available as an on-premises deployment, giving you full control over the AI service by running it on your infrastructure. The on-premises version supports everything the cloud option offers, plus:

• Custom AI models and providers — use your models from OpenAI, Google Cloud, Microsoft Azure, or self-hosted solutions.
• MCP (Model Context Protocol) support — extend the AI with custom external tools by connecting MCP servers, enabling use cases like searching internal knowledge bases or querying company databases directly from the AI chat.

Learn more about deployment options and MCP support.

⭐ Custom AI Review checks

The AI Review feature now supports custom review commands defined by integrators. Until now, the review was limited to built-in commands like proofreading, clarity, readability, and tone adjustment. With this release, you can create review commands tailored to your editorial guidelines, brand voice, or domain-specific quality standards.

Custom commands are registered via config.ai.review.extraCommands and made visible in the UI through config.ai.review.availableCommands. The same option lets you reorder, filter, or shorten the list of built-in commands to match your needs. See the documentation for details.

⭐ AI Chat Shortcuts

We are introducing AI Chat Shortcuts, a new opt-in plugin that displays configurable shortcut buttons in the AI Chat panel before the first message is sent. Shortcuts provide clear, actionable entry points that guide users toward the most useful AI capabilities. From launching a predefined prompt to starting a specific review or translation flow to navigating directly to the Review or Translate tab.

Integrators define shortcuts with a name, icon, and an action. Each shortcut can also configure which AI capabilities (model, web search, reasoning) are active for the prompt. Learn more in the documentation.

List indentation improvements

We're streamlining and standardizing the way list indentation is handled. With improved UX, it's now possible to indent whole lists and also individual list items with consistent styling and no custom implementation required.

This improvement is compatible with Paste from Office, Export to Word, Export to PDF, and Track Changes plugins. It also provides RTL support.

Upgrade @aws-sdk/client-bedrock-runtime to the latest version

We upgraded @aws-sdk/client-bedrock-runtime to the latest version to address a recently disclosed security vulnerability in the fast-xml-parser dependency. We marked this update as a minor breaking change due to the use of dynamic imports in one of the underlying packages, which may impact certain build environments.

... (truncated)

Commits

• 8d55539 Release: v47.6.0. [skip ci]
• 39391fc Update ckeditor5-dev-* packages to 54.3.4.
• ccb6844 Release: v47.5.0. [skip ci]
• 0240450 Upgrade ckeditor5-dev-* to v54.3.3.
• 6128218 Merge pull request #19637 from ckeditor/ck/19636
• fd686ae Bumped ckeditor5-dev-* to the latest version.
• 520a4fe Fix comments.
• ac23d25 Add HTML comparison to image styles manual test.
• f0d39be Fix paste of block images from word.
• de930ce Merge stable into master
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.