chore(deps): bump tinymce and @pega/cosmos-react-work

[dependabot]

Bumps tinymce and @pega/cosmos-react-work. These dependencies needed to be updated together.
Updates tinymce from 6.8.6 to 8.6.0

Changelog

Sourced from tinymce's changelog.

8.6.0 - 2026-06-03

Security

• Updated DOMPurify version to 3.4.5. #TINY-14430

8.5.1 - 2026-05-19

Security

• Fixed media plugin data-mce-object injection leading to stored XSS. #TINY-14357
• Fixed stored XSS vulnerability through mce:protected comments. #TINY-14353
• Fixed stored XSS vulnerability through data-mce- prefixed src, href, style attributes. #TINY-14333

8.5.0 - 2026-04-29

Added

• New content_language option to set the lang attribute on the iframe's html element or the inline editor's target element. #TINY-11214

Improved

• Improved visual styling of inline diff highlights in Suggested Edits and TinyMCE AI plugin. #TINY-13958

Fixed

• Script and style elements would incorrectly be removed by DomPurify when considered valid in the schema. #TINY-9655
• Iframe elements with children would incorrectly be removed by DomPurify. #TINY-9655
• Certain combinations of divs inside of lists would cause issues turning off lists. #TINY-14070
• Certain selections would delete the editor body, causing issues. #TINY-14149
• URIs with non-Latin1 characters were returning an error. #TINY-13938
• Alert and confirm dialogs were not announced properly by some screen readers. #TINY-13812

8.4.0 - 2026-03-31

Added

• New view_show option to display a specified view on initialization. #TINY-11967
• New errorHandler option for dropzone dialog components. #TINY-13420
• The noneditable feature can now be disabled with the new allow_noneditable option. #TINY-10121
• Editor option content_id for uniquely identifying the edited document. #TINY-13379
• New table_default_header_rows and table_default_header_cols options to set the default header size for new tables #TINY-13391

Improved

• The file upload feature of link and image dialogs now provide feedback when an unsupported file type is selected. #TINY-13420
• Directionality buttons now only appear active when directionality is set on the selected block. #TINY-13337
• Directionality buttons now always toggle the directionality attribute on selected blocks. #TINY-13337

Changed

• The border-color style with multiple rgb colors would be compressed into border incorrectly #TINY-13393
• Element Path now uses the ARIA-role "group" with an aria-label #TINY-13338

Fixed

• Now link dialog allows uploading empty files. #TINY-13421
• The link dialog now allows uploading empty files. #TINY-13421
• Bundled content CSS is now loaded into preview iframes. #TINY-13190

... (truncated)

Commits

• 855e368 TINY-14412: Stabilise changelog for 8.6 release
• 15fb98d TINY-14412: Update version for 8.6.0 release
• 9cd93d9 TINY-14430: Updated dompurify to 3.4.5 (#11120)
• cdeb5c1 TINY-14224: Bump version for next patch release
• 03573dd TINY-14224: Fix failing test for 8.5.1 patch release
• e0d0804 TINY-14224: Lint fix for 8.5.1 patch release
• c46e8ee TINY-14224: Add changelog for 8.5.1 patch release
• 8da3e85 TINY-14357: Fixed data-mce-object injection (#18)
• 3507b58 TINY-14353: Fixed stored XSS vulnerability through mce:protected comments (...
• 19f56a7 TINY-14333: Fixed stored XSS vulnerability through data-mce- prefixed src...
• Additional commits viewable in compare view

Updates @pega/cosmos-react-work from 8.15.5 to 9.0.0-build.29.20

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.