
Fix prismjs DOM Clobbering vulnerability (Dependabot #45)#599

Open

gkorland wants to merge 1 commit into staging from fix/dependabot-security-alerts

Conversation

gkorland (Contributor) commented Mar 10, 2026

Summary

Fixes the prismjs DOM Clobbering vulnerability (Dependabot alert #45).

Change

Added an npm overrides section in app/package.json to force prismjs ^1.30.0, eliminating the vulnerable 1.27.0 version that was nested under refractor 3.x (transitive dependency of react-syntax-highlighter).

Verification

  • Frontend builds successfully
  • npm audit reports 0 vulnerabilities

Remaining alerts (not fixable here)

Alert               Package           Blocked by
#47–60 (14 alerts)  pypdf <6.0.0      graphrag-sdk 0.8.2 pins pypdf>=5.9.0,<6.0.0
#46                 requests <2.32.4  multilspy pins requests==2.32.3

These require upstream dependency updates to resolve.

Summary by CodeRabbit

  • Chores
    • Pinned prismjs dependency to version 1.30.0 in package configuration.

Add npm override in app/package.json to force prismjs ^1.30.0,
resolving the vulnerable 1.27.0 version nested under refractor 3.x
(transitive dep of react-syntax-highlighter).

Note: The remaining Dependabot alerts (pypdf #47-60, requests #46)
cannot be fixed here — they are pinned by upstream dependencies
(graphrag-sdk pins pypdf<6.0.0, multilspy pins requests==2.32.3).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
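A check to go with the "npm audit reports 0 vulnerabilities" verification above: the override only helps if no copy of prismjs below 1.30.0 survives anywhere in the installed tree, including the one nested under refractor. The following is an added example, not code from this PR or the project; it walks the `packages` map of a lockfile v2/v3 and lists every install path of a package whose version is below the required floor. The lockfile excerpts, the refractor version and its dependency range are constructed for illustration.

```javascript
// Added example: verify that an npm "overrides" entry really removed every
// outdated nested copy of a package from package-lock.json (lockfileVersion
// 2 or 3, which use the flat "packages" map). For a real repo, replace the
// constructed objects below with JSON.parse(fs.readFileSync('app/package-lock.json')).

const REQUIRED_MIN = '1.30.0'; // floor implied by the "^1.30.0" override

// Compare two dotted numeric versions; negative/zero/positive like strcmp.
// Pre-release tags are not handled (not needed for prismjs releases here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every install path of `name` whose version is below `minVersion`.
// Paths look like "node_modules/refractor/node_modules/prismjs" for nested
// copies, so matching on the trailing "node_modules/<name>" catches them all.
function findStalePackages(lock, name, minVersion) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith(`node_modules/${name}`)) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Constructed lockfile excerpt mirroring the situation the PR describes:
// a hoisted prismjs plus an older 1.27.0 copy nested under refractor 3.x.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { 'react-syntax-highlighter': '*' } },
    'node_modules/prismjs': { version: '1.30.0' },
    'node_modules/refractor': { version: '3.6.0', dependencies: { prismjs: '~1.27.0' } },
    'node_modules/refractor/node_modules/prismjs': { version: '1.27.0' },
  },
};

// Constructed tree after reinstalling with the override: nested copy gone.
const LOCK_AFTER = { lockfileVersion: 3, packages: { ...LOCK_BEFORE.packages } };
delete LOCK_AFTER.packages['node_modules/refractor/node_modules/prismjs'];

console.log('before override:', findStalePackages(LOCK_BEFORE, 'prismjs', REQUIRED_MIN));
console.log('after override: ', findStalePackages(LOCK_AFTER, 'prismjs', REQUIRED_MIN));
```

`npm ls prismjs` gives the same picture interactively; the function above is useful when the check must run in CI against the committed lockfile.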
vercel bot commented Mar 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project     Deployment  Actions  Updated (UTC)
code-graph  Error       Error    Mar 10, 2026 11:16am


coderabbitai bot (Contributor) commented Mar 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2fed735e-0e4a-4ed8-a067-206c6eac1f0c

📥 Commits

Reviewing files that changed from the base of the PR and between be12eda and e56b033.

⛔ Files ignored due to path filters (1)
  • app/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • app/package.json

📝 Walkthrough

Added a top-level "overrides" section to app/package.json specifying prismjs version ^1.30.0 to enforce npm dependency resolution. No functional changes or control flow modifications are introduced.

Changes

Cohort / File(s)       Summary
Package Configuration  Added "overrides" object at top level specifying prismjs version ^1.30.0 to enforce dependency resolution strategy.
app/package.json

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 With whiskers twitching, bright and keen,
I've pinned the prism to pristine!
Version thirty, locked up tight,
Now your syntax shines just right! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name          Status     Explanation
Description Check   ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title check         ✅ Passed  The title clearly and specifically describes the main change: fixing a prismjs DOM Clobbering vulnerability by adding an npm override to package.json.
Docstring Coverage  ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
