From e56b0333d41e4ded268418ce9d2676e310180010 Mon Sep 17 00:00:00 2001
From: Guy Korland
Date: Tue, 10 Mar 2026 13:15:51 +0200
Subject: [PATCH] Fix prismjs DOM Clobbering vulnerability (Dependabot #45)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add npm override in app/package.json to force prismjs ^1.30.0, resolving the vulnerable 1.27.0 version nested under refractor 3.x (transitive dep of react-syntax-highlighter).

Note: The remaining Dependabot alerts (pypdf #47-60, requests #46) cannot be fixed here — they are pinned by upstream dependencies (graphrag-sdk pins pypdf<6.0.0, multilspy pins requests==2.32.3).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 app/package-lock.json | 9 ---------
 app/package.json | 3 +++
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/app/package-lock.json b/app/package-lock.json
index 0b782f8..78f00c6 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -4380,15 +4380,6 @@
 "url": "https://github.com/sponsors/wooorm"
 }
 },
- "node_modules/refractor/node_modules/prismjs": {
- "version": "1.27.0",
- "resolved": "https://registry.npmjs.org/prismjs/-/prismjs-1.27.0.tgz",
- "integrity": "sha512-t13BGPUlFDR7wRB5kQDG4jjl7XeuH6jbJGt11JHPL96qwsEHNX2+68tFXqc1/k+/jALsbSWJKUOT/hcYAZ5LkA==",
- "license": "MIT",
- "engines": {
- "node": ">=6"
- }
- },
 "node_modules/resolve": {
 "version": "1.22.11",
 "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
diff --git a/app/package.json b/app/package.json
index f56b842..f921de3 100644
--- a/app/package.json
+++ b/app/package.json
@@ -41,6 +41,9 @@
 "tailwindcss-animate": "^1.0.7",
 "vaul": "^1.1.2"
 },
+ "overrides": {
+ "prismjs": "^1.30.0"
+ },
 "devDependencies": {
 "@types/node": "^20.19.4",
 "@types/react": "^18.3.18",
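Review bot: The new `"overrides": { "prismjs": "^1.30.0" }` forces a prismjs version that refractor 3.x evidently did not accept on its own (the separate copy nested under `node_modules/refractor` in the lockfile hunk exists because refractor's declared range did not match the root copy), so the change should be paired with a runtime check that react-syntax-highlighter still renders code blocks, and nothing in the commit records that this was done. The lockfile hunk only removes the nested 1.27.0 entry and adds no new prismjs entry, so the override presumably resolves to a root-level prismjs that already satisfies ^1.30.0; confirming with `npm ls prismjs` that a single copy at 1.30.0 or later remains would close that gap. Since package.json cannot carry comments, the reason for the override and its removal condition (once react-syntax-highlighter/refractor depends on a patched prismjs) live only in this commit message, so consider recording it in the project's contributor docs or a tracking issue so a later dependency cleanup does not drop it.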