[Cycode] Fix for vulnerable manifest file dependency - dompurify updated to version 3.4.0#79
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7aefde6. Configure here.
| "@tanstack/react-query": "^4.39.1", | ||
| "date-fns": "^4.1.0", | ||
| "dompurify": "^3.2.4", | ||
| "dompurify": "^3.4.0", |
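Review bot: the range bump on the dompurify line only changes what a fresh npm install may resolve; npm ci installs exactly what the committed lock file records, and the review comment below reports that lock file still resolving 3.2.4, so this hunk does not remove the vulnerable version from builds on its own. Run npm install in the manifest's own directory (ui/app) so the lock file next to this package.json is regenerated, commit the updated package-lock.json in the same PR, and confirm its dompurify entry reads 3.4.0 before merging.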
Lock file not updated, vulnerable version still installed
High Severity
The package.json now requires dompurify ^3.4.0, but ui/package-lock.json still references and resolves version 3.2.4. Since npm ci (commonly used in CI/CD) installs from the lock file, the vulnerable version will continue to be installed in production. The security fix this PR intends to deliver won't actually take effect until the lock file is regenerated.
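A check for the manifest/lock-file drift Bugbot describes above, as an added example that is not part of this PR or of either bot's tooling: it reads the range declared in package.json and the version package-lock.json resolves for a dependency and reports whether they agree. It assumes the npm lockfileVersion 2/3 layout (a "packages" map keyed by "node_modules/<name>") with a fallback to the v1 "dependencies" map, handles only exact and caret ranges, and the sample manifest and lock objects are constructed here to mirror this PR; the script name and file paths in the usage line are hypothetical.

```javascript
// Added example (not code from this PR, Cycode or Cursor): a lock-file drift
// check for a dependency bump. Assumes npm lockfileVersion 2/3 ("packages"
// map keyed by "node_modules/<name>") with a v1 "dependencies" fallback, and
// supports only exact and caret ("^") ranges.

// Parse "3.4.0" (optionally with a "-pre" or "+build" suffix) into [major, minor, patch].
function parseVersion(v) {
  const core = String(v).split("-")[0].split("+")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? An exact range must match; "^X.Y.Z" with
// X > 0 means >= X.Y.Z and < (X+1).0.0. Anything else is reported as
// unsupported (null) rather than guessed at.
function satisfies(version, range) {
  const r = String(range).trim();
  if (r.startsWith("^")) {
    const base = r.slice(1);
    const [major] = parseVersion(base);
    if (major === 0) return null; // 0.x caret semantics are not modelled here
    return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
  }
  if (/^\d+\.\d+\.\d+$/.test(r)) return compareVersions(version, r) === 0;
  return null; // unsupported range syntax
}

// The version the lock file resolves for a top-level dependency, or null.
function lockedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (entry && entry.version) return entry.version;
  const legacy = (lock.dependencies || {})[name];
  return legacy && legacy.version ? legacy.version : null;
}

// Compare the manifest's declared range with what the lock file resolves.
function checkLockDrift(manifest, lock, name) {
  const declared =
    (manifest.dependencies || {})[name] || (manifest.devDependencies || {})[name];
  if (!declared) return { status: "not-declared", name };
  const locked = lockedVersion(lock, name);
  if (!locked) return { status: "not-locked", name, declared };
  const ok = satisfies(locked, declared);
  if (ok === null) return { status: "unsupported-range", name, declared, locked };
  return { status: ok ? "ok" : "drift", name, declared, locked };
}

// Constructed sample data mirroring this PR: manifest bumped to ^3.4.0,
// stale lock file still resolving 3.2.4, regenerated lock file resolving 3.4.0.
const sampleManifest = { name: "ui", dependencies: { dompurify: "^3.4.0" } };
const staleLock = {
  lockfileVersion: 3,
  packages: { "": { name: "ui" }, "node_modules/dompurify": { version: "3.2.4" } },
};
const regeneratedLock = {
  lockfileVersion: 3,
  packages: { "": { name: "ui" }, "node_modules/dompurify": { version: "3.4.0" } },
};

// Hypothetical usage against real files:
//   node check-lock.js ui/app/package.json ui/app/package-lock.json dompurify
// Exit status 1 on anything other than "ok", so it can gate CI.
if (typeof require !== "undefined" && require.main === module && process.argv.length >= 5) {
  const fs = require("fs");
  const [, , manifestPath, lockPath, dep] = process.argv;
  const result = checkLockDrift(
    JSON.parse(fs.readFileSync(manifestPath, "utf8")),
    JSON.parse(fs.readFileSync(lockPath, "utf8")),
    dep,
  );
  console.log(JSON.stringify(result));
  process.exitCode = result.status === "ok" ? 0 : 1;
} else {
  console.log(checkLockDrift(sampleManifest, staleLock, "dompurify"));
  console.log(checkLockDrift(sampleManifest, regeneratedLock, "dompurify"));
}
```

The check deliberately reports "drift" for the stale lock even though "3.2.4" is a well-formed version, because the question that matters for npm ci is whether the lock's resolution falls inside the manifest's range, not whether the lock file parses.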


Cycode Vulnerable Dependencies Update
This pull request updates the following manifest file:
ui/app/package.json
1 package will be updated to resolve vulnerabilities:
dompurify
Warning
Lock file generation failed for one or more manifest files in this pull request. Please regenerate the lock file manually before merging.
Note
Low Risk
Low risk dependency-only change updating dompurify to address a known vulnerability; potential impact is limited to any runtime behavior differences in HTML sanitization.
Overview
Updates the UI app's dompurify dependency from ^3.2.4 to ^3.4.0 in ui/app/package.json to remediate a vulnerable package version.
Reviewed by Cursor Bugbot for commit 7aefde6.