Fix prismjs DOM Clobbering vulnerability (Dependabot #45)#599

Merged
gkorland merged 1 commit into staging from fix/dependabot-security-alerts
Mar 22, 2026
Conversation

gkorland (Contributor) commented Mar 10, 2026

Summary

Fixes the prismjs DOM Clobbering vulnerability (Dependabot alert #45).

Change

Added an npm overrides section in app/package.json to force prismjs ^1.30.0, eliminating the vulnerable 1.27.0 version that was nested under refractor 3.x (transitive dependency of react-syntax-highlighter).

Verification

  • Frontend builds successfully
  • npm audit reports 0 vulnerabilities

Remaining alerts (not fixable here)

Alert / Package / Blocked by:
  • #47–60 (14 alerts): pypdf <6.0.0, blocked by graphrag-sdk 0.8.2, which pins pypdf>=5.9.0,<6.0.0
  • #46: requests <2.32.4, blocked by multilspy, which pins requests==2.32.3

These require upstream dependency updates to resolve.

Summary by CodeRabbit

  • Chores
    • Added a top-level overrides entry that pins prismjs to ^1.30.0 for dependency resolution.
    • Ensures a consistent prismjs version is used during installs, reducing variation across environments.

vercel bot commented Mar 10, 2026

The latest updates on your projects:

  • Project: code-graph; Deployment: Error; Updated (UTC): Mar 10, 2026 11:16am

coderabbitai bot (Contributor) commented Mar 10, 2026

Warning

Rate limit exceeded

@gkorland has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 40 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5f647b00-2313-4ba6-86b3-a844792f0eb8

📥 Commits

Reviewing files that changed from the base of the PR and between 590fe45 and ce27741.

⛔ Files ignored due to path filters (1)
  • app/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • app/package.json
📝 Walkthrough

Added a top-level overrides section to app/package.json that pins prismjs to ^1.30.0 for dependency resolution. No other package metadata, scripts, or functional code were changed.

Changes

Cohort / File(s) and Summary:
  • Package Configuration (app/package.json): Inserted a top-level overrides object with "prismjs": "^1.30.0" to enforce dependency resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I hopped into package land tonight,
Pinned prismjs snug and tight,
Versions tidy, conflicts light,
Syntax gleams in morning's light,
Hooray — the build feels just right! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: fixing a prismjs DOM Clobbering vulnerability by pinning it to version ^1.30.0 via npm overrides.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses Dependabot alert #45 by ensuring the frontend no longer installs the vulnerable transitive prismjs@1.27.0 (previously nested under refractor via react-syntax-highlighter), and instead resolves prismjs to 1.30.0.

Changes:

  • Added an npm overrides rule in app/package.json to force prismjs to ^1.30.0.
  • Updated app/package-lock.json to remove the nested refractor/node_modules/prismjs@1.27.0 entry and resolve node_modules/prismjs to 1.30.0.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File / Description:
  • app/package.json: Adds overrides to force a non-vulnerable prismjs version across the dependency tree.
  • app/package-lock.json: Removes the nested vulnerable prismjs@1.27.0 and confirms prismjs@1.30.0 is the installed version.

Files not reviewed (1):
  • app/package-lock.json: Language not supported
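
The PR description and Copilot's review above both describe the fix the same way: an npm override forces a single prismjs resolution, so the nested refractor/node_modules/prismjs@1.27.0 entry disappears from the lockfile. The script below is an added example, not code from this PR or from the project, that checks exactly that property. It takes the override's lower bound from package.json, scans every install path ending in node_modules/prismjs in a lockfile v2/v3 "packages" map, and reports any copy whose version is below that bound. The package.json and the two lockfile excerpts are constructed samples (a "before" with the nested copy and an "after" without it); the function names and the simplified x.y.z[-pre] version comparison are this example's own, not npm's semver implementation.

```javascript
// Added example (not part of the PR): does an npm "overrides" entry really
// leave no vulnerable copy of a package anywhere in the lockfile?
// Assumes lockfile v2/v3 layout ("packages" keyed by install path) and the
// plain x.y.z or x.y.z-pre version strings these packages use.

// Constructed package.json carrying the override described in the PR.
const packageJson = {
  name: 'app',
  dependencies: { 'react-syntax-highlighter': '^15.0.0' },
  overrides: { prismjs: '^1.30.0' },
};

// Constructed lockfile excerpts. "before": hoisted 1.30.0 plus a nested
// 1.27.0 under refractor. "after": only the single hoisted copy remains.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/prismjs': { version: '1.30.0' },
    'node_modules/refractor': { version: '3.6.0' },
    'node_modules/refractor/node_modules/prismjs': { version: '1.27.0' },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/prismjs': { version: '1.30.0' },
    'node_modules/refractor': { version: '3.6.0' },
  },
};

// Parse "1.30.0" or "1.30.0-beta.1" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its release; prerelease
// tags are compared as plain strings, which is enough for this check.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Every install path that resolves to `name` (hoisted or nested), with its
// version. Entries without a version (workspace links) are skipped.
function findInstalledCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => (p === suffix || p.endsWith(`/${suffix}`)) && typeof meta.version === 'string')
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies below `minFixed`. The override only helped if this list is empty.
function findVulnerableCopies(lock, name, minFixed) {
  return findInstalledCopies(lock, name)
    .filter(c => compareVersions(c.version, minFixed) < 0);
}

// Lower bound of a caret/tilde/>= range such as "^1.30.0".
function minFromOverride(pkg, name) {
  const range = (pkg.overrides || {})[name];
  if (!range) throw new Error(`no override for ${name}`);
  return range.replace(/^[\^~>=\s]+/, '');
}

const MIN_PRISMJS = minFromOverride(packageJson, 'prismjs'); // "1.30.0"

// Run as a script: report both constructed lockfiles.
for (const [label, lock] of [['before', lockBefore], ['after', lockAfter]]) {
  const bad = findVulnerableCopies(lock, 'prismjs', MIN_PRISMJS);
  console.log(bad.length === 0
    ? `${label}: OK, no prismjs copy below ${MIN_PRISMJS}`
    : `${label}: VULNERABLE ${bad.map(c => `${c.path}@${c.version}`).join(', ')}`);
}
```

To run this against a real tree, pass the parsed contents of app/package.json and app/package-lock.json to `findVulnerableCopies` in place of the constructed objects. Checking the lockfile rather than only `npm audit` matters because an override that fails to apply (for example when a nested dependency declares a range the override cannot satisfy) can leave the nested copy in place while the hoisted copy looks clean.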

gkorland force-pushed the fix/dependabot-security-alerts branch from 2c0fe2c to 590fe45 on March 21, 2026 10:48

gkorland (Contributor, Author) commented:

@CodeRabbit review

coderabbitai bot (Contributor) commented Mar 21, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Add npm override in app/package.json to force prismjs ^1.30.0,
resolving the vulnerable 1.27.0 version nested under refractor 3.x
(transitive dep of react-syntax-highlighter).

Note: The remaining Dependabot alerts (pypdf #47-60, requests #46)
cannot be fixed here — they are pinned by upstream dependencies
(graphrag-sdk pins pypdf<6.0.0, multilspy pins requests==2.32.3).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
gkorland force-pushed the fix/dependabot-security-alerts branch from 590fe45 to ce27741 on March 22, 2026 16:10

gkorland (Contributor, Author) commented:

Agent Review Summary

Review Comments

No actionable review comments found — both Copilot PR reviewer and CodeRabbit reported no issues.

Rebase

Branch was 11 commits behind staging. Successfully rebased and force-pushed (--force-with-lease).

Tests

No new tests needed — this change only adds an npm overrides entry to pin prismjs ^1.30.0, removing the vulnerable transitive 1.27.0. Existing Playwright E2E tests cover frontend functionality.

CI Status

All checks passing ✅

  • Build: ✅
  • Docker build: ✅
  • CodeQL (4 analyses): ✅
  • Playwright Tests (2 shards): ✅
  • CodeRabbit: ✅

gkorland merged commit 37aea10 into staging on Mar 22, 2026; 12 checks passed.
gkorland deleted the fix/dependabot-security-alerts branch on March 22, 2026 16:23.