security: upgrade frontend dependencies and migrate markdown to marked#7720
wtfiwtz wants to merge 2 commits into
Upgrade security-critical frontend dependencies and replace the deprecated markdown package with marked for better security and maintenance.

Core dependency upgrades:
- axios: 0.27.2/0.28.0 → 1.16.0 (critical security fixes)
- dompurify: ^2.x → ^3.4.0 (XSS protection updates)
- lodash: ^4.17.x → ^4.18.0
- markdown removed; replaced with marked: ^4.3.0
- elliptic removed (no longer needed)

Build tool updates:
- webpack-manifest-plugin: ^6.0.1 → ^5.0.1 (CommonJS compat fix)
- babel-plugin-istanbul: ^6 → ^8.0.0
- Remove babel-plugin-transform-builtin-extend
- @babel/preset-env: ^7.29.0 → ^7.29.5
- Add core-js: ^2.6.12
- webpack-dev-server: ^5.2.3 → ^5.2.4
- Remove unused request-cookies

Transitive vulnerability fixes via pnpm.overrides:
- minimatch, picomatch, micromatch, cookie, tough-cookie
- lodash.template: 4.18.1 (CVE-2026-4800 fix)
- qs, cross-spawn, braces, tar, tar-fs, serialize-javascript
- nth-check, webpack, js-yaml, tmp, bn.js, ip-address
- path-to-regexp@0.1.12 → 0.1.13
- postcss, autoprefixer, fast-uri
- @cypress/request override for request package

Code changes:
- Migrate markdown.toHTML() → marked.parse() in TextboxDialog.jsx
- Migrate markdown.toHTML() → marked.parse() in TextboxWidget.jsx
- viz-lib: split build:babel into build:babel and build:babel:with-types
- Remove @types/dompurify (no longer needed for dompurify v3)

Co-authored-by: Cursor <cursoragent@cursor.com>
DOMPurify 3.x sanitize() infers TrustedHTML | string, which breaks tsc --emitDeclarationOnly unless the default export is annotated.

Co-authored-by: Cursor <cursoragent@cursor.com>
@eradman @arikfr @yoshiokatsuneo @zachliu ready for review
2 issues found across 12 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="client/cypress/cypress.js">
<violation number="1" location="client/cypress/cypress.js:55">
P2: CSRF token is captured once before the loop and never refreshed from updated cookie jar</violation>
</file>
<file name="viz-lib/package.json">
<violation number="1" location="viz-lib/package.json:12">
P1: `build:babel` no longer generates type declarations, silently breaking root `package.json` callers that rely on the old contract (e.g., `build:viz` and `postinstall` scripts).</violation>
</file>
  "build:babel:base": "babel src --out-dir lib --source-maps --ignore 'src/**/*.test.js' --copy-files --no-copy-ignored --extensions .ts,.tsx,.js,.jsx",
- "build:babel": "pnpm run type-gen && pnpm run build:babel:base",
+ "build:babel:with-types": "pnpm run type-gen && pnpm run build:babel:base",
+ "build:babel": "pnpm run build:babel:base",
P1: build:babel no longer generates type declarations, silently breaking root package.json callers that rely on the old contract (e.g., build:viz and postinstall scripts).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At viz-lib/package.json, line 12:
<comment>`build:babel` no longer generates type declarations, silently breaking root `package.json` callers that rely on the old contract (e.g., `build:viz` and `postinstall` scripts).</comment>
<file context>
@@ -8,9 +8,10 @@
"build:babel:base": "babel src --out-dir lib --source-maps --ignore 'src/**/*.test.js' --copy-files --no-copy-ignored --extensions .ts,.tsx,.js,.jsx",
- "build:babel": "pnpm run type-gen && pnpm run build:babel:base",
+ "build:babel:with-types": "pnpm run type-gen && pnpm run build:babel:base",
+ "build:babel": "pnpm run build:babel:base",
"build:webpack": "webpack",
- "build": " NODE_ENV=production npm-run-all clean build:babel build:webpack",
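Review bot: the rewritten `build:babel` (the second `+` line of this hunk) drops `pnpm run type-gen`, so any caller that still invokes `build:babel` and expects `.d.ts` output, such as the root `build:viz` and `postinstall` scripts named in the P1 finding, will now get a viz-lib build with no type declarations and nothing will fail loudly. Either keep `build:babel` as `pnpm run type-gen && pnpm run build:babel:base` and give the no-types variant the new name, or update every root caller to `build:babel:with-types` in the same PR. The removed `build` line at the end of this hunk chains `build:babel` as well, and its replacement is not visible here, so please confirm that one too. A sentence in the PR description explaining that the split exists because DOMPurify 3 changed the `sanitize()` return type and broke `tsc --emitDeclarationOnly` until the default export was annotated (per the second commit message) would save the next reader the archaeology.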
</file context>
+ console.log(`GET /login failed: ${err.message}`);
+ }
+
+ const csrfToken = cookieJar.csrf_token;
P2: CSRF token is captured once before the loop and never refreshed from updated cookie jar
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At client/cypress/cypress.js, line 55:
<comment>CSRF token is captured once before the loop and never refreshed from updated cookie jar</comment>
<file context>
@@ -14,31 +12,76 @@ try {
+ console.log(`GET /login failed: ${err.message}`);
+ }
+
+ const csrfToken = cookieJar.csrf_token;
+
+ for (const request of seedValues) {
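Review bot: `const csrfToken = cookieJar.csrf_token;` is read once, before `for (const request of seedValues)`, so every iteration reuses the token captured after the initial `GET /login`. If any seeding request causes the server to rotate the `csrf_token` cookie and `cookieJar` is refreshed from the response (which its name suggests), later iterations will send a stale token and fail CSRF validation, possibly only after the first few requests succeed, which makes for a confusing intermittent seed failure. Reading `cookieJar.csrf_token` inside the loop, immediately before each request is built, keeps the token in step with the jar. Consider also failing fast here when `csrfToken` is undefined: the preceding block only logs `GET /login failed`, so the loop would otherwise run with no token at all and every request would be rejected.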
</file context>
CVE / advisory coverage for PR #7720
| Package / change | CVE / GHSA |
|---|---|
| lodash.template override → 4.18.1 | CVE-2026-4800 |
| @babel/plugin-transform-modules-systemjs ^7.29.4 | CVE-2026-44728 |
| fast-uri ^3.1.2 | CVE-2026-6321, CVE-2026-6322 |
| postcss ^8.5.10 | CVE-2026-41305, CVE-2023-44270 |
| webpack-dev-server ^5.2.4 | CVE-2025-30359, CVE-2026-6402 |
| Remove babel-plugin-transform-builtin-extend | CVE-2023-45133 (Babel 6 / babel-traverse chain) |
| Remove elliptic (unused direct dep) | CVE-2025-14505 (mitigation — no patched elliptic release) |
| markdown → marked ^4.3.0 | GHSA-wx77-rp39-c6vg (ReDoS; no fix available for markdown) |
| request → @cypress/request alias | GHSA-p8p7-x288-28g6 (SSRF in legacy request) |
Direct dependency upgrades (security-relevant)
| Package | Change | Typical advisory coverage |
|---|---|---|
| axios | 0.27/0.28 → 1.16.0 | Multiple critical axios 0.x GHSAs (SSRF, CSRF, DoS) |
| dompurify | ^2 → ^3.4.0 | XSS bypass fixes in DOMPurify 3.x |
| lodash | ^4.17 → ^4.18.0 | Prototype pollution / ReDoS fixes |
| @babel/preset-env | ^7.29.0 → ^7.29.5 | Bundled with Babel override pins above |
| babel-plugin-istanbul | ^6 → ^8.0.0 | Tooling compatibility (Jest + minimatch override) |
| core-js ^2.6.12 | Added explicit devDependency | Build fix after removing babel-plugin-transform-builtin-extend (not a CVE fix itself) |
Transitive fixes via pnpm.overrides
These address ECR/npm-audit findings; specific CVE IDs vary by nested package:
minimatch, picomatch, micromatch, cookie, tough-cookie, qs, cross-spawn, braces, tar, tar-fs, serialize-javascript, nth-check, webpack, js-yaml, tmp, bn.js, ip-address, path-to-regexp@0.1.12 → 0.1.13, form-data, follow-redirects, basic-ftp, flatted, autoprefixer, and related pins.
Known remaining frontend issues (not in scope for this PR)
| Package | CVEs | Notes |
|---|---|---|
| bootstrap@3.4.1 | CVE-2019-8331, CVE-2025-1647 | Bootstrap 3 is EOL; Redash uses Bootstrap for Less/CSS only (tooltips/popovers use Ant Design). Markdown widget output is sanitized via DOMPurify. |
Out of scope for this PR (other split PRs)
- Python / Werkzeug / authlib CVEs → PR security: upgrade Python dependencies to Flask 2.3.3 and Werkzeug 3.1.6 #7719 / feat: upgrade to Flask 3.1.3 and SQLAlchemy 1.4.53 #7722
- urllib3 2.x + champion SSRF → PR feat: replace advocate with champion and upgrade urllib3 to 2.x #7721
- Debian OS / Docker build-time CVEs → PR build: upgrade base images to Debian trixie and Poetry 2.4.1 #7718
- jwcrypto 1.5.6 → 1.5.7 (CVE-2026-39373) — not included in any split branch yet
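For readers unfamiliar with how the transitive pins above are expressed, here is an added illustration (not the PR's own package.json) of a `pnpm.overrides` block using the values this page states, including the version-scoped key that rewrites only `path-to-regexp@0.1.12` and the `npm:` alias that redirects the legacy `request` package to `@cypress/request`. The `@cypress/request` range is an assumption; the page does not give one.

```json
{
  "pnpm": {
    "overrides": {
      "lodash.template": "4.18.1",
      "path-to-regexp@0.1.12": "0.1.13",
      "postcss": "^8.5.10",
      "fast-uri": "^3.1.2",
      "@babel/plugin-transform-modules-systemjs": "^7.29.4",
      "request": "npm:@cypress/request@^3.0.0"
    }
  }
}
```

After `pnpm install`, `pnpm why lodash.template` (or any other overridden name) lists the dependency paths that now resolve to the pinned version, which is the quickest way to confirm an override actually took effect rather than being shadowed by a nested lockfile entry.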