Skip to content

[Snyk] Security upgrade js-beautify from 1.15.4 to 2.0.3#2301

Merged
iobuhov merged 3 commits into
mainfrom
snyk-fix-34ac0efc38c844cc0708e9f52328b24e
Jul 9, 2026
Merged

[Snyk] Security upgrade js-beautify from 1.15.4 to 2.0.3#2301
iobuhov merged 3 commits into
mainfrom
snyk-fix-34ac0efc38c844cc0708e9f52328b24e

Conversation

@iobuhov

@iobuhov iobuhov commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR fixes a security vulnerability in the Rich Text widget by updating the js-beautify dependency.

Security Issue

  • CVE: CVE-2026-13149
  • Package: js-beautify
  • Fix: Updated from 1.15.4 to 2.0.3

Changes

  • Updated js-beautify dependency in rich-text-web package
  • Added changelog entry referencing CVE-2026-13149

Test Plan

  • Existing unit and E2E tests pass
  • Widget functionality remains unchanged

🤖 Generated with Claude Code

@iobuhov

iobuhov commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator Author

Merge Risk: High

This major version upgrade introduces significant environmental requirements that are likely to be breaking.

Breaking Changes:

  • Node.js Requirement: The minimum required version of Node.js has been raised to v22.x. This is a substantial jump from the v14 requirement in the 1.14.x series and will likely require a major environment upgrade.
  • Python Support: Support for Python 2 has been completely removed.

Recommendation:
Given the jump to a very recent version of Node.js, proceed with caution. Verify that your development and production environments meet the new Node.js v22 requirement before upgrading. If you are using the Python package, ensure you are on Python 3.

Source: GitHub CHANGELOG

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@iobuhov iobuhov requested a review from a team as a code owner July 2, 2026 13:48
rahmanunver
rahmanunver previously approved these changes Jul 2, 2026
@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

snyk-bot and others added 3 commits July 9, 2026 11:13
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…date

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@iobuhov iobuhov force-pushed the snyk-fix-34ac0efc38c844cc0708e9f52328b24e branch from a1944fb to de6eff3 Compare July 9, 2026 09:14
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

AI Code Review

🔶 Changes requested — one or more medium-severity items must be addressed


What was reviewed

File Change
packages/pluggableWidgets/rich-text-web/package.json js-beautify bumped from ^1.15.4 to ^2.0.3
packages/pluggableWidgets/rich-text-web/CHANGELOG.md ### Security entry added under [Unreleased]
pnpm-lock.yaml Transitive dependency updates from the major bump

Skipped (out of scope): dist/, pnpm-lock.yaml (except noting the transitive changes)


Findings

🔶 Medium — @types/js-beautify version mismatch after major bump

File: packages/pluggableWidgets/rich-text-web/package.json line 77
Problem: @types/js-beautify is pinned to ^1.14.3 but the runtime package is now 2.0.3. This is a major version bump; the type definitions for v1 may not accurately reflect the v2 API. Specifically, beautify.HTMLBeautifyOptions is referenced at src/components/ModalDialog/ViewCodeDialog.tsx:17 — if the type signature changed between v1 and v2, TypeScript will silently use the wrong types. This could cause runtime errors that aren't caught at build time.
Fix:

// package.json devDependencies
- "@types/js-beautify": "^1.14.3",
+ "@types/js-beautify": "^2.0.0",

Check if @types/js-beautify@2.x exists on npm first. If it does not, confirm the API shape in the v2 source and update the usage in ViewCodeDialog.tsx accordingly.


🔶 Medium — Major version bump has undocumented breaking changes; no functional test evidence provided

File: packages/pluggableWidgets/rich-text-web/package.json line 54
Problem: The upgrade from js-beautify@1.x to 2.x is a major version change. The existing PR description says "Existing unit and E2E tests pass" but no CI checks output is visible in this review context. Additionally, a reviewer comment (from the Snyk bot) specifically calls out that nopt, abbrev, commander, editorconfig, glob, and @one-ini/wasm are all being bumped to major versions with significantly raised Node.js requirements (Node ≥22 in some cases). The monorepo's minimum Node requirement and CI environment should be verified to meet these requirements before merging.
Fix: Confirm the following before merging:

  1. All CI checks (unit + E2E) are green for the rich-text-web package.
  2. The monorepo's Node version constraint (check root package.json engines field or CI runner configuration) is ≥22, or verify these transitive deps aren't affecting the Node.js minimum at runtime.
  3. Run a manual smoke test of the View Source / Code dialog in the Rich Text editor (the only code path using js-beautify) since that is the only consumer.

Positives

  • The changelog entry correctly uses the ### Security category under [Unreleased] per Keep a Changelog conventions — exactly the right format for a CVE fix.
  • The PR is tightly scoped: only the affected package and its lockfile are changed, with no unrelated modifications.
  • The CVE ID is included in the CHANGELOG entry, giving users clear traceability from the release notes to the vulnerability report.

@iobuhov iobuhov merged commit a817854 into main Jul 9, 2026
13 of 14 checks passed
@iobuhov iobuhov deleted the snyk-fix-34ac0efc38c844cc0708e9f52328b24e branch July 9, 2026 09:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants