Skip to content

[Snyk] Security upgrade prosemirror-dev-tools from 3.1.0 to 4.3.0#978

Closed
posit-snyk-bot wants to merge 1 commit into
mainfrom
snyk-fix-57796e0083af2cdae9917b6433e3d308
Closed

[Snyk] Security upgrade prosemirror-dev-tools from 3.1.0 to 4.3.0#978
posit-snyk-bot wants to merge 1 commit into
mainfrom
snyk-fix-57796e0083af2cdae9917b6433e3d308

Conversation

@posit-snyk-bot

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • packages/editor/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Prototype Pollution
SNYK-JS-JSONDIFFPATCH-16322990
  200  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

@posit-snyk-bot

posit-snyk-bot commented May 15, 2026

Copy link
Copy Markdown
Contributor Author

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@juliasilge juliasilge closed this Jul 17, 2026
@juliasilge juliasilge reopened this Jul 17, 2026
@juliasilge

Copy link
Copy Markdown
Collaborator

I'm going to close this one without merging it.

This PR bumps prosemirror-dev-tools 3.1.0 to 4.3.0 to pull in a patched jsondiffpatch (the actual advisory, SNYK-JS-JSONDIFFPATCH-16322990, is in jsondiffpatch, reached transitively via editor -> prosemirror-dev-tools@3.1.0 -> jsondiffpatch@^0.4.1). The fix only lands in jsondiffpatch 0.7.2+, which has no counterpart in the 0.4.x line, so this genuinely requires the prosemirror-dev-tools v3 to v4 major bump. Snyk itself flagged this as a breaking change and could not update yarn.lock.

I'm advocating for us to decline this one for now because the real-world exploitability is very low:

  • prosemirror-dev-tools is a developer debugging panel, only invoked through Editor.enableDevTools() behind the "Enable Dev Tools" command (Ctrl+Alt+P). It is not part of any normal editing workflow.
  • When it does run, it diffs the editor's own ProseMirror state, which is trusted local data, not attacker-controlled input, so the prototype-pollution path is not reachable from untrusted content.

The dependency does ship in the extension bundle (the visual editor depends on packages/editor), so this could trigger customer security scans. If that becomes an issue and we want to fully clear it later, the options are a proper prosemirror-dev-tools v4 bump (with @types and lockfile work), or making applyDevTools a dynamic import / gating the command out of the shipped build so the dependency drops out of the bundle entirely.

Let me know if you disagree, @cscheid.

@juliasilge juliasilge closed this Jul 17, 2026
@cscheid

cscheid commented Jul 17, 2026

Copy link
Copy Markdown
Member

I like and agree with your call.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants