[Snyk] Security upgrade js-beautify from 1.15.4 to 2.0.3 #2301

Open

iobuhov wants to merge 3 commits into main from snyk-fix-34ac0efc38c844cc0708e9f52328b24e
Conversation

iobuhov (Collaborator) commented Jul 2, 2026

Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • packages/pluggableWidgets/rich-text-web/package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue: Inefficient Algorithmic Complexity (high severity), SNYK-JS-BRACEEXPANSION-17706650
Score: 721

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

iobuhov (Collaborator, Author) commented Jul 2, 2026

Merge Risk: High

This major version upgrade introduces significant environmental requirements that are likely to be breaking.

Breaking Changes:

  • Node.js Requirement: The minimum required version of Node.js has been raised to v22.x. This is a substantial jump from the v14 requirement in the 1.14.x series and will likely require a major environment upgrade.
  • Python Support: Support for Python 2 has been completely removed.

Recommendation:
Given the jump to a very recent version of Node.js, proceed with caution. Verify that your development and production environments meet the new Node.js v22 requirement before upgrading. If you are using the Python package, ensure you are on Python 3.

Source: GitHub CHANGELOG

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@iobuhov iobuhov requested a review from a team as a code owner July 2, 2026 13:48
rahmanunver previously approved these changes Jul 2, 2026
…date

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
github-actions Bot (Contributor) commented Jul 2, 2026

AI Code Review

🔶 Changes requested — one or more medium-severity items must be addressed


What was reviewed

  • packages/pluggableWidgets/rich-text-web/package.json: Bumps js-beautify from ^1.15.4 to ^2.0.3 to fix SNYK-JS-BRACEEXPANSION-17706650
  • packages/pluggableWidgets/rich-text-web/CHANGELOG.md: Adds ### Security entry under [Unreleased]
  • pnpm-lock.yaml: Reviewed for transitive dependency context only

Skipped (out of scope): pnpm-lock.yaml lockfile detail


Findings

🔶 Medium — @types/js-beautify still pinned to v1 types while runtime is v2

File: packages/pluggableWidgets/rich-text-web/package.json line 77
Problem: @types/js-beautify is ^1.14.3 but the runtime dependency is now ^2.0.3. ViewCodeDialog.tsx uses beautify.HTMLBeautifyOptions as a type and calls beautify.html(...). If v2 renames or removes any option keys (e.g. indent_scripts, indent_inner_html) the TypeScript compiler will silently continue to validate against the v1 type definitions, masking incompatibilities that only surface at runtime.
Fix: Update the type package to match v2, or confirm that js-beautify v2 ships its own type declarations (making the separate @types package unnecessary). Then re-run pnpm --filter @mendix/rich-text-web build and fix any TypeScript errors.


🔶 Medium — Lockfile contains unexpected transitive upgrades; may not be a clean pnpm install output

File: pnpm-lock.yaml
Problem: The Snyk PR description warns "Failed to update the pnpm-lock.yaml, please update manually before merging." The committed lockfile diff includes packages that are not direct dependencies of the js-beautify upgrade path alone: abbrev (2.0.0 → 5.0.0), commander (10.0.1 → 14.0.3), nopt (7.2.1 → 10.0.1), editorconfig (1.0.7 → 3.0.2), @one-ini/wasm (0.1.1 → 0.2.1), and a new glob@13.0.6 entry. A manually patched lockfile can hide duplicate installs, stale peer resolutions, or mismatched version trees.
Fix: Regenerate the lockfile with a clean install and confirm a single resolved version:

pnpm install
pnpm why js-beautify   # should show only 2.0.3
git diff pnpm-lock.yaml  # verify only js-beautify and its direct transitive deps changed

⚠️ Low — Breaking change risk from major version bump not validated against current BEAUTIFY_OPTIONS

File: packages/pluggableWidgets/rich-text-web/src/components/ModalDialog/ViewCodeDialog.tsx line 17
Note: js-beautify@2.x is a major version bump. The options object { indent_scripts: "normal", indent_inner_html: false, ... } should be verified against the v2 changelog and options reference. Run pnpm --filter @mendix/rich-text-web test and manually exercise the View/Edit Code dialog to confirm beautify.html still formats correctly with these options before merging.


Positives

  • CHANGELOG entry is present, correctly placed under [Unreleased] ### Security, and directly references the CVE identifier — exactly the right format.
  • Usage of js-beautify is isolated to a single file (ViewCodeDialog.tsx), keeping the blast radius of any API incompatibility small and easy to test.
  • The lockfile does resolve js-beautify to 2.0.3 and updates all of its direct transitive dependencies (editorconfig, glob, nopt).
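The "confirm a single resolved version" check the review above asks for, as an added shell example that is not part of this PR or the project's code. The pnpm-lock.yaml excerpt is constructed to show the case a hand-patched lockfile can produce (js-beautify present at both 1.15.4 and 2.0.3); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): count the distinct versions a
# package resolves to in a pnpm-lock.yaml, over a constructed lockfile excerpt.

LOCK="$(mktemp)"
trap 'rm -f "$LOCK"' EXIT
cat > "$LOCK" <<'EOF'
lockfileVersion: '9.0'
packages:
  '@one-ini/wasm@0.2.1':
    resolution: {integrity: sha512-CONSTRUCTED}
  editorconfig@3.0.2:
    resolution: {integrity: sha512-CONSTRUCTED}
  js-beautify@1.15.4:
    resolution: {integrity: sha512-CONSTRUCTED}
  js-beautify@2.0.3:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  js-beautify@2.0.3:
    dependencies:
      editorconfig: 3.0.2
EOF

# resolved_versions LOCKFILE PACKAGE: print each distinct version PACKAGE resolves to.
# Only the "packages:" section is scanned ("snapshots:" repeats the same keys and
# would double-count); a peer suffix such as "(foo@1.0.0)" is dropped from the version.
resolved_versions() {
    awk -v pkg="$2" -v sq="'" '
        /^[A-Za-z]/ { section = $1 }            # top-level key, e.g. "packages:"
        section == "packages:" && /^  [^ ]/ {   # two-space-indented package key
            key = $1
            sub(/:$/, "", key); gsub(/"/, "", key); gsub(sq, "", key)
            n = length(pkg)
            if (substr(key, 1, n + 1) == pkg "@") {
                ver = substr(key, n + 2)
                sub(/\(.*/, "", ver)
                print ver
            }
        }' "$1" | sort -u
}

# single_version LOCKFILE PACKAGE: succeed only when exactly one version is resolved.
single_version() {
    [ "$(resolved_versions "$1" "$2" | awk 'END { print NR }')" -eq 1 ]
}

for p in js-beautify editorconfig; do
    single_version "$LOCK" "$p" && echo "$p: ok" || echo "$p: DUPLICATE: $(resolved_versions "$LOCK" "$p" | tr '\n' ' ')"
done
```

Run it against the real lockfile by pointing resolved_versions at pnpm-lock.yaml instead of the constructed excerpt; a package listed more than once is the duplicate-install case the review warns about.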
