
Fix 5 open Dependabot npm alerts (dompurify, uuid) #1733

Merged
badrishc merged 1 commit into main from fix/dependabot-npm-alerts on Apr 24, 2026

Conversation

@badrishc

Collaborator

Summary

Fixes all 5 open Dependabot security alerts in the website npm dependencies.

  • dompurify 3.3.3 → 3.4.0 (fixes 4 alerts)
  • uuid 8.3.2/11.1.0 → 14.0.0 (fixes 1 alert)

Validation

  • yarn install succeeds
  • yarn build succeeds — website builds cleanly

Note on uuid 14.0.0

uuid 14 is ESM-only. The two consumers in the dependency tree are:

  • mermaid (previously uuid ^11.1.0) — ESM, compatible
  • sockjs (previously uuid ^8.3.2) — CJS, used only by webpack-dev-server during docusaurus start (dev mode). The sockjs code path only calls uuid.v4() which is unaffected by the vulnerability (v3/v5/v6 buffer bounds). If dev-server issues arise, the resolution can be scoped to mermaid/uuid only.

Copilot AI review requested due to automatic review settings April 24, 2026 16:01

Copilot AI left a comment

Contributor


Pull request overview

Updates the website’s Yarn-managed npm dependency graph to remediate Dependabot security alerts by pinning patched versions of vulnerable transitive packages.

Changes:

  • Bump dompurify to 3.4.0 via Yarn resolutions and lockfile update.
  • Force uuid to 14.0.0 via Yarn resolutions and lockfile update.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

  • website/package.json: Pins dompurify and uuid versions via Yarn resolutions to address security alerts.
  • website/yarn.lock: Updates the resolved versions/hashes for dompurify and uuid accordingly.


Comment thread website/package.json
Bump dompurify resolution 3.3.3 → 3.4.0 to fix:
  - CVE-2026-41239: SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
  - CVE-2026-41240: FORBID_TAGS bypassed by function-based ADD_TAGS
  - CVE-2026-41238: Prototype Pollution to XSS Bypass
  - GHSA: ADD_TAGS function form bypasses FORBID_TAGS

Add uuid resolution → 14.0.0 to fix:
  - GHSA: Missing buffer bounds check in v3/v5/v6 when buf is provided

uuid 14.0.0 is ESM-only but Node.js 22+ (required by engines) supports
require() of ESM modules, so CJS consumers like sockjs work correctly.
Verified: yarn build succeeds and docusaurus start launches cleanly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@badrishc badrishc force-pushed the fix/dependabot-npm-alerts branch from 66d89a6 to 8c4eecf April 24, 2026 16:11
@badrishc

Collaborator Author

Thanks for the review! I investigated the scoped mermaid/**/uuid approach, but Yarn v1 doesn't actually apply it — the lockfile still resolved uuid@^11.1.0 to 11.1.0 with the scoped override.

However, the CJS compatibility concern is not an issue here because Node.js 22+ natively supports require() of ESM-only packages (the --experimental-require-module flag was removed and became default behavior). Since engines requires node >= 22, sockjs's require('uuid').v4 works fine with uuid 14.0.0.

I verified this:

  • node -e "const uuid = require('uuid'); console.log(uuid.v4());" → works ✅
  • yarn build → succeeds ✅
  • yarn start (dev server with sockjs/webpack-dev-server) → starts cleanly ✅

Updated to use the global uuid: 14.0.0 resolution since the scoped approach doesn't work with Yarn v1 and Node.js 22+ handles the ESM/CJS interop.
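The author noticed the scoped override had not applied only by reading the lockfile. A small lockfile check that catches exactly that case, added here as an example (not code from this PR or the project): it parses yarn.lock v1 entries and reports every specifier of a watched package that still resolves below the patched version the PR names; both lockfile fragments are constructed.

```javascript
// Added example, not code from the PR: flag yarn.lock (v1) entries of a watched
// package that resolved below the patched version the PR names (fragments constructed).
const MINIMUMS = { dompurify: '3.4.0', uuid: '14.0.0' };
const LOCK_SCOPED = `# yarn lockfile v1
dompurify@^3.3.3:
  version "3.4.0"
uuid@^11.1.0:
  version "11.1.0"
uuid@^8.3.2:
  version "8.3.2"
`;
const LOCK_GLOBAL = `uuid@^11.1.0, uuid@^8.3.2:
  version "14.0.0"
`;
// Parse yarn.lock v1 into { name, specifier, version } records.
function parseYarnLock(text) {
  const entries = [];
  let keys = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {   // key line: "name@range, name@range:"
      keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = keys && /^\s+version\s+"([^"]+)"/.exec(line);
    if (!m) continue;
    for (const key of keys) {
      const at = key.lastIndexOf('@');  // lastIndexOf so "@scope/pkg@^1.0.0" splits correctly
      entries.push({ name: key.slice(0, at), specifier: key.slice(at + 1), version: m[1] });
    }
    keys = null;
  }
  return entries;
}

// Numeric dotted-version compare returning -1, 0 or 1 (lockfile release versions carry no tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Every watched specifier that still resolves below its patched minimum.
function findUnpatched(lockText, minimums = MINIMUMS) {
  return parseYarnLock(lockText)
    .filter((e) => Object.hasOwn(minimums, e.name) && compareVersions(e.version, minimums[e.name]) < 0)
    .map((e) => `${e.name}@${e.specifier} resolved to ${e.version}, need >= ${minimums[e.name]}`);
}
```

Run against the real website/yarn.lock after `yarn install`, an empty result means every specifier of dompurify and uuid picked up the patched version, which is the property Dependabot alerts are keyed on.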

@badrishc badrishc merged commit da80f23 into main Apr 24, 2026
12 checks passed
@badrishc badrishc deleted the fix/dependabot-npm-alerts branch April 24, 2026 16:53
badrishc added a commit that referenced this pull request Apr 24, 2026
badrishc added a commit that referenced this pull request Apr 24, 2026
* Bump the nuget-deps group with 14 updates (#1659)

* Bump the nuget-deps group with 14 updates

Bumps diskann-garnet from 1.0.23 to 1.0.25
Bumps Microsoft.CodeAnalysis from 5.0.0 to 5.3.0
Bumps Microsoft.Extensions.Configuration.Binder from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Configuration.Json from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging.Configuration from 10.0.3 to 10.0.5
Bumps Microsoft.Extensions.Logging.Console from 10.0.3 to 10.0.5
Bumps Microsoft.IdentityModel.Protocols.OpenIdConnect from 8.16.0 to 8.17.0
Bumps Microsoft.IdentityModel.Validators from 8.16.0 to 8.17.0
Bumps NUnit from 4.5.0 to 4.5.1
Bumps NUnit3TestAdapter from 6.1.0 to 6.2.0
Bumps StackExchange.Redis from 2.11.8 to 2.12.8
Bumps System.IdentityModel.Tokens.Jwt from 8.16.0 to 8.17.0
Bumps System.Numerics.Tensors from 10.0.3 to 10.0.5


Signed-off-by: dependabot[bot] <support@github.com>

* Update other required dependencies

Signed-off-by: Tiago Napoli <tiagonapoli@microsoft.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Tiago Napoli <tiagonapoli@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tiago Napoli <tiagonapoli@microsoft.com>

* Bump follow-redirects from 1.15.11 to 1.16.0 in /website (#1705)

Cherry-pick of dependabot security update from main.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix 5 open Dependabot npm alerts in website dependencies (#1733)


---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Tiago Napoli <tiagonapoli@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tiago Napoli <tiagonapoli@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>