From 7c79602c7721c3ec2af9203ce718989bf15f163e Mon Sep 17 00:00:00 2001 From: guptas6est Date: Thu, 12 Mar 2026 11:04:26 +0000 Subject: [PATCH] fix(web): upgrade lodash to 4.17.23 and dompurify to 3.3.2 to fix CVE-2026-0540 and CVE-2025-13465 (#13488) ### What problem does this PR solve? This PR fixes two security vulnerabilities in web dependencies identified by Trivy: 1. CVE-2025-13465 (lodash): Prototype pollution vulnerability in _.unset and _.omit functions 2. CVE-2026-0540 (dompurify): Cross-site scripting (XSS) vulnerability **Changes:** - Upgraded lodash from 4.17.21 to 4.17.23 - Upgraded dompurify from 3.3.1 to 3.3.2 - Added npm override to force monaco-editor's transitive dependency on dompurify to use 3.3.2 (monaco-editor still depends on vulnerable 3.2.7) Both upgrades are backward-compatible patch versions. Build verified successfully with no breaking changes. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) --- web/package-lock.json | 35 ++++++++++++++--------------------- web/package.json | 9 ++++++--- 2 files changed, 20 insertions(+), 24 deletions(-) diff --git a/web/package-lock.json b/web/package-lock.json index 4e6406fd01..811fd580c5 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -60,7 +60,7 @@ "clsx": "^2.1.1", "cmdk": "^1.0.4", "dayjs": "^1.11.10", - "dompurify": "^3.1.6", + "dompurify": "^3.3.2", "embla-carousel-react": "^8.6.0", "eventsource-parser": "^1.1.2", "human-id": "^4.1.1", @@ -72,7 +72,7 @@ "jsencrypt": "^3.3.2", "jsoneditor": "^10.4.2", "lexical": "^0.23.1", - "lodash": "^4.17.21", + "lodash": "^4.17.23", "lucide-react": "^0.546.0", "mammoth": "^1.7.2", "next-themes": "^0.4.6", 
@@ -12829,10 +12829,13 @@ "license": "MIT" }, "node_modules/dompurify": { - "version": "3.3.1", - "resolved": "https://registry.npmmirror.com/dompurify/-/dompurify-3.3.1.tgz", - "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==", + "version": "3.3.2", + "resolved": "https://registry.npmmirror.com/dompurify/-/dompurify-3.3.2.tgz", + "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==", "license": "(MPL-2.0 OR Apache-2.0)", + "engines": { + "node": ">=20" + }, "optionalDependencies": { "@types/trusted-types": "^2.0.7" } @@ -18509,15 +18512,15 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmmirror.com/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "version": "4.17.23", + "resolved": "https://registry.npmmirror.com/lodash/-/lodash-4.17.23.tgz", + "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", "license": "MIT" }, "node_modules/lodash-es": { - "version": "4.17.22", - "resolved": "https://registry.npmmirror.com/lodash-es/-/lodash-es-4.17.22.tgz", - "integrity": "sha512-XEawp1t0gxSi9x01glktRZ5HDy0HXqrM0x5pXQM98EaI0NxO6jVM7omDOxsuEo5UIASAnm2bRp1Jt/e0a2XU8Q==", + "version": "4.17.23", + "resolved": "https://registry.npmmirror.com/lodash-es/-/lodash-es-4.17.23.tgz", + "integrity": "sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==", "license": "MIT" }, "node_modules/lodash.debounce": { 
@@ -20122,16 +20125,6 @@ "marked": "14.0.0" } }, - "node_modules/monaco-editor/node_modules/dompurify": { - "version": "3.2.7", - "resolved": "https://registry.npmmirror.com/dompurify/-/dompurify-3.2.7.tgz", - "integrity": "sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==", - "license": "(MPL-2.0 OR Apache-2.0)", - "peer": true, - "optionalDependencies": { - "@types/trusted-types": "^2.0.7" - } - }, "node_modules/mri": { "version": "1.2.0", "resolved": "https://registry.npmmirror.com/mri/-/mri-1.2.0.tgz", diff --git a/web/package.json b/web/package.json index 40c30f134c..439097982b 100644 --- a/web/package.json +++ b/web/package.json @@ -20,7 +20,10 @@ ] }, "overrides": { - "@radix-ui/react-dismissable-layer": "1.1.4" + "@radix-ui/react-dismissable-layer": "1.1.4", + "monaco-editor": { + "dompurify": "3.3.2" + } }, "dependencies": { "@ant-design/icons": "^5.2.6", @@ -76,7 +79,7 @@ "clsx": "^2.1.1", "cmdk": "^1.0.4", "dayjs": "^1.11.10", - "dompurify": "^3.1.6", + "dompurify": "^3.3.2", "embla-carousel-react": "^8.6.0", "eventsource-parser": "^1.1.2", "human-id": "^4.1.1", @@ -88,7 +91,7 @@ "jsencrypt": "^3.3.2", "jsoneditor": "^10.4.2", "lexical": "^0.23.1", - "lodash": "^4.17.21", + "lodash": "^4.17.23", "lucide-react": "^0.546.0", "mammoth": "^1.7.2", "next-themes": "^0.4.6",
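Review bot: The new `monaco-editor` override pins `"dompurify": "3.3.2"` exactly, while the direct dependency in the same file is bumped to `"dompurify": "^3.3.2"`, so the next dompurify patch release will move the top-level copy but leave monaco-editor's resolution frozen on 3.3.2 until the override is edited by hand — the same kind of drift this PR is fixing. npm overrides can reference the root dependency's range instead, `"monaco-editor": { "dompurify": "$dompurify" }`, which keeps both resolutions in lockstep; confirm the npm version the project uses honors `$name` references inside a nested override before switching. The dompurify lockfile hunk also shows that 3.3.2 now declares `"engines": { "node": ">=20" }`, so the CI/build Node version should be checked against that, since an `engines` mismatch is only a warning under default npm settings and would not have failed the verified build.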