
[Snyk] Fix for 3 vulnerabilities#8692

Open
rubenfiszel wants to merge 1 commit intomainfrom
snyk-fix-7cc69a12e7e0b8f8ac515305b0d3bfe5

Conversation

@rubenfiszel
Contributor

@rubenfiszel rubenfiszel commented Apr 3, 2026


Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • frontend/package.json

Vulnerabilities that will be fixed with an upgrade:

Issues:

  • medium severity Cross-site Scripting (XSS): SNYK-JS-DOMPURIFY-15810938
  • medium severity Prototype Pollution: SNYK-JS-DOMPURIFY-15874903
  • medium severity Permissive List of Allowed Inputs: SNYK-JS-DOMPURIFY-15874905

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution


Summary by cubic

Upgrade @codingame/monaco-vscode-languages-service-override to 27.0.0 in frontend/package.json to resolve three transitive DOMPurify vulnerabilities (XSS, prototype pollution, permissive allowlist). This reduces editor XSS risk and may include breaking changes from v27.

  • Dependencies

    • @codingame/monaco-vscode-languages-service-override: 25.0.0 → 27.0.0 (fixes SNYK-JS-DOMPURIFY-15810938, SNYK-JS-DOMPURIFY-15874903, SNYK-JS-DOMPURIFY-15874905)
  • Migration

    • Verify editor language features and sanitization in affected views; run build/e2e checks.
    • If issues appear with other @codingame/monaco-vscode-* packages pinned at 25.0.0, align versions to a compatible set.

Written for commit 2c06111. Summary will update on new commits.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Apr 3, 2026

Deploying windmill with Cloudflare Pages

Latest commit: 2c06111
Status: ✅  Deploy successful!
Preview URL: https://8b78f167.windmill.pages.dev
Branch Preview URL: https://snyk-fix-7cc69a12e7e0b8f8ac5.windmill.pages.dev


@claude
Contributor

claude bot commented Apr 3, 2026

Claude finished @rubenfiszel's task in 57s


Review: Snyk Security Fix PR

  • Review the diff and changed dependencies
  • Check for breaking changes and compatibility
  • Post review feedback

Summary

This PR upgrades @codingame/monaco-vscode-languages-service-override from 25.0.0 to 27.0.0 to fix 3 DOMPurify vulnerabilities (XSS, Prototype Pollution, Permissive List of Allowed Inputs).

Issues Found

Version mismatch — high risk of runtime errors

All @codingame/monaco-vscode-* packages in this project are pinned to =25.0.0 (exact version). This PR bumps only one of them (languages-service-override) to 27.0.0, creating a version mismatch:

Package and current version (as of this PR):

  • @codingame/monaco-vscode-editor-api: =25.0.0
  • @codingame/monaco-vscode-languages-service-override: 27.0.0 (changed by this PR)
  • @codingame/monaco-vscode-standalone-css-language-features: =25.0.0
  • @codingame/monaco-vscode-standalone-html-language-features: =25.0.0
  • @codingame/monaco-vscode-standalone-json-language-features: =25.0.0
  • @codingame/monaco-vscode-standalone-languages: =25.0.0
  • @codingame/monaco-vscode-standalone-typescript-language-features: =25.0.0
  • monaco-editor (alias for monaco-vscode-editor-api): =25.0.0
  • vscode (alias for monaco-vscode-extension-api): =25.0.0

These packages are part of the same monorepo and are designed to be used at the same version. Mixing 27.0.0 with 25.0.0 will very likely cause peer dependency conflicts and runtime incompatibilities in the Monaco editor integration.

Additionally, the = exact pin was removed (now 27.0.0 instead of =27.0.0), which is inconsistent with the pinning strategy used for all other @codingame packages.

Also note from the Snyk metadata: it originally intended to also upgrade @codingame/monaco-vscode-extension-api from 25.0.0 to 27.0.0, but only the languages-service-override line was actually changed — suggesting the automated fix was incomplete.

Recommendation

Do not merge as-is. Either:

  1. Upgrade all @codingame/monaco-vscode-* packages to 27.0.0 together (requires testing the Monaco editor for regressions), or
  2. Find which transitive dependency pulls in the vulnerable DOMPurify and see if it can be addressed via an overrides/resolutions entry in package.json without bumping the Monaco packages.

Testing Instructions

To verify the Monaco editor still works: open any script in the Windmill app editor (e.g., create a new Script), confirm the code editor loads correctly with syntax highlighting, autocompletion, and language features (TypeScript, Python, SQL, etc.). Also test the app builder's code editor components.


@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="frontend/package.json">

<violation number="1" location="frontend/package.json:89">
P1: This package is upgraded to 27.0.0 while all other `@codingame/monaco-vscode-*` siblings remain at `=25.0.0`. These packages come from the same monorepo and require version alignment — mixing major versions will almost certainly cause runtime errors (mismatched internal APIs/types).

Additionally, the exact-pin `=` prefix was dropped. Every other sibling uses `=X.Y.Z` for exact pinning; `27.0.0` without `=` is a semver range. If this upgrade is intended, all `@codingame/monaco-vscode-*` packages (and the `monaco-editor` alias) should be bumped to `=27.0.0` together.</violation>
</file>


Comment thread frontend/package.json
"@aws-crypto/sha256-js": "^4.0.0",
"@codingame/monaco-vscode-editor-api": "=25.0.0",
"@codingame/monaco-vscode-languages-service-override": "=25.0.0",
"@codingame/monaco-vscode-languages-service-override": "27.0.0",

@cubic-dev-ai cubic-dev-ai bot Apr 3, 2026


P1: This package is upgraded to 27.0.0 while all other @codingame/monaco-vscode-* siblings remain at =25.0.0. These packages come from the same monorepo and require version alignment — mixing major versions will almost certainly cause runtime errors (mismatched internal APIs/types).

Additionally, the exact-pin = prefix was dropped. Every other sibling uses =X.Y.Z for exact pinning; 27.0.0 without = is a semver range. If this upgrade is intended, all @codingame/monaco-vscode-* packages (and the monaco-editor alias) should be bumped to =27.0.0 together.


<file context>
@@ -86,7 +86,7 @@
 		"@aws-crypto/sha256-js": "^4.0.0",
 		"@codingame/monaco-vscode-editor-api": "=25.0.0",
-		"@codingame/monaco-vscode-languages-service-override": "=25.0.0",
+		"@codingame/monaco-vscode-languages-service-override": "27.0.0",
 		"@codingame/monaco-vscode-standalone-css-language-features": "=25.0.0",
 		"@codingame/monaco-vscode-standalone-html-language-features": "=25.0.0",
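Review bot: the `+` line drops the `=` exact-pin prefix that every unchanged context line in this hunk keeps (`"=25.0.0"` on the editor-api, standalone-css and standalone-html lines), so `"27.0.0"` becomes a semver range rather than the exact pin the rest of the set uses. It also moves one member of the @codingame/monaco-vscode-* set to a different major than its siblings in the same hunk. Suggest either writing `"=27.0.0"` here and bumping the sibling lines in step, or leaving this line at `"=25.0.0"` and addressing the transitive DOMPurify version through an `overrides` or `resolutions` entry as the earlier review proposes.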
</file context>
