Skip to content

[release-1.9] chore(deps): patches dompurify for CVE-2026-41240#5035

Open
alizard0 wants to merge 4 commits into
redhat-developer:release-1.9from
alizard0:RHIDP-13315-1
Open

[release-1.9] chore(deps): patches dompurify for CVE-2026-41240#5035
alizard0 wants to merge 4 commits into
redhat-developer:release-1.9from
alizard0:RHIDP-13315-1

Conversation

@alizard0

@alizard0 alizard0 commented Jun 30, 2026

Copy link
Copy Markdown
Member

Fixes CVE-2026-41240 by patching dompurify to 3.40 or higher using surgeon.
https://redhat.atlassian.net/browse/RHIDP-13315

Upstream work: microsoft/vscode#318354 and microsoft/vscode#320010

CVE-2026-41240 dompurify
  patch: 3.4.0
  affected: < 3.4.0
root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh
└─┬ app@1.0.1 -> ./packages/app
  └─┬ @backstage/plugin-api-docs@0.13.1
    ├─┬ @asyncapi/react-component@2.6.3
    │ └─┬ isomorphic-dompurify@2.22.0
    │   └── dompurify@3.2.6 deduped
    └─┬ swagger-ui-react@5.30.3
      └── dompurify@3.2.6
Upgrading dependency with yarn-lockfile-surgeon → dompurify@3.4.0 ...
root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh
└─┬ app@1.0.1 -> ./packages/app
  └─┬ @backstage/plugin-api-docs@0.13.1
    ├─┬ @asyncapi/react-component@2.6.3
    │ └─┬ isomorphic-dompurify@2.22.0
    │   └── dompurify@3.4.0
    └─┬ swagger-ui-react@5.30.3
      └── dompurify@3.2.6

CVE-2026-41240 dompurify
  patch: 3.4.0
  affected: < 3.4.0
dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-plugin-techdocs@1.16.0 -> ./wrappers/backstage-plugin-techdocs
│ └─┬ @backstage/plugin-techdocs@1.16.0
│   └── dompurify@3.3.1
└─┬ red-hat-developer-hub-backstage-plugin-extensions@0.14.3 -> ./wrappers/red-hat-developer-hub-backstage-plugin-extensions
  └─┬ @red-hat-developer-hub/backstage-plugin-extensions@0.14.4
    └─┬ monaco-editor@0.55.1
      └── dompurify@3.2.7
Upgrading dependency with yarn-lockfile-surgeon → dompurify@3.4.0 ...
dynamic-plugins-root@1.9.6 /Users/alizardo/Documents/engineering/github/rhdh/dynamic-plugins
├─┬ backstage-plugin-techdocs@1.16.0 -> ./wrappers/backstage-plugin-techdocs
│ └─┬ @backstage/plugin-techdocs@1.16.0
│   └── dompurify@3.4.0
└─┬ red-hat-developer-hub-backstage-plugin-extensions@0.14.3 -> ./wrappers/red-hat-developer-hub-backstage-plugin-extensions
  └─┬ @red-hat-developer-hub/backstage-plugin-extensions@0.14.4
    └─┬ monaco-editor@0.55.1
      └── dompurify@3.2.7

@github-actions

Copy link
Copy Markdown
Contributor

Image was built and published successfully. It is available at:

Comment thread yarn.lock Outdated
linkType: hard

"dompurify@npm:=3.2.6, dompurify@npm:^3.2.4":
"dompurify@npm:=3.2.6":

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is still pinned. Can we update it?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

@alizard0

alizard0 commented Jul 3, 2026

Copy link
Copy Markdown
Member Author

Dompurify is a false-positive:

  1. In monaco-editor, dompurify is bundled directly into the source code at build time, it appears in the package.json only for dependency tracking.
  2. Monaco-editor does not use the speicifc vulnerable code paths or APIs reported by this CVE.
  3. There is an upstream fix already merged into VSCode codebase which will be propagated soon to monaco-editor-core.
  4. No seucirty risk to rhdh

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

The container image build and publish workflows were skipped (either due to [skip-build] tag or no relevant changes with existing image).

@alizard0 alizard0 requested a review from kim-tsao July 3, 2026 13:21
@JessicaJHee JessicaJHee changed the title chore(deps): patches dompurify for CVE-2026-41240 [release-1.9] chore(deps): patches dompurify for CVE-2026-41240 Jul 7, 2026
@JessicaJHee

Copy link
Copy Markdown
Member

/test e2e-ocp-helm

@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Image was built and published successfully. It is available at:

@JessicaJHee

Copy link
Copy Markdown
Member

/test e2e-ocp-helm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants