Conversation

@q1blue (Collaborator) commented Sep 17, 2024


EntelligenceAI PR Summary

Updates the DOMPurify HTML sanitization library in the gcalendar plugin to address security and stability improvements.

  • Bumped dompurify from ^2.3.6 to ^2.5.4 in plugins/gcalendar/package.json
  • Minor version update includes bug fixes and security patches
  • Maintains compatibility with future 2.x releases through caret versioning

@socket-security bot commented Sep 17, 2024

No dependency changes detected in pull request.

@github-actions bot commented

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions bot added the stale label Sep 24, 2024
@github-actions github-actions bot closed this Sep 29, 2024
@snyk-io snyk-io bot reopened this Jul 19, 2025
@snyk-io bot commented Jul 19, 2025

Snyk checks have failed. 83 issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (83)
Failed  Open Source Security  16        25    37      5    83 issues

@github-actions github-actions bot removed the stale label Jul 19, 2025
@github-actions github-actions bot added the stale label Aug 24, 2025
@github-actions github-actions bot closed this Sep 3, 2025
@snyk-io snyk-io bot reopened this Sep 19, 2025
@entelligence-ai-pr-reviews bot commented

🔒 Entelligence AI Vulnerability Scanner

No security vulnerabilities found!

Your code passed our comprehensive security analysis.


@entelligence-ai-pr-reviews bot commented

Walkthrough

This PR updates the DOMPurify dependency in the Google Calendar plugin from version 2.3.6 to version 2.5.4. DOMPurify is a critical security library used for sanitizing HTML content to prevent Cross-Site Scripting (XSS) attacks. This targeted update addresses potential security vulnerabilities while maintaining all other dependencies at their current versions, enhancing the overall security posture of the gcalendar plugin without introducing broader dependency changes.

Changes

File(s) Summary
plugins/gcalendar/package.json Updated dompurify dependency from version 2.3.6 to version 2.5.4 while maintaining all other dependencies at their current versions.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title GCalendar Plugin DOMPurify Usage Flow
    
    participant User
    participant GCalendar as "GCalendar Plugin"
    participant DOMPurify as "DOMPurify v2.5.4"
    participant DOM as "DOM"
    
    User->>GCalendar: Interact with calendar
    Note over GCalendar: Plugin receives potentially<br/>unsafe HTML content
    
    GCalendar->>DOMPurify: sanitize(htmlContent)
    activate DOMPurify
    DOMPurify-->>GCalendar: Return sanitized HTML
    deactivate DOMPurify
    
    GCalendar->>DOM: Render sanitized content
    DOM-->>User: Display safe content
    
    Note over GCalendar,DOMPurify: Version updated from 2.3.6 to 2.5.4<br/>for security improvements

@entelligence-ai-pr-reviews bot commented

LGTM 👍

@github-actions github-actions bot removed the stale label Sep 19, 2025
@github-actions github-actions bot added the stale label Sep 30, 2025
@github-actions github-actions bot closed this Oct 8, 2025
@snyk-io snyk-io bot reopened this Oct 8, 2025

@github-actions github-actions bot removed the stale label Oct 8, 2025
@github-actions github-actions bot added the stale label Oct 15, 2025
@github-actions github-actions bot closed this Oct 20, 2025
@snyk-io snyk-io bot reopened this Oct 21, 2025
@github-actions github-actions bot removed the stale label Oct 21, 2025
@entelligence-ai-pr-reviews bot commented

📝 Walkthrough

This PR addresses a critical security vulnerability in the Google Calendar plugin by updating the DOMPurify dependency from version 2.3.6 to 2.5.4. The update specifically fixes CVE-2024-45801, a high-severity XSS vulnerability (CVSS 7.3) that could allow attackers to bypass DOMPurify's sanitization through special nesting techniques and prototype pollution.

The change is minimal and focused solely on updating the dependency version in the package.json file. The current implementation in CalendarEventPopoverContent.tsx already follows security best practices by properly sanitizing HTML content from Google Calendar event descriptions before rendering.

📊 Changes

File Change
plugins/gcalendar/package.json Updated DOMPurify dependency from ^2.3.6 to ^2.5.4

🔒 Security Highlights

  • 🔒 Fixed CVE-2024-45801: High-severity XSS vulnerability in DOMPurify that could bypass depth checking
  • 🔒 Current implementation in CalendarEventPopoverContent.tsx already follows best practices:
    • Properly sanitizes HTML with DOMPurify.sanitize() before using dangerouslySetInnerHTML
    • Uses secure configuration with USE_PROFILES: { html: true }
  • 🔒 Low deployment risk: No breaking changes expected as update is within same major version

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title DOMPurify Usage in Google Calendar Plugin
    
    participant User
    participant Calendar as "Calendar Component"
    participant EventRenderer as "Event Renderer"
    participant DOMPurify as "DOMPurify v2.5.4"
    participant DOM as "Browser DOM"
    
    User->>Calendar: View calendar events
    activate Calendar
    
    Calendar->>EventRenderer: Render event details
    activate EventRenderer
    
    Note over EventRenderer: Event may contain HTML from<br/>external Google Calendar data
    
    EventRenderer->>DOMPurify: sanitize(eventHTML)
    activate DOMPurify
    
    Note over DOMPurify: Sanitizes HTML to prevent XSS<br/>Version updated from 2.3.6 to 2.5.4
    
    DOMPurify-->>EventRenderer: Return sanitized HTML
    deactivate DOMPurify
    
    EventRenderer->>DOM: Insert sanitized content
    EventRenderer-->>Calendar: Event rendered safely
    deactivate EventRenderer
    
    Calendar-->>User: Display sanitized calendar events
    deactivate Calendar

🔒 Security Analysis

  • Vulnerabilities: 0
  • Bugs: 0
  • Code Smells: 0
  • Security Hotspots: 0

Caution

1 comment is outside the diff range and can't be posted inline due to platform limitations.

⚠️ View Outside Diff Range Comments (1)

🟡 Medium priority · 1 issue
plugins/gcalendar/src/components/CalendarCard/CalendarEventPopoverContent.test.tsx · 1 comment

1. Entire file · Security

Lack of specific security tests for XSS prevention with malicious HTML content in the calendar plugin


"classnames": "^2.3.1",
"cross-fetch": "^3.1.5",
"dompurify": "^2.3.6",
"dompurify": "^2.5.4",
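Review bot: the hunk only raises the declared floor in plugins/gcalendar/package.json from ^2.3.6 to ^2.5.4, and the change list for this PR names no lockfile. Because ^2.3.6 already admits 2.5.4 on a fresh resolve, the version an install actually gets is decided by the committed lockfile, which is consistent with Socket reporting "No dependency changes detected" on this PR. Regenerate and commit the lockfile together with this bump, and confirm the resolved version with `npm ls dompurify` (or `yarn why dompurify`) before treating CVE-2024-45801 as closed for the plugin; a caret range is a minimum, not a pin, so the range alone does not prove which copy is installed.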

Security: Outdated DOMPurify dependency (v2.3.6) with known XSS vulnerability (CVE-2024-45801) that could allow attackers to bypass sanitization through special nesting techniques and prototype pollution

@github-actions github-actions bot added the stale label Oct 28, 2025
@github-actions github-actions bot closed this Nov 2, 2025
@snyk-io snyk-io bot reopened this Nov 3, 2025
@entelligence-ai-pr-reviews bot commented

Walkthrough

This pull request updates the dompurify dependency in the gcalendar plugin from version 2.3.6 to 2.5.4. DOMPurify is an HTML sanitization library used to prevent XSS attacks by cleaning user-supplied HTML content. This minor version update likely includes important bug fixes, security patches, and improvements to the sanitization logic. The caret (^) prefix in the version specification ensures that future compatible patch and minor releases within the 2.x range will be automatically accepted, maintaining backward compatibility while receiving ongoing security updates.

Changes

File(s) Summary
plugins/gcalendar/package.json Updated dompurify dependency from version ^2.3.6 to ^2.5.4 to include bug fixes and security patches.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant App as GCalendar Plugin
    participant DOMPurify as DOMPurify Library (v2.5.4)
    participant HTML as HTML Content
    
    Note over App,DOMPurify: Dependency version updated from 2.3.6 to 2.5.4
    
    App->>HTML: Receive HTML content from calendar data
    App->>DOMPurify: sanitize(htmlContent)
    activate DOMPurify
    DOMPurify->>DOMPurify: Parse and clean HTML
    DOMPurify-->>App: Return sanitized HTML
    deactivate DOMPurify
    App->>App: Render safe HTML content
    
    Note over App,DOMPurify: No architectural changes<br/>Same interaction pattern with updated library version
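The caret-range reasoning in the walkthrough above, and the CVE-2024-45801 discussion earlier in the thread, both turn on one detail that is easy to get wrong: `^2.3.6` already admits 2.5.4, so raising the floor in package.json changes nothing about an existing install until the lockfile is regenerated. The following is an added example, not code from the PR, the plugin or DOMPurify itself: it implements npm's caret semantics, checks a version against the advisory's fixed versions (2.5.4 for the 2.x line and 3.1.3 for the 3.x line, per the upstream advisory), and reads the resolved copies of a package out of a lockfileVersion 2/3 package-lock.json. The lockfile fragment, the `gcalendar` package name in it and all function names are constructed for this example.

```javascript
// Added example (not the PR's or the project's code): does a declared dompurify
// range, and the version the lockfile actually pins, carry the CVE-2024-45801 fix?
// Fixed versions per the upstream advisory: 2.5.4 on the 2.x line and 3.1.3 on
// the 3.x line; everything below 2.5.4 (including 1.x) is affected.
const FIXED_BY_MAJOR = { 2: [2, 5, 4], 3: [3, 1, 3] };
const HIGHEST_AFFECTED_MAJOR = 3;

// "2.5.4" -> [2, 5, 4]; rejects anything that is not a plain x.y.z version
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing major, then minor, then patch
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm applies them: ^x.y.z admits >=x.y.z <(x+1).0.0 when
// x>=1; ^0.y.z admits <0.(y+1).0; ^0.0.z admits <0.0.(z+1).
// Returns the inclusive lower bound and the exclusive upper bound.
function caretRange(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const min = parseSemver(range.slice(1));
  const [x, y, z] = min;
  let maxExclusive;
  if (x > 0) maxExclusive = [x + 1, 0, 0];
  else if (y > 0) maxExclusive = [0, y + 1, 0];
  else maxExclusive = [0, 0, z + 1];
  return { min, maxExclusive };
}

// True when this exact version is at or above the fixed version for its major
// line, or on a major line newer than any the advisory covers.
function isFixedVersion(version) {
  const v = parseSemver(version);
  const major = v[0];
  if (major > HIGHEST_AFFECTED_MAJOR) return true;
  const floor = FIXED_BY_MAJOR[major];
  if (!floor) return false; // 0.x and 1.x are all below 2.5.4, hence affected
  return compareSemver(v, floor) >= 0;
}

// A caret range guarantees the fix only if every version it admits is fixed.
// For x>=1 the range never leaves its major line, so the lower bound decides.
function rangeGuaranteesFix(range) {
  const { min } = caretRange(range);
  return isFixedVersion(min.join('.'));
}

// Constructed package-lock.json fragment (lockfileVersion 3 layout) standing in
// for the plugin's real lockfile, which this PR does not touch. It pins 2.3.8.
const SAMPLE_LOCK = JSON.stringify({
  name: 'gcalendar',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { dompurify: '^2.3.6' } },
    'node_modules/dompurify': {
      version: '2.3.8',
      resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz',
    },
  },
});

// Every resolved copy of pkg in a lockfileVersion 2/3 package-lock. Nested
// duplicates live under paths like node_modules/a/node_modules/dompurify, so
// a hoisted match alone is not enough.
function resolvedVersions(lockJson, pkg) {
  const lock = JSON.parse(lockJson);
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
      out.push(entry.version);
    }
  }
  return out;
}

// Verdict for a declared range plus lockfile: what the range alone promises,
// and what is actually pinned for install.
function auditDompurify(declaredRange, lockJson) {
  const pinned = resolvedVersions(lockJson, 'dompurify');
  return {
    declaredRange,
    rangeGuaranteesFix: rangeGuaranteesFix(declaredRange),
    pinned,
    allPinnedFixed: pinned.length > 0 && pinned.every(isFixedVersion),
  };
}

// Before and after the bump in this PR, against the same untouched lockfile.
console.log(auditDompurify('^2.3.6', SAMPLE_LOCK));
console.log(auditDompurify('^2.5.4', SAMPLE_LOCK));
```

Run against the constructed lockfile, the pre-bump range reports `rangeGuaranteesFix: false` and the post-bump range reports `true`, while `allPinnedFixed` stays `false` in both cases because the lock still resolves 2.3.8. That gap is the thing to check in review: `npm ci` refuses a lockfile that no longer satisfies package.json, and `npm install` re-resolves it, so the regenerated lockfile has to be committed alongside the range change for the fix to reach every install.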

@github-actions github-actions bot removed the stale label Nov 3, 2025
@github-actions github-actions bot added the stale label Nov 10, 2025
@github-actions github-actions bot closed this Nov 15, 2025
@snyk-io snyk-io bot reopened this Nov 15, 2025
@github-actions github-actions bot removed the stale label Nov 15, 2025
@github-actions github-actions bot added the stale label Nov 27, 2025
@github-actions github-actions bot closed this Dec 2, 2025
@snyk-io snyk-io bot reopened this Dec 3, 2025

@github-actions github-actions bot removed the stale label Dec 3, 2025
@github-actions github-actions bot added the stale label Dec 23, 2025
@github-actions github-actions bot closed this Dec 28, 2025