
Conversation


@Varun789-mx Varun789-mx commented Oct 27, 2025

Description

Resolved critical security vulnerabilities identified by npm audit related to CKEditor5. The audit reported an XSS (Cross-Site Scripting) vulnerability in the clipboard package affecting CKEditor5 versions 40.0.0 through 43.1.0. Downgraded @ckeditor/ckeditor5-build-classic to version 39.0.2 as recommended by npm audit to eliminate the security risk while maintaining editor functionality.

No new dependencies added. This change modifies the existing CKEditor5 dependency version.

Related issues and discussion

WEB-281

Screenshots, if any

Not required as this is a dependency security fix.

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • If you have multiple commits please combine them into one commit by squashing them.
  • Read and understood the contribution guidelines at web-app/.github/CONTRIBUTING.md.

Summary by CodeRabbit

  • Chores
    • Updated Angular Build to patch version 19.2.17.
    • Adjusted CKEditor version constraint to a caret-prefixed range.


coderabbitai bot commented Oct 27, 2025

Walkthrough

Updates two package dependencies in package.json: changes "@ckeditor/ckeditor5-build-classic" from exact version "40.2.0" to caret-constrained "^39.0.2", and bumps "@angular/build" from "^19.2.15" to "^19.2.17" in both dependencies and devDependencies.

Changes

  • Dependency Version Updates (package.json): CKEditor 5 downgraded from 40.2.0 (exact) to ^39.0.2 (caret-prefixed); @angular/build patch version bumped from ^19.2.15 to ^19.2.17 in both dependencies and devDependencies

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Consider verifying the rationale for CKEditor version constraint change (downgrade from 40.x to 39.x with caret prefix may indicate compatibility or feature concerns)

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: ✅ Passed. The pull request title "WEB-281 npm audit indicates 2 severe security issues" is fully related to the main objective of the changeset. The PR's primary purpose is to resolve critical security vulnerabilities reported by npm audit, specifically an XSS vulnerability in CKEditor5's clipboard package, by downgrading @ckeditor/ckeditor5-build-classic to version 39.0.2. The title accurately captures the reason for the dependency changes and is clear and specific enough that a teammate scanning history would immediately understand this is addressing security concerns. The title is concise and avoids vague terminology while directly connecting to the actionable changes in package.json.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 28c8f7b and 20a7b9c.

📒 Files selected for processing (1)
  • package.json (2 hunks)
🔇 Additional comments (2)
package.json (2)

78-78: Clarify the intent behind the @angular/build bump.

The patch-level bump from ^19.2.15 to ^19.2.17 appears unrelated to the security fix described in the PR objectives (WEB-281, CKEditor5 XSS). Patch updates within the same minor version are typically safe, but they should be part of a separate, intentional update unless explicitly required for the security fix.

Please clarify: Is this @angular/build bump intentional and part of the security fix, or should it be deferred to a separate maintenance PR? If intentional, confirm no breaking changes or build-tool incompatibilities are introduced (e.g., with @angular/cli 19.2.15 remaining unchanged).


47-47: Downgrade to CKEditor5 v39.0.2 is secure and addresses the XSS vulnerability.

Verification confirms v39.0.2 exists and has no known security advisories. All documented vulnerabilities affect versions 40.0.0–43.1.0 only, so this downgrade successfully mitigates the XSS issue.

Please verify that editor functionality is fully retained in your test/staging environment:

  • All plugins and toolbar features work as expected
  • No breaking changes or feature regressions occur
  • Custom configurations remain compatible



@steinwinde steinwinde left a comment


Hi @Varun789-mx, sorry to say, but running npm install based on a fresh clone of the dev branch outputs "24 moderate severity vulnerabilities", and a clone of your PR outputs exactly the same. Probably package maintainers fixed severe issues in the meantime. You downgraded the ckeditor5 major version, which would require significant testing to guarantee it is sound. I therefore recommend closing this PR. What is your opinion? Do you (after deleting the node_modules folder, in case you have it, and making sure you use the checked-in package-lock.json) still get high-severity issues?
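The check the reviewer asks for above, and the affected range the PR description cites (40.0.0 through 43.1.0), can be turned into a lockfile gate that runs before npm audit needs network access. This is an added example, not code from the PR or the project; it assumes an npm v7+ package-lock.json layout and uses a constructed lockfile fragment as input.

```shell
# Added example (not code from the PR): fail fast when the CKEditor 5 build resolved in
# package-lock.json sits inside the advisory range the PR quotes (40.0.0 through 43.1.0).
# Assumed (mine): npm v7+ lockfile layout ("packages" map); package name is from the PR.
AFFECTED_MIN="40.0.0"; AFFECTED_MAX="43.1.0"
PKG="@ckeditor/ckeditor5-build-classic"
# semver_cmp A B: prints -1, 0 or 1 comparing MAJOR.MINOR.PATCH; prerelease tags ignored.
semver_cmp() {
  a=${1%%-*}; b=${2%%-*}
  a_major=${a%%.*}; r=${a#*.}; a_minor=${r%%.*}; a_patch=${r#*.}
  b_major=${b%%.*}; r=${b#*.}; b_minor=${r%%.*}; b_patch=${r#*.}
  for pair in "$a_major $b_major" "$a_minor $b_minor" "$a_patch $b_patch"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
    if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# in_affected_range V: succeeds (exit 0) when AFFECTED_MIN <= V <= AFFECTED_MAX.
in_affected_range() {
  [ "$(semver_cmp "$1" "$AFFECTED_MIN")" -ge 0 ] &&
    [ "$(semver_cmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# lock_version LOCKFILE: resolved version of $PKG from the lockfile's "packages" map.
lock_version() {
  awk -v key="\"node_modules/$PKG\": {" '
    index($0, key) { found = 1; next }
    found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# check_lockfile LOCKFILE: prints a verdict; exit status 1 means "still affected".
check_lockfile() {
  v=$(lock_version "$1")
  [ -n "$v" ] || { echo "$PKG not found in $1"; return 0; }
  if in_affected_range "$v"; then
    echo "$PKG@$v is inside $AFFECTED_MIN..$AFFECTED_MAX: FAIL"; return 1
  fi
  echo "$PKG@$v is outside the advisory range: OK"
}
# Constructed lockfile fragment for the demo (sample data, not the project's real lockfile).
LOCK=$(mktemp); trap 'rm -f "$LOCK"' EXIT
cat > "$LOCK" <<'EOF'
{ "lockfileVersion": 3, "packages": {
    "node_modules/@ckeditor/ckeditor5-build-classic": {
      "version": "40.2.0" } } }
EOF
# On a real checkout, run this after the reviewer's repro: rm -rf node_modules && npm ci
check_lockfile "$LOCK" || true
```

Point the script at the checked-in package-lock.json instead of the constructed fragment to see what the lockfile actually resolves, independent of what npm audit reports on a given day.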
