fix: add explicit DOMPurify allowlist for ANSI log rendering (#35)

* fix: add explicit DOMPurify allowlist for ANSI log rendering

Restrict allowed tags to span and br, attributes to style only.
Tighter than DOMPurify defaults — guards against future version
changes while preserving ANSI color spans.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: regenerate package-lock.json to sync with package.json

npm ci was failing because lock file was out of sync with
dependency versions from recent dependabot merges.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: restore package-lock.json from main

Previous regeneration caused version mismatches in CI.
This PR only changes a .jsx file — no lock file changes needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: abhizipstack

frontend/src/ide/editor/no-code-model/no-code-model.jsx

@@ -359,7 +359,11 @@ function NoCodeModel({ nodeData }) {
     });
     updateSpec(newSpec);
   };
-  const parseLog = (log) => DOMPurify.sanitize(ansiToHtml.toHtml(log));
+  const parseLog = (log) =>
+    DOMPurify.sanitize(ansiToHtml.toHtml(log), {
+      ALLOWED_TAGS: ["span", "br"],
+      ALLOWED_ATTR: ["style"],
+    });
 
   const hideGenAIAndTimeTravelTabs = true;
   const BOTTOM_TABS = [