[Snyk] Security upgrade immutable from 3.7.6 to 4.3.8#174

Open

mm-prodsec-bot wants to merge 1 commit into main from snyk-fix-01e1e4161657632f300bba311d5ffc74

Conversation

@mm-prodsec-bot

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • webapp/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                       Score
critical severity   Prototype Pollution
                    SNYK-JS-IMMUTABLE-15423650              740

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

@coderabbitai

coderabbitai Bot commented Mar 6, 2026

Warning

Rate limit exceeded

@Rajat-Dabade has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 32 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 26 minutes and 32 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8d47169e-4388-4ade-b9e6-77b52a7ceb00

📥 Commits

Reviewing files that changed from the base of the PR and between bc67146 and 661f34f.

📒 Files selected for processing (1)
  • webapp/package.json

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

marianunez requested a review from Rajat-Dabade, March 26, 2026 13:14
@Rajat-Dabade
Contributor

@coderabbitai review this PR

@coderabbitai

coderabbitai Bot commented Apr 7, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all files importing/using 'immutable'
# rg's built-in "ts" file type already covers .ts and .tsx; "tsx" is not a
# recognised type name and makes rg exit with an error
rg -n "from ['\"]immutable['\"]|require\(['\"]immutable['\"]" --type=ts --type=js -g "webapp/**"

# Also check package.json for the exact version specification
grep -A2 -B2 '"immutable"' webapp/package.json 2>/dev/null || find . -name "package.json" -not -path "*/node_modules/*" | xargs grep -l '"immutable"' 2>/dev/null

Length of output: 153


🌐 Web query:

immutable.js v3 to v4 breaking changes migration

💡 Result:

Immutable.js v3 → v4 migration: breaking changes to expect

1) Iterable was renamed to Collection

  • Types/classes/APIs that referenced Iterable moved to Collection. Update imports and type names accordingly.
  • isIterable() was renamed to isCollection(). [2]
  • Iterable.* namespaces were removed (replaced by Collection.*). [1]

2) Records are no longer Collections

  • In v3 you could use many Collection/Iterable methods directly on a Record (e.g. record.map(...), record.filter(...), record.toList(), etc.).
  • In v4, Record no longer extends Collection, and a large set of those inherited methods were removed from Record’s surface API. [1]
    Typical fix: convert first, then use collection methods, e.g. record.toSeq().map(...) (or operate via explicit get()/set()/merge() on the record).

3) merge() / mergeDeep() behavior changes (can affect results)

Key v4 breaking changes called out in the v4.0.0 notes: [1]

  • merge() no longer uses value-equality (is()) for some optimizations; it uses === for leaf values (consistency/perf-related change). [1]
  • merge() no longer deeply coerces its argument via an implicit fromJS(); coercion is now shallow (you may need to call fromJS() yourself before merging if you relied on the old behavior). [1]
  • mergeDeep() changes include:
    • Replacing incompatible nested collection types instead of trying to merge them (e.g., “lists of tuples into maps” no longer works). [1]
    • Deep merges concatenate Lists rather than “merging by index”; List.merge is effectively an alias for List.concat in this context. [1]

4) Seq breaking changes

  • Seq.of() was removed → replace Seq.of(1,2,3) with Seq([1,2,3]). [1]
  • Seq() no longer tries to detect iterators in the same way (IteratorSequence removed). [1]

5) ES6 iteration support added (behavioral change in how collections can be consumed)

  • All collection types implement the ES6 iterable protocol ([Symbol.iterator]), so they can be used directly with for...of, spread, etc. [1]

Primary reference to work from: the v4.0.0 release notes include a “Key changes” list plus a “Diff of changed API” section that’s useful as a checklist while you fix compile/runtime errors. [1]


🏁 Script executed:

#!/bin/bash
# Search for immutable imports across all relevant file extensions
rg -n "from ['\"]immutable['\"]|require\(['\"]immutable['\"]" -g "*.ts" -g "*.tsx" -g "*.js" -g "*.jsx"

# Also catch other import forms that mention immutable (either quote style).
# Note: rg uses Rust regex syntax, where "|" is alternation and "\|" is a
# literal pipe, so the alternatives must not be backslash-escaped.
rg -n "import.*immutable|from 'immutable'|from \"immutable\"" -g "*.ts" -g "*.tsx" -g "*.js" -g "*.jsx"

Length of output: 106


🏁 Script executed:

#!/bin/bash
# Read the full file that uses immutable
cat webapp/src/components/live-markdown-plugin/liveMarkdownPlugin.ts

Length of output: 9890


🏁 Script executed:

#!/bin/bash
# Check draft-js peer dependency on immutable
find . -path "*/node_modules/draft-js/package.json" -not -path "*/node_modules/*/node_modules/*" 2>/dev/null | head -5

# Check what version of draft-js is used and its immutable peer dep
rg -n '"immutable"' webapp/package.json
rg -n '"draft-js"' webapp/package.json

Length of output: 54


🌐 Web query:

draft-js 0.11 immutable peer dependency version compatibility

💡 Result:

In Draft.js 0.11.x (including 0.11.7), immutable is a direct dependency (not a peer dependency), and it’s pinned to:

Semver-wise, ~3.7.4 means Draft.js expects Immutable >= 3.7.4 and < 3.8.0 (i.e., 3.7.* only). Using Immutable v4.x is outside that range and can cause runtime issues/warnings because Draft.js 0.11 was built against Immutable 3.7.x behavior. (lightrun.com)


@Rajat-Dabade: Here is my review of this PR.


Security Upgrade: immutable 3.7.6 → 4.3.8

✅ What this PR fixes

This PR addresses a critical Prototype Pollution vulnerability (SNYK-JS-IMMUTABLE-15423650, score: 740/1000) in the immutable dependency.


⚠️ Breaking Change Risk — Requires Attention

Snyk's own metadata explicitly marks this as "isBreakingChange": true. My analysis confirms real compatibility problems:

1. draft-js v0.11.7 is incompatible with immutable v4

draft-js v0.11.7 has immutable as a direct dependency pinned to ~3.7.4, meaning it expects only immutable 3.7.x. Using Immutable v4.x is outside that range and can cause runtime issues because Draft.js 0.11 was built against Immutable 3.7.x behavior.

This means the bundle will end up with two incompatible versions of immutable (v3.7.x from draft-js, v4.3.8 from the direct dependency). The liveMarkdownPlugin.ts creates an immutable v4 List and passes it directly to draft-js internals:

// liveMarkdownPlugin.ts ~line 193
let characterMetadataList = List(
    Repeat(CharacterMetadata.create(), blockText.length),
)
// ...
return block.set('characterList', characterMetadataList) // ← draft-js expects an immutable v3 List!

This block.set('characterList', ...) call passes a v4 List to a draft-js API that expects a v3 List — a runtime incompatibility that would break the live Markdown editor.

2. TypeScript type error in liveMarkdownPlugin.ts

In immutable v4, List.get(index) returns T | undefined instead of T. This breaks the following pattern in liveMarkdownPlugin.ts (around line 218):

// characterMetadataList.get(i) is now CharacterMetadata | undefined in v4
const styled = CharacterMetadata.applyStyle(
    characterMetadataList.get(i), // ← TS error: 'CharacterMetadata | undefined' not assignable to 'CharacterMetadata'
    style,
)

This will likely cause a TypeScript compilation failure.

3. Other v3 → v4 breaking changes to be aware of

Iterable was renamed to Collection; isIterable() was renamed to isCollection(). In v4, Record no longer extends Collection, so collection methods like record.map(), record.filter(), and record.toList() were removed from Record's API.


🔧 Recommended Path Forward

Since draft-js v0.11.x is effectively unmaintained/archived and only supports immutable v3, a simple version bump here is insufficient. Consider:

  1. Short-term: Use npm overrides (or resolutions in yarn) in webapp/package.json to force a patched v3 minor if one exists that resolves the vulnerability, while keeping draft-js working.
  2. Long-term: Migrate away from draft-js to an actively maintained rich text editor (e.g., Slate.js, TipTap, Lexical) that supports modern immutable or has no immutable dependency.

This PR should not be merged as-is without validating that the live Markdown editor (powered by draft-js) still functions correctly, and that the TypeScript build succeeds.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
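The review above quotes the liveMarkdownPlugin.ts loop that breaks under immutable v4 because List.get(i) now returns T | undefined. The following is an added example, not code from the PR or the Mattermost code base, showing the explicit guard that pattern needs; ReadableList, CharacterMeta and applyStyleRange are hypothetical stand-ins for immutable's List, draft-js's CharacterMetadata and the plugin's styling loop.

```typescript
// Minimal model of the immutable v4 List contract: get() may return undefined.
// (Hypothetical interface standing in for immutable.List.)
interface ReadableList<T> {
  readonly size: number;
  get(index: number): T | undefined;
}

// Minimal stand-in for draft-js CharacterMetadata (an immutable value object).
interface CharacterMeta {
  readonly styles: ReadonlySet<string>;
}

// Returns a new metadata value with `style` added; the input is not mutated.
function applyStyle(meta: CharacterMeta, style: string): CharacterMeta {
  const styles = new Set(meta.styles);
  styles.add(style);
  return { styles };
}

// Applies `style` to indexes [start, end) of `list` and returns the full,
// updated sequence. Under v3 typing the loop could pass list.get(i) straight
// to applyStyle; under v4 typing the undefined case must be handled. A
// missing element here is a programming error (range out of bounds), so it
// is reported with a RangeError instead of being silently skipped.
function applyStyleRange(
  list: ReadableList<CharacterMeta>,
  start: number,
  end: number,
  style: string,
): CharacterMeta[] {
  if (start < 0 || end > list.size || start > end) {
    throw new RangeError(`range [${start}, ${end}) outside list of size ${list.size}`);
  }
  const out: CharacterMeta[] = [];
  for (let i = 0; i < list.size; i++) {
    const meta = list.get(i);
    if (meta === undefined) {
      throw new RangeError(`no character metadata at index ${i}`);
    }
    out.push(i >= start && i < end ? applyStyle(meta, style) : meta);
  }
  return out;
}

// Array-backed ReadableList used to build constructed sample input.
function listOf<T>(items: T[]): ReadableList<T> {
  return { size: items.length, get: (i: number) => items[i] };
}
```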
