Skip to content

fix(deps): bump react-syntax-highlighter to 16.0.0#10620

Merged
robert-hebel-sb merged 4 commits intoswagger-api:masterfrom
jaeminkim87:fix/deps-react-syntax-highlighter-16
Nov 3, 2025
Merged

fix(deps): bump react-syntax-highlighter to 16.0.0#10620
robert-hebel-sb merged 4 commits intoswagger-api:masterfrom
jaeminkim87:fix/deps-react-syntax-highlighter-16

Conversation

@jaeminkim87
Copy link
Copy Markdown
Contributor

@jaeminkim87 jaeminkim87 commented Oct 27, 2025

Description

This PR updates the react-syntax-highlighter dependency in swagger-ui-react to v16.0.0, resolving a moderate PrismJS vulnerability (GHSA-x7hr-w5r2-h6wg).

This issue occurs only within the swagger-ui-react package, due to its dependency chain:

swagger-ui-react → react-syntax-highlighter → refractor → prismjs

As of react-syntax-highlighter@16.0.0 , the vulnerability has been patched.

Motivation and Context

Running npm audit in the swagger-ui-react package reports the following issue:

prismjs  <1.30.0
Severity: moderate
PrismJS DOM Clobbering vulnerability - https://github.com/advisories/GHSA-x7hr-w5r2-h6wg
fix available via `npm audit fix --force`
Will install react-syntax-highlighter@16.0.0, which is a breaking change
node_modules/refractor/node_modules/prismjs
  refractor  <=4.6.0
  Depends on vulnerable versions of prismjs
  node_modules/refractor
    react-syntax-highlighter  6.0.0 - 15.6.6
    Depends on vulnerable versions of refractor
    node_modules/react-syntax-highlighter

11 vulnerabilities (10 moderate, 1 high)

This update removes the vulnerable dependency and clears all audit warnings specific to swagger-ui-react.

After upgrading, audit results show:

No other vulnerable packages were modified by this PR.

8 vulnerabilities (7 moderate, 1 high)

References:

How Has This Been Tested?

  • Verified syntax highlighting behavior in Swagger UI React components.
  • Ensured there were no regressions or rendering differences after dependency update.
  • Confirmed npm audit shows zero vulnerabilities for swagger-ui-react.

Screenshots (if appropriate):

N/A

Checklist

My PR contains...

  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • All new and existing tests passed.

@robert-hebel-sb
Copy link
Copy Markdown
Contributor

robert-hebel-sb commented Oct 30, 2025
edited
Loading

hey @jaeminkim87 👋
thank you for creating this PR 💟
could you run npm i command and commit updated package-lock.json as well?

@robert-hebel-sb robert-hebel-sb added the dependencies Pull requests that update a dependency file label Oct 30, 2025
@jaeminkim87
Copy link
Copy Markdown
Contributor Author

jaeminkim87 commented Oct 30, 2025

Thanks for the feedback! @robert-hebel-sb
I’ve run npm i and committed the updated package-lock.json.

@robert-hebel-sb robert-hebel-sb merged commit 270d96d into swagger-api:master Nov 3, 2025
8 checks passed
swagger-bot pushed a commit that referenced this pull request Nov 4, 2025
@semantic-release-bot
chore(release): cut the 5.30.2 release
30d8f98 
## [5.30.2](v5.30.1...v5.30.2) (2025-11-04)

### Bug Fixes

* **deps:** bump react-syntax-highlighter to 16.0.0 ([#10620](#10620)) ([270d96d](270d96d))
@swagger-bot
Copy link
Copy Markdown
Contributor

swagger-bot commented Nov 4, 2025

🎉 This PR is included in version 5.30.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

delendik-testops pushed a commit to ModiusOpenData/swagger-ui that referenced this pull request Mar 3, 2026
@jaeminkim87 @kirill-of-turov
fix(deps): bump react-syntax-highlighter to 16.0.0 (swagger-api#10620)
8a2efdb
delendik-testops pushed a commit to ModiusOpenData/swagger-ui that referenced this pull request Mar 3, 2026
@semantic-release-bot @kirill-of-turov
chore(release): cut the 5.30.2 release
d3a4f13 
## [5.30.2](swagger-api/swagger-ui@v5.30.1...v5.30.2) (2025-11-04)

### Bug Fixes

* **deps:** bump react-syntax-highlighter to 16.0.0 ([swagger-api#10620](swagger-api#10620)) ([270d96d](swagger-api@270d96d))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robert-hebel-sb robert-hebel-sb robert-hebel-sb approved these changes

Assignees

@jaeminkim87 jaeminkim87

Labels

dependencies Pull requests that update a dependency file released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jaeminkim87 @robert-hebel-sb @swagger-bot