[Bug] - monaco-editor bundles vulnerable dompurify (XSS, prototype pollution) in @patternfly/chatbot #828

@Homa

Description

@patternfly/chatbot depends on @patternfly/react-code-editor, which depends on
@monaco-editor/react, which depends on monaco-editor. The monaco-editor package
ships its own nested copy of dompurify (node_modules/monaco-editor/node_modules/dompurify).
The bundled version is <=3.3.1, which is affected by multiple CVEs.

Affected versions

  • @patternfly/chatbot: 6.4.1 (latest)

  • monaco-editor: 0.55.1 (transitively pulled in via @patternfly/react-code-editor)

  • dompurify (bundled inside monaco-editor): <=3.3.1

CVEs / Advisories

| Advisory | Severity | Description |
| --- | --- | --- |
| GHSA-h8r8-wccr-v5f2 | Moderate | Mutation-XSS via Re-Contextualization |
| GHSA-v2wj-7wpq-c8vv | Moderate | Cross-site Scripting |
| GHSA-cjmm-f4jc-qw8r | Moderate | ADD_ATTR predicate skips URI validation |
| GHSA-cj63-jhhr-wcxv | Moderate | USE_PROFILES prototype pollution allows event handlers |

Steps to Reproduce

```
npm audit --registry https://registry.npmjs.org
dompurify <=3.3.1
Severity: moderate
...
node_modules/monaco-editor/node_modules/dompurify
monaco-editor >=0.54.0-dev-20250909
Depends on vulnerable versions of dompurify
node_modules/monaco-editor
@patternfly/chatbot >=6.5.0-prerelease.1
Depends on vulnerable versions of monaco-editor
node_modules/@patternfly/chatbot
```

Data/JSON Context (if applicable)

No response

Environment

@patternfly/chatbot: 6.4.1

Screenshots or Logs

No response


Jira Issue: PF-4009
