prismjs: vulnerability: GHSA-x7hr-w5r2-h6wg

[manstis]

JFYI @patternfly/chatbot version 6.3.0-prerelease.25 fails npm audit.

# npm audit report

prismjs  <1.30.0
Severity: moderate
PrismJS DOM Clobbering vulnerability - https://github.com/advisories/GHSA-x7hr-w5r2-h6wg
No fix available
node_modules/refractor/node_modules/prismjs
  refractor  <=4.6.0
  Depends on vulnerable versions of prismjs
  node_modules/refractor
    react-syntax-highlighter  >=6.0.0
    Depends on vulnerable versions of refractor
    node_modules/react-syntax-highlighter
      @patternfly/chatbot  *
      Depends on vulnerable versions of react-syntax-highlighter
      node_modules/@patternfly/chatbot

No fix is currently available in the underlying library prismjs.

[rebeccaalpert]

Thanks for the heads up @manstis! I would like to drop this syntax highlighter temporarily and look for an alternative solution once we've dropped it. I'll get a PR up today.

[rebeccaalpert]

Notes on tools:

• react-syntax-highlighter looks like it's not being well-maintained; from scanning open issues/PRs, it sounds like the maintainer who can merge PRs is not really active. Several PRs have been put up to try and address this with no movement, starting in March
• One user moved to prism-react-renderer and posted their migration details, but it suffers from the same bad version of prism - we would need to put up a PR and try to get it approved there if we wanted to use it
• starry-night is an alternative that doesn't require prism, but API is very different and would require testing to see if it could work
• Other alternatives may exist
• Alternatively, can discuss migrating to PatternFly code editor component, which provides syntax highlighting via Microsoft's Monaco library. This can be made read-only and may be the preferred PatternFly solution. Will discuss with team as a follow-on solution

[rebeccaalpert]

Going to look at switching to PF code editor (readonly) here: #545. Want to try first after this merges.