diff --git a/apps/web/package.json b/apps/web/package.json
index 3aa44ab26d..c4a8026458 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -139,7 +139,7 @@
 "js-cookie": "3.0.5",
 "js-yaml": "4.1.1",
 "jsonwebtoken": "catalog:",
- "linkify-it": "5.0.0",
+ "linkify-it": "5.0.1",
 "lucide-react": "0.552.0",
 "mailgun.js": "12.7.1",
 "monaco-editor": "0.55.1",
diff --git a/apps/web/src/components/cloud-agent-next/MessageBubble.tsx b/apps/web/src/components/cloud-agent-next/MessageBubble.tsx
index 8589c43320..a32701e501 100644
--- a/apps/web/src/components/cloud-agent-next/MessageBubble.tsx
+++ b/apps/web/src/components/cloud-agent-next/MessageBubble.tsx
@@ -27,6 +27,11 @@ import LinkifyIt from 'linkify-it';
 const linkify = new LinkifyIt();
 function TextWithLinks({ text }: { text: string }) {
+ // Skip linkification for very large inputs to bound worst-case render time
+ // (defense-in-depth against CVE-2026-48801 / GHSA-22p9-wv53-3rq4)
+ if (text.length > 50_000) {
+ return <>{text};
+ }
 const parts: React.ReactNode[] = [];
 let lastIndex = 0;
 for (const match of linkify.match(text) ?? []) {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f6cc128b24..b095975081 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -891,8 +891,8 @@ importers: specifier: 'catalog:' version: 9.0.3 linkify-it: - specifier: 5.0.0 - version: 5.0.0 + specifier: 5.0.1 + version: 5.0.1 lucide-react: specifier: 0.552.0 version: 0.552.0(react@19.2.6)
@@ -13758,8 +13758,8 @@ packages: canvas: optional: true - linkify-it@5.0.0: resolution: {integrity: sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==} + linkify-it@5.0.1: resolution: {integrity: sha512-wVoTjP4Q6R0NW5hiZkVJaFZPWgtXfoGF+6LucL3/FtiNjmcHhYjEr5f1Kqjirc1nBW07J/ZuRFumqr2oqccEWg==} listr2@10.2.1: resolution: {integrity: sha512-7I5knELsJKTUjXG+A6BkKAiGkW1i25fNa/xlUl9hFtk15WbE9jndA89xu5FzQKrY5llajE1hfZZFMILXkDHk/Q==} 
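Review bot: The 50_000 cutoff in the new guard in TextWithLinks is an inline magic number; hoist it to a named module-level constant next to `const linkify`, e.g. `const MAX_LINKIFY_INPUT_LENGTH = 50_000;` and `if (text.length > MAX_LINKIFY_INPUT_LENGTH) {`, so the bound is discoverable from one place and can be referenced by a test. The comment already names the advisory the guard defends against, but it should also state why this particular length was chosen, since messages above it silently lose clickable links rather than being handled differently. As rendered here the early return reads `return <>{text};` with no closing `</>`; if that is not an extraction artifact of this page, the fragment is unclosed and the file will not compile. The rest of TextWithLinks continues outside the hunk.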
@@ -30874,7 +30874,7 @@ snapshots: htmlparser2: 10.1.0 uhyphen: 0.2.0 - linkify-it@5.0.0: + linkify-it@5.0.1: dependencies: uc.micro: 2.1.0