Skip to content

[WEB-5196] chore: switch from isomorphic-dompurify to dompurify#7983

Merged
sriramveeraghanta merged 3 commits into
previewfrom
chore/switch-dompurify-package
Oct 23, 2025
Merged

[WEB-5196] chore: switch from isomorphic-dompurify to dompurify#7983
sriramveeraghanta merged 3 commits into
previewfrom
chore/switch-dompurify-package

Conversation

@lifeiscontent

@lifeiscontent lifeiscontent commented Oct 18, 2025
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

Description

This PR replaces isomorphic-dompurify with the canonical dompurify package in shared utils:

  • Updated packages/utils/src/string.ts to import DOMPurify from dompurify with identical sanitize options.
  • Swapped the dependency in packages/utils/package.json to dompurify.
  • Removed the extra wrapper dependency from apps/web/package.json (where applicable).
  • Cleaned up and deduped pnpm-lock.yaml to a single dompurify version.

Why:

  • This is a front-end only application; we do not run code on the server. An isomorphic wrapper provides no benefit for our setup.
  • Reduce dependency surface area and avoid an extra wrapper that doesn’t add runtime value for our use-case.
  • Align with existing usage of dompurify elsewhere for consistency.
  • Slightly smaller installs/bundles due to deduplication and fewer transitive deps.

Impact:

  • No functional changes expected. The API remains the same (DOMPurify.sanitize) and the allowed tags configuration is unchanged.
  • Behavior remains browser-only, consistent with how these utils are consumed.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Screenshots and Media (if applicable)

N/A

Test Scenarios

Functional:

  • Verified sanitizeHTML, stripAndTruncateHTML, and isEmptyHtmlString still remove tags and trim text as before.
  • Manually tested user-generated HTML in rich text inputs (comments/descriptions) to ensure:
    • Valid content renders unchanged.
    • Malicious payloads (e.g., <img src=x onerror=alert(1)>, inline event handlers, script tags) are removed consistently.

Build and Type Checks:

  • pnpm -w i
  • pnpm -w -r check:types
  • pnpm -w -r check:lint
  • pnpm -w -r build

Regression/Parity:

  • Compared sanitized outputs before/after for representative samples to confirm parity.
  • Confirmed workspace resolves a single dompurify version in pnpm-lock.yaml.

Optional:

  • pnpm why dompurify to verify deduplication and that isomorphic-dompurify is no longer present.

References

Summary by CodeRabbit

  • Chores
    • Replaced the internal HTML sanitization dependency and updated its version across packages.
  • Breaking Change
    • Removed a public helper that validated empty HTML after sanitization; callers should adjust accordingly.

@lifeiscontent lifeiscontent self-assigned this Oct 18, 2025
@coderabbitai

coderabbitai Bot commented Oct 18, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Removed isomorphic-dompurify from the web app; replaced it with dompurify in the utils package and updated the import; removed DOMPurify usage and the isEmptyHtmlString helper from the space app.

Changes

Cohort / File(s) Summary
Web dependency removal
apps/web/package.json		 Removed isomorphic-dompurify from dependencies.
Utils migration
packages/utils/package.json, packages/utils/src/string.ts		 Added dompurify (3.2.7) to dependencies; replaced import source from isomorphic-dompurify to dompurify in src/string.ts.
Space app removals
apps/space/package.json, apps/space/helpers/string.helper.ts		 Removed dompurify from apps/space/package.json dependencies; deleted the exported isEmptyHtmlString(htmlString: string, allowedHTMLTags: string[] = []) helper and removed its DOMPurify import in helpers/string.helper.ts.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibbled at imports, hopped from old to new,
Swapped names and trimmed a helper or two.
Packages cleaner, the paths now align,
A tiny rabbit's tidy little sign. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title Check ✅ Passed The pull request title "[WEB-5196] chore: switch from isomorphic-dompurify to dompurify" clearly and specifically describes the main change in the changeset. It directly captures the primary objective of replacing the isomorphic-dompurify dependency with dompurify across the codebase. The title is concise, contains no noise or vague terminology, and a teammate reviewing the git history would immediately understand the nature of this change.
Description Check ✅ Passed The pull request description is comprehensive and covers all required sections of the template. It includes a detailed description explaining the changes made across multiple files, the motivation behind the switch, and the expected impact. The type of change is properly selected (code refactoring and performance improvements), test scenarios are thoroughly documented with functional testing, build checks, and regression testing, and references are provided including the ticket number and upstream documentation. The description exceeds the minimum requirements by providing clear rationale and extensive testing details.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch chore/switch-dompurify-package
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e494f3d and 1431872.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/space/helpers/string.helper.ts (0 hunks)
  • apps/space/package.json (0 hunks)
💤 Files with no reviewable changes (2)
  • apps/space/package.json
  • apps/space/helpers/string.helper.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Cursor Bugbot
  • GitHub Check: Build and lint web apps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@lifeiscontent lifeiscontent force-pushed the chore/switch-dompurify-package branch from d95ffa8 to b2f8c51 Compare October 18, 2025 07:28
@makeplane

makeplane Bot commented Oct 18, 2025
edited
Loading

Copy link
Copy Markdown

Linked to Plane Work Item(s)

This comment was auto-generated by Plane

@lifeiscontent lifeiscontent force-pushed the chore/switch-dompurify-package branch from b2f8c51 to f5ca56c Compare October 22, 2025 18:15
@lifeiscontent lifeiscontent marked this pull request as ready for review October 22, 2025 18:15
Copilot AI review requested due to automatic review settings October 22, 2025 18:15
Copilot AI reviewed Oct 22, 2025
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR replaces the isomorphic-dompurify wrapper with the canonical dompurify package, simplifying dependencies since the application only runs in the browser and doesn't require server-side rendering support.

Key Changes:

  • Switched from isomorphic-dompurify to dompurify in the shared utils package
  • Removed redundant isomorphic-dompurify dependency from the web app
  • Updated imports to use dompurify directly

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File Description
packages/utils/src/string.ts Updated import statement to use dompurify instead of isomorphic-dompurify
packages/utils/package.json Replaced isomorphic-dompurify dependency with dompurify
apps/web/package.json Removed redundant isomorphic-dompurify dependency
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

cursor[bot]

This comment was marked as outdated.

Sign in to view

coderabbitai[bot]
coderabbitai Bot reviewed Oct 22, 2025
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 772b5c5 and f5ca56c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • apps/web/package.json (0 hunks)
  • packages/utils/package.json (1 hunks)
  • packages/utils/src/string.ts (1 hunks)
💤 Files with no reviewable changes (1)
  • apps/web/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Cursor Bugbot
  • GitHub Check: Build and lint web apps
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (1)
packages/utils/src/string.ts (1)

1-1: The import change is safe—functions using DOMPurify are internal utilities, not exported.

Verification shows sanitizeHTML and isEmptyHtmlString are not exported from packages/utils/src/index.ts and are used exclusively in browser contexts (React components, localStorage operations). No server-side usage detected. The package's conditional exports (import/require) apply to other utilities, not these DOMPurify functions.

Comment thread packages/utils/package.json Outdated
@lifeiscontent
[WEB-5196] chore: switch from isomorphic-dompurify to dompurify
e494f3d 
Replace isomorphic-dompurify with dompurify package in utils.
This change simplifies the dependency and uses the canonical
DOMPurify package directly.
@lifeiscontent lifeiscontent force-pushed the chore/switch-dompurify-package branch from f5ca56c to e494f3d Compare October 23, 2025 00:45
coderabbitai[bot]
coderabbitai Bot reviewed Oct 23, 2025
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/space/package.json (1)

34-34: Version pinning is inconsistent with project conventions.

The dompurify version is pinned to "3.2.7" without a caret, whereas most other dependencies in this file use caret ranges (e.g., ^11.11.1, ^2.0.0). Pinned versions are more restrictive and can delay security patches.

If pinning is intentional for dompurify, please document the rationale. Otherwise, consider aligning with the project's versioning strategy.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f5ca56c and e494f3d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/space/package.json (2 hunks)
  • apps/web/package.json (0 hunks)
  • packages/utils/package.json (1 hunks)
  • packages/utils/src/string.ts (1 hunks)
💤 Files with no reviewable changes (1)
  • apps/web/package.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/utils/package.json
  • packages/utils/src/string.ts
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-10-09T22:12:26.424Z 
Learnt from: lifeiscontent
PR: makeplane/plane#7922
File: apps/admin/app/(all)/(dashboard)/ai/form.tsx:19-19
Timestamp: 2025-10-09T22:12:26.424Z
Learning: When `types/react` is installed in a TypeScript project (which is standard for React + TypeScript codebases), React types (React.FC, React.ReactNode, React.ComponentProps, etc.) are globally available by design. These type annotations can and should be used without explicitly importing the React namespace. This is a TypeScript/DefinitelyTyped feature, not codebase-specific configuration.

Applied to files:

  • apps/space/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build and lint web apps
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (1)
apps/space/package.json (1)

34-34: Dependency version alignment confirmed.

The dompurify version update to 3.2.7 aligns with the migration in packages/utils/package.json and is a backward-compatible minor version bump from 3.0.11. No functional impact is expected.

Comment thread apps/space/package.json Outdated
@sriramveeraghanta sriramveeraghanta changed the title chore: switch from isomorphic-dompurify to dompurify [WEB-5196] chore: switch from isomorphic-dompurify to dompurify Oct 23, 2025
@sriramveeraghanta sriramveeraghanta merged commit e710f5b into preview Oct 23, 2025
7 checks passed
@sriramveeraghanta sriramveeraghanta deleted the chore/switch-dompurify-package branch October 23, 2025 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@cursor cursor[bot] cursor[bot] left review comments

@sriramveeraghanta sriramveeraghanta sriramveeraghanta approved these changes

Assignees

@lifeiscontent lifeiscontent

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lifeiscontent @sriramveeraghanta