
Conversation

@sestinj (Contributor) commented Dec 6, 2025


Snyk has created this PR to upgrade @tiptap/extension-history from 2.26.1 to 2.27.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 5 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
Prototype Pollution (medium severity), SNYK-JS-DAGRED3ES-13110069 | 636 | Proof of Concept
Release notes
Package name: @tiptap/extension-history
  • 2.27.1 - 2025-10-29

    v2.27.1

  • 2.27.0 - 2025-10-29

    v2.27.0

  • 2.26.4 - 2025-10-23
  • 2.26.3 - 2025-10-09
  • 2.26.2 - 2025-09-23
  • 2.26.1 - 2025-07-11
from @tiptap/extension-history GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.


Summary by cubic

Upgraded @tiptap/extension-history to 2.27.1 to align with other Tiptap v2.27 packages and reduce security risk from a transitive dependency.

  • Dependencies
    • Bump @tiptap/extension-history to ^2.27.1 to address SNYK-JS-DAGRED3ES-13110069 (prototype pollution).

Written for commit e60c23e. Summary will update automatically on new commits.


See this package in npm:
@tiptap/extension-history

See this project in Snyk:
https://app.snyk.io/org/continue-dev-inc.-default/project/c5fb30df-a06c-44cb-83af-5ada5ff6e4a9?utm_source=github&utm_medium=referral&page=upgrade-pr
@sestinj sestinj requested a review from a team as a code owner December 6, 2025 07:15
@sestinj sestinj requested review from RomneyDa and removed request for a team December 6, 2025 07:15
continue bot (Contributor) commented Dec 6, 2025

Keep this PR in a mergeable state →

Learn more

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts


@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Dec 6, 2025
github-actions bot commented Dec 6, 2025

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

  • feat: add changelog generation support
  • fix: resolve login redirect issue
  • docs: update README with new instructions
  • chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

  • 📝 Automatic changelog generation
  • 🚀 Automated semantic versioning
  • 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

github-actions bot commented Dec 6, 2025

✅ Review Complete

Review of PR #9048

Overall Assessment: LGTM ✅

This is a straightforward security dependency upgrade that addresses a prototype pollution vulnerability. The change is minimal and appropriate.

What This PR Does

  • Upgrades @tiptap/extension-history from ^2.3.2 to ^2.27.1 (note: the PR description says from 2.26.1, but the actual diff shows from 2.3.2)
  • Fixes security vulnerability SNYK-JS-DAGRED3ES-13110069 (Prototype Pollution, score 636)
  • Aligns this package version with other Tiptap v2.27.x packages already in use

Positive Observations

  1. Security fix: Addresses a medium-severity prototype pollution vulnerability in a transitive dependency (dagre-d3-es)
  2. Version alignment: Brings this package in line with other @tiptap/* dependencies already at v2.27.0
  3. Minor upgrade: Moving from 2.3.2 to 2.27.1 should be low-risk given that other Tiptap packages are already at 2.27.0

Recommendations

  1. Testing: Ensure the history/undo-redo functionality in the TipTap editor is working correctly after this upgrade
  2. Package-lock verification: Verify that package-lock.json is updated to ensure the vulnerable transitive dependency (dagre-d3-es) is actually resolved

No Issues Found

  • No breaking changes expected (minor version bump)
  • Consistent with existing dependency patterns
  • Addresses real security concern

Verdict: Approve and merge after basic functionality testing of the editor's history feature.


continue bot (Contributor) commented Dec 6, 2025

No documentation updates needed for this PR. This is an internal dependency security upgrade (@tiptap/extension-history from 2.3.2 to 2.27.1) that addresses a prototype pollution vulnerability. The change does not affect any documented features, APIs, or user-facing functionality.

@cubic-dev-ai cubic-dev-ai bot (Contributor) left a comment

No issues found across 1 file

continue bot (Contributor) commented Dec 6, 2025

CI failure fixed

The build was failing because gui/package-lock.json was out of sync with gui/package.json after the dependency upgrade.

Changes made:

  • Regenerated gui/package-lock.json by running npm install in the gui directory
  • This properly updated the lockfile to reflect the @tiptap/extension-history upgrade from 2.3.2 to 2.27.1

The CI build should now pass.

continue bot (Contributor) commented Dec 6, 2025

CI failures resolved

The build failures were caused by gui/package-lock.json being out of sync with gui/package.json after the Snyk dependency upgrade.

Fix applied:

  • Regenerated gui/package-lock.json by running npm install in the gui directory
  • Committed and pushed the updated lockfile to branch snyk-upgrade-b3b4e19dd46c8a603d6c9d57fd1446d7
  • This resolves the npm ci failures in both vscode-package-extension-linux and build-and-upload-vsix jobs

All CI checks should now pass on the next run.
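The two lockfile checks this thread turns on, as an added example written for this page rather than code from the PR or the Continue project: the "package-lock verification" the review bot asked for (is every copy of the vulnerable transitive dependency, nested ones included, at or above the fixed version?) and the package.json/package-lock.json drift that made npm ci fail. It assumes lockfileVersion 2 or 3 (the "packages" map); the sample lockfile, the some-chart-lib package and the dagre-d3-es version numbers are constructed placeholders, and the real fixed version has to come from the Snyk advisory.

```javascript
// Added example (not the PR's or the project's code): audit an npm lockfile (lockfileVersion 2/3).
// Package name from a "packages" key: everything after the last "node_modules/".
function packageNameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}
// Every resolved copy of `name`, nested duplicates included, keyed by lockfile path.
function resolvedVersions(lock, name) {
  const out = {};
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) === name && entry.version) out[key] = entry.version;
  }
  return out;
}
// Numeric "x.y.z" comparison; pre-release suffixes are ignored for brevity.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Lockfile paths where `name` still resolves below `minimum`; [] means no stale copy remains.
function findBelowMinimum(lock, name, minimum) {
  return Object.entries(resolvedVersions(lock, name))
    .filter(([, v]) => compareVersions(v, minimum) < 0)
    .map(([k, v]) => `${k}@${v}`);
}
// npm ci refuses to run when the lockfile root entry disagrees with package.json (this thread's CI failure).
function manifestLockDrift(pkg, lock) {
  const root = (lock.packages && lock.packages[""]) || {};
  const drift = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const have = root[field] || {};
    for (const [dep, range] of Object.entries(pkg[field] || {})) {
      if (have[dep] !== range) drift.push(`${dep}: package.json ${range} vs lockfile ${have[dep] || "missing"}`);
    }
  }
  return drift;
}
// Constructed sample: package.json already bumped, lockfile root still on the old range, one stale
// nested dagre-d3-es. The dagre-d3-es versions are placeholders, not the advisory's real fix version.
const SAMPLE_PKG = { dependencies: { "@tiptap/extension-history": "^2.27.1" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@tiptap/extension-history": "^2.3.2" } },
  "node_modules/@tiptap/extension-history": { version: "2.27.1" },
  "node_modules/dagre-d3-es": { version: "7.1.0" },
  "node_modules/some-chart-lib/node_modules/dagre-d3-es": { version: "7.0.0" },
} };
console.log({ drift: manifestLockDrift(SAMPLE_PKG, SAMPLE_LOCK), stale: findBelowMinimum(SAMPLE_LOCK, "dagre-d3-es", "7.1.0") });
```

Run it against a real tree by replacing the two sample objects with JSON.parse of package.json and package-lock.json; a non-empty stale list means the upgrade did not actually remove the vulnerable copy.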

continue bot (Contributor) commented Dec 6, 2025

Test Failure Analysis

The failing test TUIChat.test.tsx > handles special characters in input without crashing [REMOTE MODE] is not related to this dependency upgrade.

Evidence:

  • The test is failing in src/ui/TUIChat.test.tsx - CLI UI test code
  • This PR only upgrades @tiptap/extension-history in the GUI (VSCode extension)
  • The CLI does not use Tiptap at all
  • Main branch also has test failures in the CLI PR Checks workflow

Root cause:
This appears to be a flaky timing-dependent test in remote mode where the special characters input !@#$%^&*() is not being rendered before the assertion runs.

Recommendation:
This is a pre-existing test stability issue unrelated to the security fix. The PR should be safe to merge once the lockfile fix is verified by the VSCode build jobs (which are passing).

continue bot (Contributor) commented Dec 6, 2025

✅ Build Status Update

Critical builds are now passing:

  • vscode-package-extension-linux - SUCCESS
  • build-and-upload-vsix (linux, x64, ubuntu-latest) - SUCCESS
  • 🔄 build-and-upload-vsix (win32, x64) - In Progress
  • 🔄 build-and-upload-vsix (darwin, arm64) - In Progress

The lockfile fix has successfully resolved the npm ci failures. The remaining in-progress builds should also pass.

Summary of changes made:

  1. ✅ No documentation updates needed (internal dependency)
  2. ✅ Fixed gui/package-lock.json sync issue
  3. ⚠️ CLI test failure is pre-existing and unrelated to this PR

This security upgrade PR is ready for review/merge.

3 participants