With the latest version of monaco-react in my `package.json`, `npm audit` and GitHub security reports issues -
GHSA-v2wj-7wpq-c8vv (CVE-2026-0540)
Could you upgrade the dependency on monaco-editor to a version that has `dompurify >= 3.3.2`?
Some more details:
```json
{ // package.json
  "dependencies": { ..., "@monaco-editor/react": "^4.7.0", ... }
}
```
```
# npm audit report
dompurify 3.1.3 - 3.3.1
Severity: moderate
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix`
node_modules/monaco-editor/node_modules/dompurify
monaco-editor >=0.54.0-dev-20250909
Depends on vulnerable versions of dompurify
node_modules/monaco-editor
2 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
```
Unfortunately, `npm audit fix` can't fix anything in this case either since it's a nested dependency.
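A lockfile check for the nested copy reported in this issue, as an added example (not code from the issue author or the monaco-react project): it walks the `packages` map of a parsed `package-lock.json` and reports every installed dompurify in the range the audit report prints, 3.1.3 - 3.3.1, together with the package that carries it. The function names and the sample lockfile (including its version numbers) are constructed for illustration, and it assumes lockfileVersion 2 or 3.

```javascript
// Affected range as printed by the npm audit report above.
const VULN_MIN = [3, 1, 3];
const VULN_MAX = [3, 3, 1];
const SUFFIX = "node_modules/dompurify";

// Parse "x.y.z" into [x, y, z]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// lock: parsed package-lock.json. Returns [{ path, version, parent }]
// for every dompurify install inside the affected range.
function findVulnerableDompurify(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(SUFFIX)) continue; // skips e.g. @types/dompurify
    const ver = parseVersion(meta.version);
    if (!ver) continue;
    if (compare(ver, VULN_MIN) >= 0 && compare(ver, VULN_MAX) <= 0) {
      // The parent is the package whose node_modules holds this copy.
      const parent = path.slice(0, -SUFFIX.length).replace(/\/$/, "");
      hits.push({ path, version: meta.version, parent: parent || "(root)" });
    }
  }
  return hits;
}

// Constructed sample lockfile: one nested copy in range, one hoisted copy fixed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/@monaco-editor/react": { version: "4.7.0" },
    "node_modules/monaco-editor": { version: "0.55.0" },
    "node_modules/monaco-editor/node_modules/dompurify": { version: "3.2.7" },
    "node_modules/dompurify": { version: "3.3.2" },
  },
};
console.log(findVulnerableDompurify(sampleLock));
```

Run against a real project by passing `JSON.parse` of the project's `package-lock.json` instead of `sampleLock`; a non-empty result in CI means a copy in the affected range is still installed, even if the top-level dependency list looks clean.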