9 Commits

Author SHA1 Message Date
Vijay Janapa Reddi
09976342d2 fix(socratiq): bump uuid to ^14.0.0 (GHSA, buffer bounds in v3/v5/v6)
Transitive via mermaid@11.14.0 — only consumer in this package — uses
uuid v4 (random IDs for diagrams), unaffected by the buffer-bounds bug
in v3/v5/v6, but Dependabot still flags any uuid <14.0.0. Pinned via
overrides so future mermaid bumps stay on the patched line.

Closes Dependabot #88.
2026-05-01 17:23:27 -04:00
dependabot[bot]
eff5e8ec2b build(deps): bump markdown-it from 14.1.0 to 14.1.1 in /socratiq
Bumps [markdown-it](https://github.com/markdown-it/markdown-it) from 14.1.0 to 14.1.1.
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](https://github.com/markdown-it/markdown-it/compare/14.1.0...14.1.1)

---
updated-dependencies:
- dependency-name: markdown-it
  dependency-version: 14.1.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-26 08:19:55 -04:00
Vijay Janapa Reddi
64c99415c1 fix(socratiq): bump vite-plugin-singlefile to ^2.3.0 to satisfy vite 8 peer dep
vite-plugin-singlefile@2.0.2 declares a peer dependency on
vite ^5.4.11 || ^6.0.0, but socratiq/ pins vite ^8.0.10. npm refused
to resolve the dep tree, so 'npm ci' failed in the SocratiQ Bundle
Drift workflow on every PR that touched socratiq/package-lock.json
— including dependabot bumps for unrelated transitive packages
(see #1538 markdown-it, #1539 solid-js).

vite-plugin-singlefile@2.3.0+ supports vite 5/6/7/8, so a one-line
bump unblocks 'npm ci', which lets the bundle drift check actually
run again.

Also commits the regenerated production bundle and stylesheet to
satisfy the drift check itself.
2026-04-26 07:57:18 -04:00
dependabot[bot]
007fd45409 build(deps): bump jspdf and jspdf-autotable in /socratiq
Bumps [jspdf](https://github.com/parallax/jsPDF) and [jspdf-autotable](https://github.com/simonbengtsson/jsPDF-AutoTable). These dependencies needed to be updated together.

Updates `jspdf` from 2.5.2 to 4.2.1
- [Release notes](https://github.com/parallax/jsPDF/releases)
- [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md)
- [Commits](https://github.com/parallax/jsPDF/compare/v2.5.2...v4.2.1)

Updates `jspdf-autotable` from 3.8.4 to 5.0.7
- [Release notes](https://github.com/simonbengtsson/jsPDF-AutoTable/releases)
- [Commits](https://github.com/simonbengtsson/jsPDF-AutoTable/compare/v3.8.4...v5.0.7)

---
updated-dependencies:
- dependency-name: jspdf
  dependency-version: 4.2.1
  dependency-type: direct:production
- dependency-name: jspdf-autotable
  dependency-version: 5.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-25 12:07:50 +00:00
dependabot[bot]
bc8dcd4831 build(deps-dev): bump vite from 5.4.20 to 8.0.10 in /socratiq
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.20 to 8.0.10.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.10
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-25 11:47:25 +00:00
dependabot[bot]
c6378b3566 build(deps): bump lodash-es and mermaid in /socratiq
Bumps [lodash-es](https://github.com/lodash/lodash) to 4.18.1 and updates ancestor dependency [mermaid](https://github.com/mermaid-js/mermaid). These dependencies need to be updated together.
Updates `lodash-es` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1)

Updates `mermaid` from 11.11.0 to 11.14.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.11.0...mermaid@11.14.0)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: mermaid
  dependency-version: 11.14.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-24 20:02:45 +00:00
Vijay Janapa Reddi
858011aaac chore(socratiq): rename package to @mlsysbook/socratiq
The package had been carrying the legacy name "injectchat" inherited
from an earlier prototype. Rename to the scoped name matching the
rest of the mlsysbook ecosystem, add a real description, and mark the
package private so it cannot be accidentally published to npm.

No behavioural change — the package is consumed only via the prebuilt
bundle at book/quarto/tools/scripts/socratiQ/bundle.js; nothing in
the repository imports it by name.
2026-04-24 13:42:42 -04:00
kai4avaya
b19b9306ee fix: address CodeQL security alerts and code quality warnings
- XSS: validate URL (same-origin, http/https only) before window.location.href
  in streamdown_markdown.js and reference_renderer.js
- XSS: replace tooltip.innerHTML with DOM construction in streamdown_markdown.js
- XSS: sanitize mermaid SVG with DOMPurify in renderMermaid() and at call site
- XSS: sanitize customContainerHtml, mathDiv, and preview.innerHTML with DOMPurify
- XSS: replace button.innerHTML with textContent for question buttons
- XSS: add escapeHtml() for mermaid error messages interpolated into innerHTML
- Add DOMPurify ^3.4.0 to dependencies
- Remove duplicate diagramId assignments in highlight.js and markdown.js
- Remove unused percentLineIndex variable in markdown.js and streamdown_markdown.js
- Remove useless targetElement assignment in streamdown_markdown.js
- chart.js: replace /auto import with tree-shaken named imports in spaced-repetition-stats.js
- Add _comments to package.json documenting bundle size analysis per dependency
2026-04-21 19:32:00 -04:00
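The first two bullets of the commit above describe the pattern worth showing in code: parse the candidate URL, allowlist the scheme, compare origins, and only then assign `window.location.href`; plus an `escapeHtml()` for text that must still go through `innerHTML`. The block below is an added illustration of that pattern, not code from the mlsysbook repository or from the commit; the function names, the assumed page origin `https://example.test` and the sample inputs are all constructed here. The DOMPurify steps from the same commit are not reproduced because they need a DOM.

```javascript
// Added example of the same-origin, http/https-only navigation check
// described in the commit above. Names and the assumed origin are
// illustrative, not the project's own code.

// Return the normalised absolute URL if `candidate` resolves to the same
// origin as `currentOrigin` over http or https, otherwise null. A null
// result means the caller must not assign window.location.href.
function safeNavigationTarget(candidate, currentOrigin) {
  let url;
  try {
    // Relative paths resolve against the current origin; absolute URLs keep
    // their own scheme and host, which is exactly what the checks below test.
    url = new URL(candidate, currentOrigin);
  } catch (e) {
    return null; // unparseable input never reaches window.location.href
  }
  // Scheme allowlist: rejects javascript:, data:, blob:, file:, vbscript:, ...
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Origin comparison covers scheme, host and port; a string prefix check
  // would let "https://example.test.evil.tld" through.
  if (url.origin !== new URL(currentOrigin).origin) return null;
  return url.href;
}

// Escape the characters HTML treats specially so an arbitrary string (for
// instance a Mermaid parse error) can be interpolated into innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs of the kind a rendered link or query string might carry.
const ORIGIN = 'https://example.test'; // assumed current page origin
const samples = [
  '/chapter/3#section',             // relative path: allowed
  'https://example.test/x?y=1',      // same origin: allowed
  'https://example.test.evil.tld/',  // prefix-match trap: rejected by origin check
  'http://example.test/',            // scheme downgrade is a different origin: rejected
  'javascript:alert(1)',             // dangerous scheme: rejected
  '//attacker.tld/phish',            // protocol-relative, other host: rejected
  'data:text/html,<script>',         // data: scheme: rejected
  'http://',                         // unparseable: rejected
];

// Pair each candidate with the check's verdict.
function classify(list, origin) {
  return list.map((c) => [c, safeNavigationTarget(c, origin)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [c, r] of classify(samples, ORIGIN)) {
    console.log(r ? `ALLOW ${c} -> ${r}` : `BLOCK ${c}`);
  }
  // In a page this would be: errorDiv.innerHTML = escapeHtml(err.message);
  console.log(escapeHtml('Parse error on line 1: <text> "unterminated"'));
}
```

In a browser the caller would pass `window.location.origin` as `currentOrigin` and assign `window.location.href` only when the result is non-null; the check belongs immediately before the assignment so no later code path can bypass it.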
kai4avaya
81909553c3 feat: add socratiq directory (excluding node_modules and dist)
2026-04-21 18:39:28 -04:00