
fix(safe-markdown): do not mutate the shared sanitization schema #41298

Open
rusackas wants to merge 1 commit into master from fix/safe-markdown-no-schema-mutation

Conversation

@rusackas

Member

SUMMARY

getOverrideHtmlSchema passed the module-level defaultSchema import from rehype-sanitize as the first argument to lodash mergeWith, which mutates its first argument in place. Because the array customizer concatenates rather than replaces, the allowed tags/attributes/protocols arrays grew on each call — progressively widening the sanitization allowlist for every SafeMarkdown instance across the app, not just the one with overrides.

This merges into a fresh cloneDeep of the schema so the shared singleton is never modified and repeated calls do not accumulate overrides.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — internal behavior.

TESTING INSTRUCTIONS

Tests added in superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx:

  • The original schema passed in is not mutated.
  • The shared defaultSchema import is unchanged after calls, and repeated calls do not accumulate the override (arrays do not grow).

Run: cd superset-frontend && npm run test -- packages/superset-ui-core/test/components/SafeMarkdown.test.tsx

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

getOverrideHtmlSchema passed the module-level defaultSchema import from
rehype-sanitize as the first argument to lodash mergeWith, which mutates it.
Because the array customizer concatenates, the allowed tags/attributes/protocols
arrays grew on each call, progressively widening the sanitization allowlist for
every SafeMarkdown instance app-wide.

Merge into a fresh cloneDeep of the schema so the shared singleton is never
modified.

Adds tests asserting the original schema is not mutated and that repeated calls
do not accumulate overrides.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
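The mechanism described in the summary, as an added example that is not Superset's code and does not use the real lodash or rehype-sanitize packages: mergeWithConcat is a small stand-in for lodash mergeWith with an array-concatenating customizer (it writes into its first argument and returns it, as lodash does), cloneDeep is a stand-in for lodash cloneDeep, and defaultSchema, iframeOverrides and the two getOverrideHtmlSchema* functions are constructed here to show the before/after behaviour. Rendering one instance with overrides twice, then an instance with no overrides, shows the allowlist growing and leaking under the buggy pattern and staying fixed under the cloned one.

```typescript
// Added example, not project code: merging overrides into a shared sanitize
// schema widens the allowlist for every caller; cloning first prevents it.

type Schema = {
  tagNames: string[];
  attributes: Record<string, string[]>;
  protocols: Record<string, string[]>;
};

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Stand-in for lodash mergeWith with an array-concatenating customizer.
// Like lodash, it mutates `target` and returns it.
function mergeWithConcat(target: any, source: any): any {
  for (const key of Object.keys(source)) {
    const objValue = target[key];
    const srcValue = source[key];
    if (Array.isArray(objValue) && Array.isArray(srcValue)) {
      target[key] = objValue.concat(srcValue); // concatenate, never replace
    } else if (isPlainObject(objValue) && isPlainObject(srcValue)) {
      mergeWithConcat(objValue, srcValue);     // recurse into nested maps
    } else {
      target[key] = srcValue;
    }
  }
  return target;
}

// Stand-in for lodash cloneDeep; adequate for plain JSON data like a schema.
function cloneDeep<T>(value: T): T {
  return JSON.parse(JSON.stringify(value)) as T;
}

// Constructed stand-in for the module-level defaultSchema singleton
// (the real rehype-sanitize schema is far larger).
const defaultSchema: Schema = {
  tagNames: ['a', 'p', 'strong'],
  attributes: { a: ['href', 'title'] },
  protocols: { href: ['http', 'https', 'mailto'] },
};

// Before the fix: the shared object is the merge target, so it is mutated.
function getOverrideHtmlSchemaBuggy(shared: Schema, overrides: Partial<Schema>): Schema {
  return mergeWithConcat(shared, overrides);
}

// After the fix: merge into a fresh clone; the singleton is never touched.
function getOverrideHtmlSchemaFixed(shared: Schema, overrides: Partial<Schema>): Schema {
  return mergeWithConcat(cloneDeep(shared), overrides);
}

// Hypothetical overrides for one instance that needs <iframe>.
const iframeOverrides: Partial<Schema> = {
  tagNames: ['iframe'],
  attributes: { iframe: ['src'] },
  protocols: { src: ['http', 'https'] },
};

type Outcome = {
  secondRenderTagCount: number;       // tags allowed for the overriding instance on re-render
  sharedTagCount: number;             // tags left in the shared schema afterwards
  plainInstanceAllowsIframe: boolean; // does an instance with NO overrides now allow <iframe>?
};

// Render the overriding instance twice, then an instance with no overrides.
function simulate(get: (s: Schema, o: Partial<Schema>) => Schema, shared: Schema): Outcome {
  get(shared, iframeOverrides);
  const second = get(shared, iframeOverrides);
  const plain = get(shared, {});
  return {
    secondRenderTagCount: second.tagNames.length,
    sharedTagCount: shared.tagNames.length,
    plainInstanceAllowsIframe: plain.tagNames.indexOf('iframe') !== -1,
  };
}

function compare(): { buggy: Outcome; fixed: Outcome; defaultTagCount: number } {
  // The buggy path gets its own copy so it cannot pollute the fixed run.
  const buggy = simulate(getOverrideHtmlSchemaBuggy, cloneDeep(defaultSchema));
  const fixed = simulate(getOverrideHtmlSchemaFixed, defaultSchema);
  return { buggy, fixed, defaultTagCount: defaultSchema.tagNames.length };
}

console.log(JSON.stringify(compare(), null, 2));
```

Under the buggy pattern the overriding instance sees 5 allowed tags on its second render (iframe appended twice), the shared schema itself now has 5, and the instance with no overrides allows iframe. Under the cloned pattern the overriding instance sees 4 every time, the shared schema stays at 3, and the plain instance never allows iframe. Assertions of exactly that shape are what the PR's tests check.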

bito-code-review Bot commented Jun 23, 2026

Contributor

Code Review Agent Run #f598a6

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 80e195a..80e195a
    • superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx
    • superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


dosubot Bot added the change:frontend (Requires changing the frontend) label Jun 23, 2026

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.34%. Comparing base (3b46a5f) to head (80e195a).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #41298   +/-   ##
=======================================
  Coverage   64.34%   64.34%           
=======================================
  Files        2653     2653           
  Lines      144952   144952           
  Branches    33433    33433           
=======================================
+ Hits        93272    93273    +1     
+ Misses      49996    49995    -1     
  Partials     1684     1684           
Flag Coverage Δ
javascript 68.58% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


Labels: asvs, change:frontend (Requires changing the frontend), packages, size/M