Description
Problem
PR #1412 updates underscore.js from 1.13.7 to 1.13.8 to address CVE-2026-27601 (High severity, CVSS 8.2 — uncontrolled recursion in _.flatten and _.isEqual enabling DoS).
However, the PR accidentally deletes the entire Emmet core library. The file src/Spe/sitecore modules/PowerShell/Scripts/ace/emmet-core/emmet.js is a 12,762-line bundle containing:
- Lines 1–12: Underscore.js (minified dependency)
- Lines 13–12,762: Emmet core library (HTML/CSS abbreviation engine used by the ISE editor)
The PR replaces all 12,762 lines with just 12 lines of updated underscore code (+7 / -12,758). Merging this would completely break Emmet abbreviation expansion in the SPE ISE.
Additional Issue
The PR header comment uses a placeholder ticket reference (SXA-xxxx) instead of a real ticket number.
Proposed Fix
The correct fix should only replace lines 1–12 (the underscore portion) with the updated 1.13.8 minified code, leaving all Emmet code from line 13 onward untouched:
- Update the header comment (lines 1–6) to reference version 1.13.8
- Replace the single minified underscore line (line 7) with the 1.13.8 minified source
- Update the internal version comments (lines 8–11)
- Preserve ALL Emmet code from line 13 onward unchanged
Verification
- After the fix, `wc -l` should still show ~12,762 lines
- The Emmet code starting at line 13 (`/** * Core Emmet object...`) must remain intact
- Search for `var n="1.13.8"` to confirm the underscore version update
References
- PR: Update underscore to version 1.13.8 #1412
- Advisory: GHSA-qpx9-hpmf-5gmw
- CVE: CVE-2026-27601
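The verification steps above, scripted as an added example (not part of the SPE project or this PR). It assumes the file layout the issue describes: lines 1 to 6 are the underscore header, line 7 the minified library carrying `var n="<version>"`, and line 13 opens the Emmet core block. The `make_sample` helper builds a constructed stand-in file with that layout so the check can be exercised offline; the real bundle path and contents are not reproduced here.

```shell
#!/bin/sh
# Added example: post-bump sanity check for a vendored bundle that concatenates
# underscore.js (lines 1-12) and the Emmet core library (line 13 onward).
# Not the SPE project's own tooling; the sample file below is constructed.
set -eu

# check_bundle FILE EXPECTED_VERSION MIN_LINES
# Returns 0 when the bundle still looks intact after the dependency update,
# 1 (with a FAIL message) otherwise.
check_bundle() {
  file=$1; version=$2; min_lines=$3
  total=$(wc -l < "$file" | tr -d ' ')

  # 1. The file must not have collapsed to just the replaced underscore lines.
  [ "$total" -ge "$min_lines" ] || {
    echo "FAIL: $file has only $total lines (expected >= $min_lines)"; return 1; }

  # 2. The header comment (lines 1-6) must reference the new version.
  head -n 6 "$file" | grep -qF "$version" || {
    echo "FAIL: header does not mention version $version"; return 1; }

  # 3. The minified underscore line must carry the new version string.
  grep -qF "var n=\"$version\"" "$file" || {
    echo "FAIL: var n=\"$version\" not found"; return 1; }

  # 4. Line 13 must still open the Emmet core block.
  case "$(sed -n '13p' "$file")" in
    '/** * Core Emmet object'*) ;;
    *) echo "FAIL: line 13 is not the Emmet core header"; return 1 ;;
  esac

  echo "OK: $file ($total lines, underscore $version, Emmet intact)"
  return 0
}

# make_sample OUT VERSION TOTAL_LINES
# Writes a constructed stand-in bundle with the layout described in the issue.
# With TOTAL_LINES=12 it reproduces the broken PR result (no Emmet code).
make_sample() {
  out=$1; version=$2; total=$3
  awk -v v="$version" -v n="$total" 'BEGIN {
    for (i = 1; i <= 6; i++)
      print "//     Underscore.js " v " (constructed header line " i ")"
    print "!function(){var n=\"" v "\";/* constructed stand-in for the minified library */}();"
    for (i = 8; i <= 11; i++)
      print "// version " v " (constructed internal version comment)"
    print ""
    if (n > 12) {
      print "/** * Core Emmet object (constructed stand-in for the Emmet bundle) */"
      for (i = 14; i <= n; i++) print "// emmet line " i
    }
  }' > "$out"
}

# Usage: build a correct bundle and a collapsed one, then check both.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_sample "$dir/good.js" 1.13.8 12762
  make_sample "$dir/bad.js"  1.13.8 12
  check_bundle "$dir/good.js" 1.13.8 12700
  check_bundle "$dir/bad.js"  1.13.8 12700 || echo "bad.js rejected as expected"
  rm -rf "$dir"
fi
```

Run with `sh check_bundle.sh demo` to see the intact and collapsed samples; against the real file, call `check_bundle` with the bundle path, the expected version and a line-count floor a little below the current `wc -l`.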