[Snyk] Security upgrade @scalar/api-reference-react from 0.9.20 to 0.9.36#2536

Status: Open
boyney123 wants to merge 1 commit into main from snyk-fix-adb5639d9211ea5db99686240ad8155e

Conversation

@boyney123 (Collaborator)

Snyk has created this PR to fix 7 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • packages/core/package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

  Severity   Issue                               Snyk ID                      Score
  medium     Cross-site Scripting (XSS)          SNYK-JS-DOMPURIFY-16132234   434
  medium     Operator Precedence Logic Error     SNYK-JS-DOMPURIFY-16078387   422
  medium     Cross-site Scripting (XSS)          SNYK-JS-DOMPURIFY-15810938   372
  low        Cross-site Scripting (XSS)          SNYK-JS-DOMPURIFY-16131135   294
  medium     Prototype Pollution                 SNYK-JS-DOMPURIFY-15874903   265
  medium     Permissive List of Allowed Inputs   SNYK-JS-DOMPURIFY-15874905   265
  medium     Cross-site Scripting (XSS)          SNYK-JS-DOMPURIFY-15371376   255

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

  Project                  Deployment   Actions   Updated (UTC)
  eventcatalog-playground  Ignored      Ignored   May 15, 2026 8:34am

changeset-bot Bot commented May 15, 2026

⚠️ No Changeset found

Latest commit: cf23d10

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cf23d10941

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

"@radix-ui/react-popover": "^1.1.15",
"@radix-ui/react-tooltip": "^1.1.8",
"@scalar/api-reference-react": "^0.9.19",
"@scalar/api-reference-react": "^0.9.36",
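Review bot: The specifier bump to `"^0.9.36"` in packages/core/package.json lands without a matching pnpm-lock.yaml change, and Snyk's own banner above states the lockfile update failed, so the lockfile still carries the old specifier and the vulnerable resolution; regenerate it in the same commit (`pnpm install --lockfile-only`, or a full `pnpm install`) so that a frozen-lockfile install in CI does not fail and the transitive dompurify actually moves to a fixed release. Note also that the removed line reads `"^0.9.19"` while the PR title says "from 0.9.20": the title reflects the locked resolution, which is exactly why the lockfile, not the manifest, is where the vulnerable version is pinned.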

P1: Update pnpm-lock.yaml with this dependency bump

This manifest now requires @scalar/api-reference-react ^0.9.36, but pnpm-lock.yaml still records the importer specifier as ^0.9.19 and resolves 0.9.20. The workflows I checked (.github/workflows/lint.yml and verify-build.yml) run pnpm i; pnpm's install docs say CI uses frozen lockfile by default and fails when the lockfile is out of sync, so this PR will fail installation and also continue using the vulnerable locked version until the lockfile is regenerated.

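The manifest/lockfile drift described in the review above can be caught before CI runs. The POSIX shell script below is an added example, not part of this PR or of the EventCatalog project: it constructs a sample package.json and a pnpm-lock.yaml excerpt mirroring this PR's state (manifest at ^0.9.36, lockfile still recording ^0.9.19 and resolving 0.9.20) and compares each declared range with the specifier the lockfile's importer records for it. The helper names, the `packages/core` importer path and the file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the project's code): detect drift between the range
# declared for a dependency in package.json and the specifier recorded for
# it in pnpm-lock.yaml. Such drift is what makes a frozen-lockfile install
# fail and leaves the old resolution in place until the lockfile is rebuilt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed manifest: the dependency range after the Snyk bump.
cat > "$WORK/package.json" <<'EOF'
{
  "name": "@eventcatalog/core",
  "dependencies": {
    "@radix-ui/react-popover": "^1.1.15",
    "@scalar/api-reference-react": "^0.9.36"
  }
}
EOF

# Constructed lockfile excerpt: still records the pre-bump specifier/resolution.
cat > "$WORK/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'
importers:
  packages/core:
    dependencies:
      '@radix-ui/react-popover':
        specifier: ^1.1.15
        version: 1.1.15
      '@scalar/api-reference-react':
        specifier: ^0.9.19
        version: 0.9.20
EOF

# manifest_range MANIFEST PKG -> range declared for PKG in package.json
manifest_range() {
  sed -n "s|^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# lock_specifier LOCKFILE PKG -> specifier recorded for PKG in pnpm-lock.yaml
# (the first `specifier:` line following the package's key, quoted or not)
lock_specifier() {
  awk -v pkg="$2" -v q="'" '
    $0 ~ ("^[ \t]*" q "?" pkg q "?:[ \t]*$") { hit = 1; next }
    hit && $1 == "specifier:"               { print $2; exit }
  ' "$1"
}

# check_sync MANIFEST LOCKFILE PKG -> returns 0 when the lockfile specifier
# equals the manifest range, 1 (with a report on stderr) otherwise
check_sync() {
  want=$(manifest_range "$1" "$3")
  have=$(lock_specifier "$2" "$3")
  if [ -n "$want" ] && [ "$want" = "$have" ]; then
    echo "in-sync  $3  $want"
    return 0
  fi
  echo "drift    $3  manifest=${want:-<missing>}  lockfile=${have:-<missing>}" >&2
  return 1
}

# Walk the packages of interest; DRIFT=1 means a frozen-lockfile install fails.
DRIFT=0
for pkg in '@radix-ui/react-popover' '@scalar/api-reference-react'; do
  check_sync "$WORK/package.json" "$WORK/pnpm-lock.yaml" "$pkg" || DRIFT=1
done
echo "drift detected: $DRIFT"
```

In a real repository the two `cat` blocks are replaced by the checked-in files, and the script ends with `exit "$DRIFT"` so the check gates the pipeline; the comparison is deliberately on the specifier rather than the resolved version, because the specifier is what pnpm validates in frozen mode.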
