fix(core): upgrade refractor to 5.0.0 and react-refractor to 4.0.0 and @sanity/ui to 3.0.0

[RitaDias]

Description

Upgrade refractor 5.0.0, react-refractor 4.0.0 and @sanity/ui to 3.0.0
Addresses CVE-2024-53382.
As prism is a sub-dependency of refractor.

What to review

Anything jumps at you as wrong?

Testing

All tests should pass

Notes for release

Thanks to @chuttam for the initial raising of this in #9322

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
page-building-studio	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 11:42am
performance-studio	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 11:42am
test-studio	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 24, 2025 11:42am

3 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
e2e-studio	⬜️ Ignored (Inspect)			Jul 24, 2025 11:42am
studio-workshop	⬜️ Ignored (Inspect)	Visit Preview		Jul 24, 2025 11:42am
test-next-studio	⬜️ Ignored (Inspect)			Jul 24, 2025 11:42am

[github-actions]

No changes to documentation

[github-actions]

⚡️ Editor Performance Report

Updated Thu, 24 Jul 2025 12:26:02 GMT

Benchmark	reference latency of sanity@latest	experiment latency of this branch	Δ (%) latency difference
article (title)	19.8 efps (51ms)	22.5 efps (45ms)	-6ms (-11.9%)	✅
article (body)	16.8 efps (60ms)	16.1 efps (62ms)	+3ms (+4.5%)	✅
article (string inside object)	20.6 efps (49ms)	20.8 efps (48ms)	-1ms (-1.0%)	✅
article (string inside array)	17.9 efps (56ms)	18.3 efps (55ms)	-2ms (-2.7%)	✅
recipe (name)	37.7 efps (27ms)	38.5 efps (26ms)	-1ms (-1.9%)	✅
recipe (description)	41.7 efps (24ms)	41.7 efps (24ms)	+0ms (-/-%)	✅
recipe (instructions)	99.9+ efps (7ms)	99.9+ efps (9ms)	+2ms (-/-%)	✅
synthetic (title)	15.6 efps (64ms)	16.5 efps (61ms)	-4ms (-5.5%)	✅
synthetic (string inside object)	15.4 efps (65ms)	16.7 efps (60ms)	-5ms (-7.7%)	✅

efps — editor "frames per second". The number of updates assumed to be possible within a second.

Derived from input latency. efps = 1000 / input_latency

Detailed information

🏠 Reference result

The performance result of sanity@latest

Benchmark	latency	p75	p90	p99	blocking time	test duration
article (title)	51ms	55ms	69ms	172ms	542ms	11.7s
article (body)	60ms	97ms	117ms	382ms	1360ms	11.1s
article (string inside object)	49ms	52ms	58ms	364ms	433ms	8.2s
article (string inside array)	56ms	63ms	75ms	249ms	677ms	9.0s
recipe (name)	27ms	32ms	35ms	84ms	8ms	7.7s
recipe (description)	24ms	27ms	30ms	210ms	11ms	5.9s
recipe (instructions)	7ms	47ms	54ms	98ms	0ms	4.2s
synthetic (title)	64ms	65ms	69ms	81ms	1239ms	13.3s
synthetic (string inside object)	65ms	69ms	80ms	502ms	1933ms	10.2s

🧪 Experiment result

The performance result of this branch

Benchmark	latency	p75	p90	p99	blocking time	test duration
article (title)	45ms	53ms	66ms	164ms	269ms	11.7s
article (body)	62ms	97ms	136ms	270ms	1788ms	12.3s
article (string inside object)	48ms	55ms	66ms	108ms	390ms	8.4s
article (string inside array)	55ms	62ms	77ms	392ms	1030ms	9.2s
recipe (name)	26ms	28ms	35ms	94ms	28ms	7.8s
recipe (description)	24ms	28ms	50ms	227ms	6ms	6.0s
recipe (instructions)	9ms	46ms	58ms	74ms	4ms	4.2s
synthetic (title)	61ms	62ms	71ms	372ms	1589ms	14.0s
synthetic (string inside object)	60ms	65ms	83ms	540ms	1834ms	10.0s

📚 Glossary

column definitions

• benchmark — the name of the test, e.g. "article", followed by the label of the field being measured, e.g. "(title)".
• latency — the time between when a key was pressed and when it was rendered. derived from a set of samples. the median (p50) is shown to show the most common latency.
• p75 — the 75th percentile of the input latency in the test run. 75% of the sampled inputs in this benchmark were processed faster than this value. this provides insight into the upper range of typical performance.
• p90 — the 90th percentile of the input latency in the test run. 90% of the sampled inputs were faster than this. this metric helps identify slower interactions that occurred less frequently during the benchmark.
• p99 — the 99th percentile of the input latency in the test run. only 1% of sampled inputs were slower than this. this represents the worst-case scenarios encountered during the benchmark, useful for identifying potential performance outliers.
• blocking time — the total time during which the main thread was blocked, preventing user input and UI updates. this metric helps identify performance bottlenecks that may cause the interface to feel unresponsive.
• test duration — how long the test run took to complete.

[github-actions]

🧪 E2E Preview environment

🔑 Environment Variables for Local Testing

This is the preview URL for the E2E tests: https://e2e-studio-d1t2kzhed.sanity.dev

To run the E2E tests locally, you can use the following environment variables, then run pnpm test:e2e --ui to open the Playwright test runner.

💬 Remember to build the project first with pnpm build:e2e.

  SANITY_E2E_PROJECT_ID=ittbm412
  SANITY_E2E_BASE_URL=https://e2e-studio-d1t2kzhed.sanity.dev
  SANITY_E2E_DATASET="update depending the project you want to test (pr-10068-chromium-16495757216 || pr-10068-firefox-16495757216 )"
  SANITY_E2E_DATASET_CHROMIUM=pr-10068-chromium-16495757216
  SANITY_E2E_DATASET_FIREFOX=pr-10068-firefox-16495757216

[github-actions]

📊 Playwright Test Report

Download Full E2E Report

This report contains test results, including videos of failing tests.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	refractor@​5.0.0
	@​sanity/​ui@​3.0.0
	react-refractor@​4.0.0

View full report

[pkg-pr-new]

create-sanity

npm i https://pkg.pr.new/sanity-io/sanity/create-sanity@10068

groq

npm i https://pkg.pr.new/sanity-io/sanity/groq@10068

sanity

npm i https://pkg.pr.new/sanity-io/sanity@10068

@sanity/cli

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/cli@10068

@sanity/codegen

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/codegen@10068

@sanity/diff

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/diff@10068

@sanity/migrate

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/migrate@10068

@sanity/mutator

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/mutator@10068

@sanity/schema

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/schema@10068

@sanity/types

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/types@10068

@sanity/util

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/util@10068

@sanity/vision

npm i https://pkg.pr.new/sanity-io/sanity/@sanity/vision@10068

commit: b59b477

[stipsan]

Looks good to 🚀

[Fakerko]

Guys, not sure if the problem is related, but when I try to run sanity schema extract --path=./sanity/extract.json && sanity typegen generate I get an error due to react-refractor.

Error [ERR_REQUIRE_ESM]: require() of ES Module /Users/<user>/work/<folder>/<folder>/node_modules/.pnpm/[email protected][email protected]/node_modules/react-refractor/dist/index.js from /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index.js not supported.
Instead change the require of /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected][email protected]/node_modules/react-refractor/dist/index.js in /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index. js to a dynamic import() which is available in all CommonJS modules.
 at Object.<anonymous> (~/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index.js:5:4031)
ELIFECYCLE Command failed with exit code 1.

[NicholasG04]

Guys, not sure if the problem is related, but when I try to run sanity schema extract --path=./sanity/extract.json && sanity typegen generate I get an error due to react-refractor.

Error [ERR_REQUIRE_ESM]: require() of ES Module /Users/<user>/work/<folder>/<folder>/node_modules/.pnpm/[email protected][email protected]/node_modules/react-refractor/dist/index.js from /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index.js not supported.
Instead change the require of /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected][email protected]/node_modules/react-refractor/dist/index.js in /Users/<folder>/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index. js to a dynamic import() which is available in all CommonJS modules.
 at Object.<anonymous> (~/work/<folder>/<folder>/node_modules/.pnpm/[email protected]_@[email protected]_@[email protected]_@[email protected]_@_2c6f8bcc2f06de922587043141241c9b/node_modules/sanity/lib/index.js:5:4031)
ELIFECYCLE Command failed with exit code 1.

Fix for me was bumping to node 20

[Fakerko]

I tried Node version 20 and 22, but still the same error.

[stipsan]

@Fakerko what version of node 20 and 22 did you try? It should work on 20.19 or later, or 22.12 or later 🙌

[Fakerko]

That's it! I had the old version. Thanks a lot!