
fix(server): harden docs API path resolution for doc content #3091

Merged
MSt1ch merged 1 commit into develop from EPMSPRT-2554 on Apr 16, 2026

Conversation

JuliaMV (Collaborator) commented Apr 10, 2026

Problem

Snyk SAST (Javascript/Pt, CWE-23): req.body.name from POST /get-doc-content and POST /save-doc-content was joined into a filesystem path for readFileSync / writeFileSync in server/api/docs.ts. The previous check (includes('public/docs/content/')) is not a reliable path containment guarantee.

Root cause

User-controlled name was combined with the docs content directory using path.join and a substring check, which does not strictly prove the resolved path stays under the intended folder (and is weaker than path.resolve + path.relative).

Fix

  • Introduce docsContentDir via path.resolve(__dirname, '../../../public/docs/content').
  • Add resolveDocJsonPath(name) using path.relative(docsContentDir, resolvedPath) and reject when the relative path starts with .. or is absolute; reject missing/non-string name.
  • Use this helper for both get-doc-content and save-doc-content (dev-only write path unchanged aside from validation).

Files: server/api/docs.ts

How to verify

  • cd server && yarn build
  • Run the docs server; call the doc content APIs with a normal doc id and with traversal-like name values; expect errors / no read outside public/docs/content for invalid names.

Affected areas for QA

  • Affected: Node documentation server (server/), routes that load/save doc JSON under public/docs/content.
  • Not affected: Published @epam/uui packages or main library bundles.
  • Smoke-test: Docs flows that load or save doc content via these APIs (if used in your setup).
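
The containment check described in the Fix section and the verification step above, as an added example in TypeScript; this is not the project's code from server/api/docs.ts. The base directory (a constructed /srv/uui/public/docs/content instead of the __dirname-relative one), the `.json` suffix appended to the name, the NUL-byte check and the `checkNames` driver with its sample inputs are assumptions made for this illustration.

```typescript
import * as path from 'path';

// Constructed base directory for this example. The server derives its own with
// path.resolve(__dirname, '../../../public/docs/content').
export const docsContentDir = path.resolve('/srv/uui/public/docs/content');

// Resolve a user-supplied doc name to a JSON file path, or throw if the result
// would leave the docs content directory. Resolve first, then measure the
// result against the base: path.resolve normalises '.' and '..', so the
// containment check sees the final path rather than the raw input.
export function resolveDocJsonPath(name: unknown, baseDir: string = docsContentDir): string {
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error('doc name must be a non-empty string');
  }
  // Assumption beyond the PR text: a NUL byte would truncate the path at the
  // OS level, so refuse it before it reaches the filesystem.
  if (name.includes('\0')) {
    throw new Error('doc name contains an invalid character');
  }
  const candidate = path.resolve(baseDir, `${name}.json`);
  const rel = path.relative(baseDir, candidate);
  // Outside the base when the relative path climbs out ('..' or '../x'), or,
  // on Windows, lands on another drive (path.relative then returns an absolute path).
  if (rel === '..' || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new Error('doc name resolves outside the docs content directory');
  }
  return candidate;
}

export type Verdict = { name: string; allowed: boolean; resolved?: string; reason?: string };

// Runs a list of candidate names through the resolver and records each outcome.
export function checkNames(names: unknown[]): Verdict[] {
  return names.map((n) => {
    try {
      return { name: String(n), allowed: true, resolved: resolveDocJsonPath(n) };
    } catch (e) {
      return { name: String(n), allowed: false, reason: (e as Error).message };
    }
  });
}

// Constructed inputs: two ordinary doc ids, then the traversal-like values the
// verification step asks to try (climb-out, sibling-directory prefix, absolute
// path, empty, missing, embedded NUL).
export const sampleNames: unknown[] = [
  'buttons',
  'forms/text-input',
  '../../../etc/passwd',
  '../content-old/buttons',
  '/etc/passwd',
  '',
  undefined,
  'buttons\0.txt',
];

for (const v of checkNames(sampleNames)) {
  console.log(v.allowed ? `ALLOW  ${v.name} -> ${v.resolved}` : `REJECT ${JSON.stringify(v.name)}: ${v.reason}`);
}
```

The `'../content-old/buttons'` case is why `path.relative` is preferred over a string prefix or substring test: the resolved path shares the `.../docs/content` prefix with the base yet sits in a sibling directory, and `relative()` reports it as `../content-old/buttons.json`. The check tests `..` as a whole leading segment rather than `startsWith('..')` so a doc id that merely begins with two dots is not refused; either form rejects every traversal in the sample set.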

@github-actions

Generated by: track-bundle-size
Generated at: Fri, 10 Apr 2026 14:45:19 GMT
Bundle size diff (in kBytes). Not gzipped. Both CSS & JS included.
Baseline: v6.3.1 (2025-12-03)
CI Status: ok

Module                 Baseline (v6.3.1)   Size      Diff     js / css          Within threshold   Threshold (min - max)
templateApp            693.09              684.57    -8.52    -6.19 / -2.33     🆗                 623.78 - 762.39
@epam/app              5586.96             5524.51   -62.45   -62.82 / +0.37    🆗                 5028.26 - 6145.65
@epam/electric         5.04                5.04      0        0 / 0             🆗                 4.53 - 5.54
@epam/promo            55.61               55.57     -0.05    0 / -0.05         🆗                 50.05 - 61.17
@epam/uui-extra        0.21                0.21      0        0 / 0             🆗                 0.19 - 0.23
@epam/loveship         92.81               96.24     +3.44    +3.48 / -0.05     🆗                 83.53 - 102.09
@epam/uui-components   257.49              260.7     +3.2     +1.68 / +1.52     🆗                 231.75 - 283.25
@epam/uui-core         324.75              329.08    +4.33    +4.33 / 0         🆗                 292.27 - 357.23
@epam/uui-db           41.63               41.72     +0.08    +0.08 / 0         🆗                 37.47 - 45.8
@epam/uui-docs         181.03              194.76    +13.74   +13.75 / 0        🆗                 162.92 - 199.13
@epam/uui-editor       174.1               172.5     -1.6     -1.6 / +0         🆗                 156.69 - 191.51
@epam/uui-timeline     75.5                75.49     -0.01    0 / 0             🆗                 67.95 - 83.05
@epam/uui              527.51              548.3     +20.8    +4.14 / +16.66    🆗                 474.76 - 580.26
new sizes (raw)

To set the sizes as a new baseline, you can copy/paste next content to the uui-build/config/bundleSizeBaseLine.json and commit the file.

{
  "version": "6.4.4",
  "timestamp": "2026-04-10",
  "sizes": {
    "templateApp": {
      "css": 255089,
      "js": 445908
    },
    "@epam/app": {
      "css": 720897,
      "js": 4936203
    },
    "@epam/electric": {
      "css": 2275,
      "js": 2883
    },
    "@epam/promo": {
      "css": 47756,
      "js": 9145
    },
    "@epam/uui-extra": {
      "css": 0,
      "js": 213
    },
    "@epam/loveship": {
      "css": 55330,
      "js": 43225
    },
    "@epam/uui-components": {
      "css": 25157,
      "js": 241794
    },
    "@epam/uui-core": {
      "css": 0,
      "js": 336983
    },
    "@epam/uui-db": {
      "css": 0,
      "js": 42718
    },
    "@epam/uui-docs": {
      "css": 2152,
      "js": 197287
    },
    "@epam/uui-editor": {
      "css": 12954,
      "js": 163688
    },
    "@epam/uui-timeline": {
      "css": 2199,
      "js": 75104
    },
    "@epam/uui": {
      "css": 215800,
      "js": 345665
    }
  }
}

Generated by: generate-components-api
CI Status: ok

Total amount of exported types/props without JSDoc comments

Types: 338 (+0) 🆗
Props: 220 (+0) 🆗

MSt1ch merged commit 1f3f23c into develop Apr 16, 2026
4 checks passed