From 31baeacdf4209a8f1f8289d73a7214d4d4b846ab Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Apr 2026 10:50:24 +0100
Subject: [PATCH] Bump dompurify from 3.3.2 to 3.4.0 in the npm_and_yarn group
across 1 directory (#3693)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps the npm_and_yarn group with 1 update in the / directory:
[dompurify](https://github.com/cure53/DOMPurify).
Updates `dompurify` from 3.3.2 to 3.4.0
Release notes
Sourced from dompurify's
releases.
DOMPurify 3.4.0
Most relevant changes:
- Fixed a problem with
FORBID_TAGS not winning over
ADD_TAGS, thanks @kodareef5
- Fixed several minor problems and typos regarding MathML attributes,
thanks
@DavidOliver
- Fixed
ADD_ATTR/ADD_TAGS function leaking
into subsequent array-based calls, thanks @1Jesper1
- Fixed a missing
SAFE_FOR_TEMPLATES scrub in
RETURN_DOM path, thanks @bencalif
- Fixed a prototype pollution via
CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
- Fixed an issue with
ADD_TAGS function form bypassing
FORBID_TAGS, thanks @eddieran
- Fixed an issue with
ADD_ATTR predicates skipping URI
validation, thanks @christos-eth
- Fixed an issue with
USE_PROFILES prototype pollution,
thanks @christos-eth
- Fixed an issue leading to possible mXSS via Re-Contextualization,
thanks
@researchatfluidattacks
and others
- Fixed an issue with closing tags leading to possible mXSS, thanks
@frevadiscor
- Fixed a problem with the type dentition patcher after Node version
bump
- Fixed freezing BS runs by reducing the tested browsers array
- Bumped several dependencies where possible
- Added needed files for OpenSSF scorecard checks
Published Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published
DOMPurify 3.3.3
- Fixed an engine requirement for Node 20 which caused hiccups, thanks
@Rotzbua
Commits
5b16e0b
Getting 3.x branch ready for 3.4.0 release (#1250)8bcbf73
chore: Preparing 3.3.3 release5faddd6
fix: engine requirement (#1210)0f91e3a
Update README.mdd5ff1a8
Merge branch 'main' of github.com:cure53/DOMPurifyc3efd48
fix: moved back from jsdom 28 to jsdom 20988b888
fix: moved back from jsdom 28 to jsdom 202726c74
chore: Preparing 3.3.2 release6202c7e
build(deps): bump @tootallnate/once and jsdom (#1204)302b51d
fix: Expanded the regex ever so slightly to also cover script- Additional commits viewable in compare
view
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore ` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/openfrontio/OpenFrontIO/network/alerts).
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
package-lock.json | 11 ++++-------
package.json | 2 +-
2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 411d373fc..b6c2016fb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21,7 +21,7 @@
"colord": "^2.9.3",
"colorjs.io": "^0.5.2",
"compression": "^1.8.1",
- "dompurify": "^3.3.2",
+ "dompurify": "^3.4.0",
"dotenv": "^16.5.0",
"ejs": "^3.1.10",
"express": "^5.2.1",
@@ -6966,13 +6966,10 @@
}
},
"node_modules/dompurify": {
- "version": "3.3.2",
- "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
- "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
+ "version": "3.4.0",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.0.tgz",
+ "integrity": "sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==",
"license": "(MPL-2.0 OR Apache-2.0)",
- "engines": {
- "node": ">=20"
- },
"optionalDependencies": {
"@types/trusted-types": "^2.0.7"
}
diff --git a/package.json b/package.json
index aa902e7a2..ffb58ee15 100644
--- a/package.json
+++ b/package.json
@@ -104,7 +104,7 @@
"colord": "^2.9.3",
"colorjs.io": "^0.5.2",
"compression": "^1.8.1",
- "dompurify": "^3.3.2",
+ "dompurify": "^3.4.0",
"dotenv": "^16.5.0",
"ejs": "^3.1.10",
"express": "^5.2.1",