From 73ad08f0cf4c45b066ea6c405bc004a5b47915a2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 6 Mar 2026 20:01:40 -0800
Subject: [PATCH] Build(deps): bump dompurify from 3.2.6 to 3.3.2 in the
npm_and_yarn group across 1 directory (#3365)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps the npm_and_yarn group with 1 update in the / directory:
[dompurify](https://github.com/cure53/DOMPurify).
Updates `dompurify` from 3.2.6 to 3.3.2
Release notes
Sourced from dompurify's
releases.
DOMPurify 3.3.2
- Fixed a possible bypass caused by jsdom's faulty raw-text tag
parsing, thanks multiple reporters
- Fixed a prototype pollution issue when working with custom elements,
thanks
@christos-eth
- Fixed a lenient config parsing in
_isValidAttribute,
thanks @christos-eth
- Bumped and removed several dependencies, thanks
@Rotzbua
- Fixed the test suite after bumping dependencies, thanks
@Rotzbua
DOMPurify 3.3.1
- Updated
ADD_FORBID_CONTENTS setting to extend default
list, thanks @MariusRumpf
- Updated the ESM import syntax to be more correct, thanks
@binhpv
DOMPurify 3.3.0
- Added the SVG
mask-type attribute to default
allow-list, thanks @prasadrajandran
- Added support for
ADD_ATTR and ADD_TAGS to
accept functions, thanks @nelstrom
- Fixed an issue with the
slot element being in both SVG
and HTML allow-list, thanks @Wim-Valgaeren
DOMPurify 3.2.7
- Added new attributes and elements to default allow-list, thanks
@elrion018
- Added
tagName parameter to custom element
attributeNameCheck, thanks @nelstrom
- Added better check for animated
href attributes, thanks
@llamakko
- Updated and improved the bundled types, thanks
@ssi02014
- Updated several tests to better align with new browser encoding
behaviors
- Improved the handling of potentially risky content inside CDATA
elements, thanks
@securityMB &
@terjanq
- Improved the regular expression for raw-text elements to cover
textareas, thanks
@securityMB &
@terjanq
Commits
5e56114
Getting 3.x branch ready for 3.3.2 release (#1208)e8c95f4
fix: Fixed the broken package-lock.json9636037
Update package-lock.json5cad4ce
Getting 3.x branch ready for 3.3.2 releas (#1205)6fc446a
Merge pull request #1175
from cure53/main3b3bf91
Merge branch 'main' of github.com:cure53/DOMPurify9863f41
chore: Preparing 3.3.1 releaseb4e0295
chore: Preparing 3.3.0 release077746b
build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)4de68bb
build(deps): bump actions/checkout from 5 to 6 (#1171)- Additional commits viewable in compare
view
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore ` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/openfrontio/OpenFrontIO/network/alerts).
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
package-lock.json | 11 +++++++----
package.json | 2 +-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index a8a0849e1..d6da667d9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21,7 +21,7 @@
"colord": "^2.9.3",
"colorjs.io": "^0.5.2",
"compression": "^1.8.1",
- "dompurify": "^3.1.7",
+ "dompurify": "^3.3.2",
"dotenv": "^16.5.0",
"ejs": "^3.1.10",
"express": "^4.22.1",
@@ -7034,10 +7034,13 @@
}
},
"node_modules/dompurify": {
- "version": "3.2.6",
- "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.6.tgz",
- "integrity": "sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==",
+ "version": "3.3.2",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
+ "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
"license": "(MPL-2.0 OR Apache-2.0)",
+ "engines": {
+ "node": ">=20"
+ },
"optionalDependencies": {
"@types/trusted-types": "^2.0.7"
}
diff --git a/package.json b/package.json
index 7e0bdd704..4a7b9a473 100644
--- a/package.json
+++ b/package.json
@@ -104,7 +104,7 @@
"colord": "^2.9.3",
"colorjs.io": "^0.5.2",
"compression": "^1.8.1",
- "dompurify": "^3.1.7",
+ "dompurify": "^3.3.2",
"dotenv": "^16.5.0",
"ejs": "^3.1.10",
"express": "^4.22.1",