Skip to content

fix(deps): update dependency dompurify to v3.2.7 [security]#591

Merged
renovate[bot] merged 1 commit intomainfrom
renovate-npm-dompurify-vulnerability
Mar 5, 2026
Merged

fix(deps): update dependency dompurify to v3.2.7 [security]#591
renovate[bot] merged 1 commit intomainfrom
renovate-npm-dompurify-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 4, 2026

This PR contains the following updates:

Package Change Age Confidence
dompurify 3.2.63.2.7 age confidence

GitHub Vulnerability Alerts

CVE-2025-15599

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

Release Notes

cure53/DOMPurify (dompurify)

v3.2.7: DOMPurify 3.2.7

Compare Source

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Mar 4, 2026

This PR will trigger a patch release when merged.

@codecov
Copy link

codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@renovate renovate bot merged commit c96cb65 into main Mar 5, 2026
8 checks passed
@renovate renovate bot deleted the renovate-npm-dompurify-vulnerability branch March 5, 2026 02:48
github-actions bot pushed a commit that referenced this pull request Mar 5, 2026
@semantic-release-bot
chore(release): 6.4.36 [skip ci]
7b9f88f 
## [6.4.36](v6.4.35...v6.4.36) (2026-03-05)

### Bug Fixes

* **deps:** update dependency dompurify to v3.2.7 [security] ([#591](#591)) ([c96cb65](c96cb65))
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🎉 This PR is included in version 6.4.36 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants