Skip to content

fix(deps): update dependency dompurify to v3.3.2 [security]#592

Merged
renovate[bot] merged 1 commit intomainfrom
renovate-npm-dompurify-vulnerability
Mar 6, 2026
Merged

fix(deps): update dependency dompurify to v3.3.2 [security]#592
renovate[bot] merged 1 commit intomainfrom
renovate-npm-dompurify-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 5, 2026

This PR contains the following updates:

Package Change Age Confidence
dompurify 3.2.73.3.2 age confidence

GitHub Vulnerability Alerts

CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Release Notes

cure53/DOMPurify (dompurify)

v3.3.2: DOMPurify 3.3.2

Compare Source

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

v3.3.1: DOMPurify 3.3.1

Compare Source

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

v3.3.0: DOMPurify 3.3.0

Compare Source

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Mar 5, 2026

This PR will trigger a patch release when merged.

@codecov
Copy link

codecov bot commented Mar 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@renovate renovate bot merged commit 80abcc3 into main Mar 6, 2026
8 checks passed
@renovate renovate bot deleted the renovate-npm-dompurify-vulnerability branch March 6, 2026 03:38
github-actions bot pushed a commit that referenced this pull request Mar 6, 2026
@semantic-release-bot
chore(release): 6.4.38 [skip ci]
0f6d58c 
## [6.4.38](v6.4.37...v6.4.38) (2026-03-06)

### Bug Fixes

* **deps:** update dependency dompurify to v3.3.2 [security] ([#592](#592)) ([80abcc3](80abcc3))
@github-actions
Copy link

github-actions bot commented Mar 6, 2026

🎉 This PR is included in version 6.4.38 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants