chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.10 #590

Open

renovate[bot] wants to merge 1 commit into master from renovate/dompurify-=3.3.3-3.x

Conversation

@renovate renovate Bot (Contributor) commented May 18, 2026

This PR contains the following updates:

Package             Change                 Age   Confidence
dompurify@<=3.3.3   >=3.4.0 -> >=3.4.10    age   confidence

Release Notes

cure53/DOMPurify (dompurify@<=3.3.3)

v3.4.10: DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into a single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added an SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

v3.4.9

v3.4.8: DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK
  • Bumped several dependencies where possible

v3.4.7: DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @offset
  • Refactored the test suite and expanded test coverage significantly

v3.4.6: DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

v3.4.5

v3.4.4: DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @DEMON1A
  • Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

v3.4.3

v3.4.2: DOMPurify 3.4.2

  • Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @nelstrom
  • Fixed an issue with source maps referring to non-existing files, thanks @cmdcolin
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

v3.4.1: DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.

@renovate renovate Bot added the dependencies and javascript labels May 18, 2026
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.4" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.5" May 18, 2026
@renovate renovate Bot force-pushed the renovate/dompurify-=3.3.3-3.x branch from b247073 to bd0d65c May 18, 2026 09:41
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.5" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.6" May 26, 2026
@renovate renovate Bot force-pushed the renovate/dompurify-=3.3.3-3.x branch 2 times, most recently from f203913 to ebe3851 May 27, 2026 18:03
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.6" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.7" May 27, 2026
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.7" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.8" Jun 3, 2026
@renovate renovate Bot force-pushed the renovate/dompurify-=3.3.3-3.x branch from ebe3851 to aae4d50 June 3, 2026 15:52
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.8" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.9" Jun 10, 2026
@renovate renovate Bot force-pushed the renovate/dompurify-=3.3.3-3.x branch 2 times, most recently from d752413 to a8ac438 June 11, 2026 17:03
@renovate renovate Bot changed the title from "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.9" to "chore(deps): update dependency dompurify@<=3.3.3 to >=3.4.10" Jun 12, 2026
@renovate renovate Bot force-pushed the renovate/dompurify-=3.3.3-3.x branch from a8ac438 to 24506b3 June 12, 2026 16:52