ampmod/aw3
4
2
Fork
You've already forked aw3
1

chore(deps): update dependency dompurify to v3.4.11 #69

Open
ampmod-bot wants to merge 1 commit from renovate/dompurify-3.x-lockfile into develop
pull from: renovate/dompurify-3.x-lockfile
merge into: ampmod:develop
ampmod:develop
ampmod:renovate/tailwindcss-monorepo
ampmod:renovate/vite-8.x
ampmod:renovate/eslint-plugin-svelte-3.x-lockfile
ampmod:renovate/lucide-monorepo
ampmod:renovate/inlang-paraglide-js-2.x-lockfile
ampmod:renovate/aws-sdk-js-v3-monorepo
ampmod:renovate/vitest-monorepo
ampmod:renovate/simplewebauthn-server-13.x-lockfile
ampmod:renovate/iconify-json-2.x-lockfile

This PR contains the following updates:

Package Change Age Confidence
dompurify 3.4.03.4.11 age confidence

Release Notes

cure53/DOMPurify (dompurify)

v3.4.11: DOMPurify 3.4.11

Compare Source

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

v3.4.10: DOMPurify 3.4.10

Compare Source

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

v3.4.9: DOMPurify 3.4.9

Compare Source

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

v3.4.8: DOMPurify 3.4.8

Compare Source

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

v3.4.7: DOMPurify 3.4.7

Compare Source

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

v3.4.6: DOMPurify 3.4.6

Compare Source

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

v3.4.5: DOMPurify 3.4.5

Compare Source

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

v3.4.4: DOMPurify 3.4.4

Compare Source

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

v3.4.3: DOMPurify 3.4.3

Compare Source

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

v3.4.2: DOMPurify 3.4.2

Compare Source

  • Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
  • Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

v3.4.1: DOMPurify 3.4.1

Compare Source

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [dompurify](https://github.com/cure53/DOMPurify) | [`3.4.0` → `3.4.11`](https://renovatebot.com/diffs/npm/dompurify/3.4.0/3.4.11) | ![age](https://developer.mend.io/api/mc/badges/age/npm/dompurify/3.4.11?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/dompurify/3.4.0/3.4.11?slim=true) | --- ### Release Notes <details> <summary>cure53/DOMPurify (dompurify)</summary> ### [`v3.4.11`](https://github.com/cure53/DOMPurify/releases/tag/3.4.11): DOMPurify 3.4.11 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.10...3.4.11) - Fixed an issue with a leaky config for hooks via `setConfig`, thanks [@&#8203;trace37labs](https://github.com/trace37labs) - Bumped vulnerable development dependencies to arrive at plain 0 with `npm audit` - Updated the `osv-scanner` suppression list as no vulnerable dependencies are left for now - Updated up the linting tool-chain and removed now-redundant lint directives - Updated the documentation is several spots, README, wiki, etc. - Bumped several dependencies where possible ### [`v3.4.10`](https://github.com/cure53/DOMPurify/releases/tag/3.4.10): DOMPurify 3.4.10 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.9...3.4.10) - Refactored codebase for clarity: extracted the public type declarations into `types.ts` - Decomposed the three largest sanitizer functions into focused helpers - Removed duplicated defaults and dead branches, consolidated `SAFE_FOR_TEMPLATES` scrubbing into single shared path - Improved per-node performance by hoisting the mXSS probe regexes and testing `textContent` before `innerHTML` - Added a deterministic micro-benchmark harness (`npm run bench`) with a `--compare` mode - Reduced CI cost by running the full three-engine browser suite once per PR - Refreshed the `demos/` folder so every demo runs again, and added a SVG-via-`<img>` demo - Documented the bench and `test:happydom` scripts in the README - Completed the Attack Classes & Bypass History wiki page - Bumped several dependencies where possible ### [`v3.4.9`](https://github.com/cure53/DOMPurify/releases/tag/3.4.9): DOMPurify 3.4.9 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.8...3.4.9) - Further improved the handling of Trusted Types config options, thanks [@&#8203;offset](https://github.com/offset) - Further improved the handling of `IN_PLACE` sanitization, thanks [@&#8203;mozfreddyb](https://github.com/mozfreddyb) - Added more test coverage for `IN_PLACE` and Trusted Types related usage - Bumped several dependencies where possible - Updated README and wiki with more accurate documentation & attack samples ### [`v3.4.8`](https://github.com/cure53/DOMPurify/releases/tag/3.4.8): DOMPurify 3.4.8 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.7...3.4.8) - Cleaned up the repository root, renamed some and removed unneeded files - Fixed an issue with handling of Trusted Types policies, thanks [@&#8203;fulstadev](https://github.com/fulstadev) - Fixed the node iterator for better template scrubbing, thanks [@&#8203;IamLeandrooooo](https://github.com/IamLeandrooooo) - Included formerly missing LICENSE-MPL in published npm package, thanks [@&#8203;asamuzaK](https://github.com/asamuzaK) - Bumped several dependencies where possible ### [`v3.4.7`](https://github.com/cure53/DOMPurify/releases/tag/3.4.7): DOMPurify 3.4.7 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.6...3.4.7) - Hardened the handling of Shadow Roots when using `IN_PLACE`, thanks [@&#8203;GameZoneHacker](https://github.com/GameZoneHacker) - Removed a problem leading to permanent hook pollution, thanks [@&#8203;offset](https://github.com/offset) - Refactored the test suite and expanded test coverage significantly ### [`v3.4.6`](https://github.com/cure53/DOMPurify/releases/tag/3.4.6): DOMPurify 3.4.6 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.5...3.4.6) - Fixed several issues with DOM Clobbering in `IN_PLACE` mode, thanks [@&#8203;offset](https://github.com/offset) & [@&#8203;Bankde](https://github.com/Bankde) - Hardened the checks for cross-realm `IN_PLACE` and Shadow DOM sanitization, thanks [@&#8203;offset](https://github.com/offset) & [@&#8203;Bankde](https://github.com/Bankde) - Added more test coverage for `IN_PLACE` and general DOM Clobbering attacks - Bumped several dependencies where possible ### [`v3.4.5`](https://github.com/cure53/DOMPurify/releases/tag/3.4.5): DOMPurify 3.4.5 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.4...3.4.5) - Fixed a bypass caused by the new HTML element `selectedcontent` added in 3.4.4, thanks [@&#8203;KabirAcharya](https://github.com/KabirAcharya) **Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.** ### [`v3.4.4`](https://github.com/cure53/DOMPurify/releases/tag/3.4.4): DOMPurify 3.4.4 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.3...3.4.4) - Added the `selectedcontent` element to default allow-list, thanks [@&#8203;lukewarlow](https://github.com/lukewarlow) - Added the `command` and `commandfor` attributes to default allowed-list, thanks [@&#8203;lukewarlow](https://github.com/lukewarlow) - Added better template scrubbing for `IN_PLACE` operations, thanks [@&#8203;DEMON1A](https://github.com/DEMON1A) - Added stronger checks for cross-realm windows, thanks [@&#8203;DEMON1A](https://github.com/DEMON1A) & [@&#8203;fg0x0](https://github.com/fg0x0) - Updated demo website and made sure it uses the latest from main - Updated existing workflows, fuzzer, dependabot, etc., added more tests - Bumped several dependencies where possible 🚨 **This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead** 🚨 ### [`v3.4.3`](https://github.com/cure53/DOMPurify/releases/tag/3.4.3): DOMPurify 3.4.3 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.2...3.4.3) - Fixed an issue with handling of nested Shadow DOM trees, thanks [@&#8203;fishjojo1](https://github.com/fishjojo1) - Fixed the template regexes to be more robust against ReDoS attacks, thanks [@&#8203;aleung27](https://github.com/aleung27) - Updated the node iteration code to catch more Shadow DOM related issues - Updated Playwright and added Node 26 to test matrix - Updated existing workflows, fuzzer, release signing, etc., added more tests - Bumped several dependencies where possible ### [`v3.4.2`](https://github.com/cure53/DOMPurify/releases/tag/3.4.2): DOMPurify 3.4.2 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.1...3.4.2) - Fixed an issue with URI validation on attributes allowed via `ADD_ATTR` callback, thanks [@&#8203;nelstrom](https://github.com/nelstrom) - Fixed an issue with source maps referring to non-existing files, thanks [@&#8203;cmdcolin](https://github.com/cmdcolin) - Updated existing workflows, fuzzer, release signing, etc., added more tests - Bumped several dependencies where possible ### [`v3.4.1`](https://github.com/cure53/DOMPurify/releases/tag/3.4.1): DOMPurify 3.4.1 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.0...3.4.1) - Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (`font-face`, `color-profile`, `missing-glyph`, `font-face-src`, `font-face-uri`, `font-face-format`, `font-face-name`) under permissive `CUSTOM_ELEMENT_HANDLING` - Fixed a case-sensitivity gap in the `annotation-xml` check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode - Fixed `SANITIZE_NAMED_PROPS` repeatedly prefixing already-prefixed `id` and `name` values on subsequent sanitization - Fixed the `IN_PLACE` root-node check to explicitly guard against non-string `nodeName` (DOM-clobbering robustness) - Removed a duplicate `slot` entry from the default HTML attribute allow-list - Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for `SANITIZE_NAMED_PROPS`, and a negative-control assertion ensuring the invariants actually fire - Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (`SAFE_FOR_TEMPLATES` greedy scrub, hook-added attribute handling) - Extended CodeQL analysis to run on `3.x` and `2.x` maintenance branches </details> --- ### Configuration 📅 **Schedule**: (in timezone UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjI1NC4wIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6WyJLaW5kL0RlcGVuZGVuY2llcyJdfQ==-->
ampmod-bot force-pushed renovate/dompurify-3.x-lockfile from af260ef1f1
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
to d3d49b2242
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
2026年04月28日 20:56:19 +02:00
Compare
ampmod-bot force-pushed renovate/dompurify-3.x-lockfile from d3d49b2242
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
to 4dd8103b2a
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
2026年04月29日 14:47:00 +02:00
Compare
ampmod-bot force-pushed renovate/dompurify-3.x-lockfile from 4dd8103b2a
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
to ddb21e17d8
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
2026年05月17日 00:31:27 +02:00
Compare
ampmod-bot changed title from (削除) chore(deps): update dependency dompurify to v3.4.1 (削除ここまで) to chore(deps): update dependency dompurify to v3.4.3 2026年05月17日 00:31:28 +02:00
ampmod-bot force-pushed renovate/dompurify-3.x-lockfile from ddb21e17d8
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
to 9df40fd3d5
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
2026年05月28日 21:10:15 +02:00
Compare
ampmod-bot changed title from (削除) chore(deps): update dependency dompurify to v3.4.3 (削除ここまで) to chore(deps): update dependency dompurify to v3.4.7 2026年05月28日 21:10:16 +02:00
ampmod-bot force-pushed renovate/dompurify-3.x-lockfile from 9df40fd3d5
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
to 41a5285a00
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
2026年07月07日 18:16:04 +02:00
Compare
ampmod-bot changed title from (削除) chore(deps): update dependency dompurify to v3.4.7 (削除ここまで) to chore(deps): update dependency dompurify to v3.4.11 2026年07月07日 18:16:07 +02:00
Some checks failed
ci/woodpecker/push/build Pipeline failed
ci/woodpecker/push/renovate Pipeline was successful
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/dompurify-3.x-lockfile:renovate/dompurify-3.x-lockfile
git switch renovate/dompurify-3.x-lockfile

Merge

Merge the changes and update on Forgejo.
git switch develop
git merge --no-ff renovate/dompurify-3.x-lockfile
git switch renovate/dompurify-3.x-lockfile
git rebase develop
git switch develop
git merge --ff-only renovate/dompurify-3.x-lockfile
git switch renovate/dompurify-3.x-lockfile
git rebase develop
git switch develop
git merge --no-ff renovate/dompurify-3.x-lockfile
git switch develop
git merge --squash renovate/dompurify-3.x-lockfile
git switch develop
git merge --ff-only renovate/dompurify-3.x-lockfile
git switch develop
git merge renovate/dompurify-3.x-lockfile
git push origin develop
Sign in to join this conversation.
No reviewers
Labels
Clear labels
BREAKING CHANGE
Breaking change that won't be backward compatible
Kind
Bug
Something is not working
Kind
Dependencies
Bot-authored dependency updates
Kind
Enhancement
Improve existing functionality
Kind
Feature
New functionality
Kind
RFC
Requests for comment
Kind
Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
Status
Reported to Upstream
This has been reported to upstream
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ampmod/aw3!69
Reference in a new issue
ampmod/aw3
No description provided.
Delete branch "renovate/dompurify-3.x-lockfile"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?