
chore(deps): bump dompurify from 3.4.5 to 3.4.7 in /src in the npm-runtime group across 1 directory #111

Merged: F0RLE merged 1 commit into nightly from dependabot/npm_and_yarn/src/nightly/npm-runtime-c39dc3ffc3 on May 29, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Bumps the npm-runtime group with 1 update in the /src directory: dompurify.

Updates dompurify from 3.4.5 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

@dependabot dependabot Bot added dependencies Dependency updates and lockfile maintenance security Security fixes, advisories, and hardening labels May 28, 2026
@dependabot dependabot Bot requested a review from F0RLE as a code owner May 28, 2026 07:46

github-actions Bot commented May 28, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| npm/dompurify | 3.4.7 | 🟢 9.7 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Maintained | 🟢 10 | 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| CII-Best-Practices | 🟢 5 | badge detected: Passing |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Signed-Releases | 🟢 10 | 5 out of the last 5 releases have a total of 10 signed artifacts. |
| Fuzzing | 🟢 10 | project is fuzzed |
| License | 🟢 10 | license file detected |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Branch-Protection | 🟢 8 | branch protection is not maximal on development and all release branches |
| CI-Tests | 🟢 10 | 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 |
| Contributors | 🟢 10 | project has 40 contributing companies or organizations |

Scanned Files

  • src/package-lock.json
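The Dependency Review above only scans src/package-lock.json for known advisories, and the bump itself only moves the direct dependency. A second copy of dompurify nested under another package's node_modules can still resolve to the old release and is the copy that package will load. The script below is an added illustration of that check, not code from this PR or from DOMPurify: it walks an npm lockfile (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and reports every installed copy of a package whose version is below a required floor. The sample lockfile and the package name "legacy-editor" are constructed for the example.

```javascript
// Added example (not part of the PR or of DOMPurify): find every installed
// copy of a package in an npm lockfile and flag those below a minimum version.

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any
// pre-release or build suffix are ignored for this comparison.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ""));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return one record per lockfile entry that installs `name`, whether it is
// the top-level copy ("node_modules/<name>") or a nested one
// ("node_modules/<other>/node_modules/<name>"), with `ok` set when the
// installed version satisfies `minVersion`.
function auditLockfile(lock, name, minVersion) {
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a packages map");
  }
  const suffix = `node_modules/${name}`;
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!entry.version) continue; // workspace links carry no version
    results.push({
      path,
      version: entry.version,
      ok: compareSemver(entry.version, minVersion) >= 0,
    });
  }
  return results;
}

// Constructed sample lockfile (not taken from the repository): the direct
// dependency is bumped to 3.4.7, but a hypothetical package "legacy-editor"
// pins dompurify 3.4.5, so npm keeps a second, older copy nested under it.
const SAMPLE_LOCK = {
  name: "src",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { dompurify: "^3.4.7", "legacy-editor": "1.0.0" } },
    "node_modules/dompurify": { version: "3.4.7" },
    "node_modules/legacy-editor": {
      version: "1.0.0",
      dependencies: { dompurify: "3.4.5" },
    },
    "node_modules/legacy-editor/node_modules/dompurify": { version: "3.4.5" },
  },
};

const findings = auditLockfile(SAMPLE_LOCK, "dompurify", "3.4.7");
const outdated = findings.filter((f) => !f.ok);
for (const f of findings) {
  console.log(`${f.ok ? "ok " : "OLD"} ${f.version}  ${f.path}`);
}
if (outdated.length > 0) {
  console.log(`${outdated.length} copy(ies) of dompurify below 3.4.7`);
}
```

To run it against the real file, replace SAMPLE_LOCK with the parsed contents of src/package-lock.json, for example `auditLockfile(JSON.parse(require("fs").readFileSync("src/package-lock.json", "utf8")), "dompurify", "3.4.7")`, and fail the CI job when the outdated list is non-empty. `npm ls dompurify` gives the same picture interactively; the script form is what belongs in a pipeline check.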

Bumps the npm-runtime group with 1 update in the /src directory: [dompurify](https://github.com/cure53/DOMPurify).


Updates `dompurify` from 3.4.5 to 3.4.7
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.5...3.4.7)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-runtime
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump dompurify from 3.4.5 to 3.4.7 in /src in the npm-runtime group chore(deps): bump dompurify from 3.4.5 to 3.4.7 in /src in the npm-runtime group across 1 directory May 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/nightly/npm-runtime-c39dc3ffc3 branch from 07e5594 to 201f2db May 29, 2026 14:41
@F0RLE F0RLE merged commit 25644e5 into nightly May 29, 2026
5 checks passed
@F0RLE F0RLE deleted the dependabot/npm_and_yarn/src/nightly/npm-runtime-c39dc3ffc3 branch May 29, 2026 14:52