Update dependency dompurify to v3 [SECURITY]#52
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
March 7, 2025 03:53
fc41f90 to
7adc2be
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
4 times, most recently
from
March 21, 2025 23:37
ae21514 to
b830e34
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
April 4, 2025 07:49
19105db to
fcf12e2
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
April 12, 2025 15:26
ada22fa to
fbb2436
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
May 1, 2025 00:06
70ba753 to
b6cc8ca
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
May 8, 2025 17:30
9f6b4b4 to
6141930
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
3 times, most recently
from
May 22, 2025 19:34
9ba6cc5 to
4dd0ada
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
May 29, 2025 11:35
51ea49d to
afdafee
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
3 times, most recently
from
June 6, 2025 18:14
0e93a02 to
cddcf31
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
June 15, 2025 16:13
491725d to
cf65cca
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
from
June 28, 2025 15:56
cf65cca to
6fdfefe
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
from
July 20, 2025 19:56
6fdfefe to
d839165
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
August 17, 2025 03:43
6e090f7 to
2920e01
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
August 24, 2025 23:16
939b668 to
50016f0
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
from
October 10, 2025 19:40
3fcca16 to
bb10be3
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
October 23, 2025 11:27
4633360 to
e9be26f
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
4 times, most recently
from
November 13, 2025 07:40
b3f190a to
00fae31
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
4 times, most recently
from
November 26, 2025 11:31
82209a9 to
a1c2363
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
December 5, 2025 16:00
3797347 to
6611363
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
4 times, most recently
from
December 16, 2025 08:41
8a94624 to
2c98692
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
January 2, 2026 07:59
74c2a4e to
6094ebc
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
January 10, 2026 10:33
4d9a935 to
583f9bb
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
January 20, 2026 16:09
21f7ca5 to
c0e6d91
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
2 times, most recently
from
February 4, 2026 03:57
15fe446 to
1a57fbd
Compare
renovate
Bot
force-pushed
the
renovate/npm-dompurify-vulnerability
branch
4 times, most recently
from
February 17, 2026 08:13
c4545c5 to
1e6bdee
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.0.7→^3.0.0DOMPurify allows Cross-site Scripting (XSS)
CVE-2025-26791 / GHSA-vhxf-7vqr-mrjg
More information
Details
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
cure53/DOMPurify (dompurify)
v3.4.12: DOMPurify 3.4.12Compare Source
v3.4.11: DOMPurify 3.4.11Compare Source
setConfig, thanks @trace37labsnpm auditosv-scannersuppression list as no vulnerable dependencies are left for nowv3.4.10: DOMPurify 3.4.10Compare Source
types.tsSAFE_FOR_TEMPLATESscrubbing into single shared pathtextContentbeforeinnerHTMLnpm run bench) with a--comparemodedemos/folder so every demo runs again, and added a SVG-via-<img>demotest:happydomscripts in the READMEv3.4.9: DOMPurify 3.4.9Compare Source
IN_PLACEsanitization, thanks @mozfreddybIN_PLACEand Trusted Types related usagev3.4.8: DOMPurify 3.4.8Compare Source
v3.4.7: DOMPurify 3.4.7Compare Source
IN_PLACE, thanks @GameZoneHackerv3.4.6: DOMPurify 3.4.6Compare Source
IN_PLACEmode, thanks @offset & @BankdeIN_PLACEand Shadow DOM sanitization, thanks @offset & @BankdeIN_PLACEand general DOM Clobbering attacksv3.4.5: DOMPurify 3.4.5Compare Source
selectedcontentadded in 3.4.4, thanks @KabirAcharyaNote that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.
v3.4.4: DOMPurify 3.4.4Compare Source
selectedcontentelement to default allow-list, thanks @lukewarlowcommandandcommandforattributes to default allowed-list, thanks @lukewarlowIN_PLACEoperations, thanks @DEMON1A🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨
v3.4.3: DOMPurify 3.4.3Compare Source
v3.4.2: DOMPurify 3.4.2Compare Source
ADD_ATTRcallback, thanks @nelstromv3.4.1: DOMPurify 3.4.1Compare Source
font-face,color-profile,missing-glyph,font-face-src,font-face-uri,font-face-format,font-face-name) under permissiveCUSTOM_ELEMENT_HANDLINGannotation-xmlcheck that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML modeSANITIZE_NAMED_PROPSrepeatedly prefixing already-prefixedidandnamevalues on subsequent sanitizationIN_PLACEroot-node check to explicitly guard against non-stringnodeName(DOM-clobbering robustness)slotentry from the default HTML attribute allow-listSANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fireSAFE_FOR_TEMPLATESgreedy scrub, hook-added attribute handling)3.xand2.xmaintenance branchesv3.4.0: DOMPurify 3.4.0Compare Source
Most relevant changes:
FORBID_TAGSnot winning overADD_TAGS, thanks @kodareef5ADD_ATTR/ADD_TAGSfunction leaking into subsequent array-based calls, thanks @1Jesper1SAFE_FOR_TEMPLATESscrub inRETURN_DOMpath, thanks @bencalifCUSTOM_ELEMENT_HANDLING, thanks @trace37labsADD_TAGSfunction form bypassingFORBID_TAGS, thanks @eddieranADD_ATTRpredicates skipping URI validation, thanks @christos-ethUSE_PROFILESprototype pollution, thanks @christos-ethPublished Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published
v3.3.3: DOMPurify 3.3.3Compare Source
v3.3.2: DOMPurify 3.3.2Compare Source
_isValidAttribute, thanks @christos-ethv3.3.1: DOMPurify 3.3.1Compare Source
ADD_FORBID_CONTENTSsetting to extend default list, thanks @MariusRumpfv3.3.0: DOMPurify 3.3.0Compare Source
mask-typeattribute to default allow-list, thanks @prasadrajandranADD_ATTRandADD_TAGSto accept functions, thanks @nelstromslotelement being in both SVG and HTML allow-list, thanks @Wim-Valgaerenv3.2.7: DOMPurify 3.2.7Compare Source
tagNameparameter to custom elementattributeNameCheck, thanks @nelstromhrefattributes, thanks @llamakkov3.2.6: DOMPurify 3.2.6Compare Source
matrix:as an allowed URI scheme, thanks @kleinesfilmroellchenv3.2.5: DOMPurify 3.2.5Compare Source
ALLOWED_URI_REGEXPusing the 'g' flag, thanks @hhk-pngv3.2.4: DOMPurify 3.2.4Compare Source
v3.2.3: DOMPurify 3.2.3Compare Source
v3.2.2: DOMPurify 3.2.2Compare Source
v3.2.1: DOMPurify 3.2.1Compare Source
v3.2.0: DOMPurify 3.2.0Compare Source
v3.1.7: DOMPurify 3.1.7Compare Source
foreignObjectelement from the list of HTML entry-points, thanks @masatokinugawav3.1.6: DOMPurify 3.1.6Compare Source
v3.1.5: DOMPurify 3.1.5Compare Source
bower.js, thanks @HakumenNCv3.1.4: DOMPurify 3.1.4Compare Source
isNaNchecks, thanks @tulachv3.1.3: DOMPurify 3.1.3Compare Source
nodeTypeproperty, thanks @ssi02014v3.1.2: DOMPurify 3.1.2Compare Source
v3.1.1: DOMPurify 3.1.1Compare Source
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
v3.1.0: DOMPurify 3.1.0Compare Source
SAFE_FOR_XMLto enable better control over comment scrubbingv3.0.11: DOMPurify 3.0.11Compare Source
v3.0.10: DOMPurify 3.0.10Compare Source
v3.0.9: DOMPurify 3.0.9Compare Source
hasOwnPropertylogic, thanks @ssi02014console.warnmaking HappyDom happier, thanks @HugoPoiv3.0.8: DOMPurify 3.0.8Compare Source
v3.0.7: DOMPurify 3.0.7Compare Source
v3.0.6: DOMPurify 3.0.6Compare Source
v3.0.5: DOMPurify 3.0.5Compare Source
v3.0.4: DOMPurify 3.0.4Compare Source
shadowrootmodwhich should beshadowrootmode, thanks @masatokinugawav3.0.3: DOMPurify 3.0.3Compare Source
TRUSTED_TYPES_POLICYconfiguration option, thanks @dejangfeDropShadowto the SVG filter allow-list, thanks @SelfMadeSystemv3.0.2: DOMPurify 3.0.2Compare Source
ALLOWED_URI_REGEXPnot being reset, thanks @mukilanemprescriptstag to allowed MathML elements, thanks @duyhai94v3.0.1: DOMPurify 3.0.1Compare Source
v3.0.0: DOMPurify 3.0.0Compare Source
ALLOW_SELF_CLOSE_IN_ATTRflag, thanks @edg2s @AndreVirtimoshadowrootmode, thanks @mfreed7NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.