[Snyk] Upgrade dompurify from 3.1.7 to 3.2.7 #180
Conversation
Snyk has created this PR to upgrade dompurify from 3.1.7 to 3.2.7. See this package in npm: dompurify See this project in Snyk: https://app.snyk.io/org/cognigy-gmbh/project/1bef01ee-7646-4865-9853-92aa704464b0?utm_source=github&utm_medium=referral&page=upgrade-pr
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades the dompurify dependency from version 3.1.7 to 3.2.7 to address a Cross-site Scripting (XSS) vulnerability and benefit from security fixes, bug fixes, and new features introduced in the newer versions.
- Upgraded dompurify from ^3.0.11 to ^3.2.7 in package.json
- Fixes XSS vulnerability SNYK-JS-DOMPURIFY-8722251 with low severity
- Includes 8 versions of improvements with security enhancements and better handling of potentially risky content
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| "adaptivecards": "2.11.1", | ||
| "classnames": "^2.3.2", | ||
| "dompurify": "^3.0.11", | ||
| "dompurify": "^3.2.7", |
There was a problem hiding this comment.
The version constraint appears inconsistent. The diff shows upgrading from ^3.0.11 but the PR description indicates upgrading from 3.1.7. The package.json should reflect the actual current version being upgraded from to maintain accurate dependency tracking.
| "dompurify": "^3.2.7", | |
| "dompurify": "^3.1.7", |
Snyk has created this PR to upgrade dompurify from 3.1.7 to 3.2.7.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 8 versions ahead of your current version.
The recommended version was released 23 days ago.
This is a minor version upgrade that includes security fixes, bug fixes, and adds new elements to the default allow-list. The release notes between 3.1.7 and 3.2.7 do not indicate any breaking changes.
Source: DOMPurify GitHub Releases
Issues fixed by the recommended upgrade:
SNYK-JS-DOMPURIFY-8722251
Release notes
Package name: dompurify
-
3.2.7 - 2025-09-17
- Added new attributes and elements to default allow-list, thanks @ elrion018
- Added
- Added better check for animated
- Updated and improved the bundled types, thanks @ ssi02014
- Updated several tests to better align with new browser encoding behaviors
- Improved the handling of potentially risky content inside CDATA elements, thanks @ securityMB & @ terjanq
- Improved the regular expression for raw-text elements to cover textareas, thanks @ securityMB & @ terjanq
-
3.2.6 - 2025-05-19
- Fixed several typos and removed clutter from our documentation, thanks @ Rotzbua
- Added
- Added better config hardening against prototype pollution, thanks @ EffectRenan
- Added better handling of attribute removal, thanks @ michalnieruchalski-tiugo
- Added better configuration for aggressive mXSS scrubbing behavior, thanks @ BryanValverdeU
- Removed the script that caused the fake entry CVE-2025-48050
-
3.2.5 - 2025-04-03
- Added a check to the mXSS detection regex to be more strict, thanks @ masatokinugawa
- Added ESM type imports in source, removes patch function, thanks @ donmccurdy
- Added script to verify various TypeScript configurations, thanks @ reduckted
- Added more modern browsers to the Karma launchers list
- Added Node 23.x to tested runtimes, removed Node 17.x
- Fixed the generation of source maps, thanks @ reduckted
- Fixed an unexpected behavior with
- Fixed a few typos in the README file
-
3.2.4 - 2025-01-30
- Fixed a conditional and config dependent mXSS-style bypass reported by @ nsysean
- Added a new feature to allow specific hook removal, thanks @ davecardwell
- Added purify.js and purify.min.js to exports, thanks @ Aetherinox
- Added better logic in case no window object is president, thanks @ yehuya
- Updated some dependencies called out by dependabot
- Updated license files etc to show the correct year
-
3.2.3 - 2024-12-09
- Fixed two conditional sanitizer bypasses discovered by @ parrot409 and @ Slonser
- Updated the attribute clobbering checks to prevent future bypasses, thanks @ parrot409
-
3.2.2 - 2024-11-29
- Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @ Yaniv-git
- Fixed several minor issues with the type definitions, thanks again @ reduckted
- Fixed a minor issue with the types reference for trusted types, thanks @ reduckted
- Fixed a minor problem with the template detection regex on some systems, thanks @ svdb99
-
3.2.1 - 2024-11-20
- Fixed several minor issues with the type definitions, thanks @ reduckted @ ghiscoding @ asamuzaK @ MiniDigger
- Fixed an issue with non-minified dist files and order of imports, thanks @ reduckted
-
3.2.0 - 2024-11-11
- Added type declarations, thanks @ reduckted , @ philmayfield, @ aloisklink, @ ssi02014 and others
- Fixed a minor issue with the handling of hooks, thanks @ kevin-mizu
-
3.1.7 - 2024-09-26
- Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @ masatokinugawa
- Fixed several smaller typos in documentation and test & build files, thanks @ christianhg
- Added better support for Angular compiler, thanks @ jeroen1602
- Added several new attributes to HTML and SVG allow-list, thanks @ Gigabyte5671 and @ Rotzbua
- Removed the
- Bumped several dependencies to be more up to date
from dompurify GitHub release notestagNameparameter to custom elementattributeNameCheck, thanks @ nelstromhrefattributes, thanks @ llamakkomatrix:as an allowed URI scheme, thanks @ kleinesfilmroellchenALLOWED_URI_REGEXPusing the 'g' flag, thanks @ hhk-pngforeignObjectelement from the list of HTML entry-points, thanks @ masatokinugawaImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: