[PR #994] [CLOSED] Bump dompurify from 3.3.3 to 3.4.0 in /frontend in the npm_and_yarn group across 1 directory #1150

New issue

Closed

opened 2026-05-07 00:16:18 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented 2026-05-07 00:16:18 +02:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/maziggy/bambuddy/pull/994
Author: @dependabot[bot]
Created: 4/16/2026
Status: ❌ Closed

Base: main ← Head: dependabot/npm_and_yarn/frontend/npm_and_yarn-2a73d1bbcf

---

📝 Commits (1)

• 7208af6 Bump dompurify in /frontend in the npm_and_yarn group across 1 directory

📊 Changes

2 files changed (+6 additions, -5 deletions)

View changed files

📝 frontend/package-lock.json (+5 -4)
📝 frontend/package.json (+1 -1)

📄 Description

Bumps the npm_and_yarn group with 1 update in the /frontend directory: dompurify.

Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/maziggy/bambuddy/pull/994 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 4/16/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/frontend/npm_and_yarn-2a73d1bbcf` --- ### 📝 Commits (1) - [`7208af6`](https://github.com/maziggy/bambuddy/commit/7208af6c8f2b767ac1bfda7e17c2ee4a257097b4) Bump dompurify in /frontend in the npm_and_yarn group across 1 directory ### 📊 Changes **2 files changed** (+6 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `frontend/package-lock.json` (+5 -4) 📝 `frontend/package.json` (+1 -1) </details> ### 📄 Description Bumps the npm_and_yarn group with 1 update in the /frontend directory: [dompurify](https://github.com/cure53/DOMPurify). Updates `dompurify` from 3.3.3 to 3.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.0</h2> <p><strong>Most relevant changes:</strong></p> <ul> <li>Fixed a problem with <code>FORBID_TAGS</code> not winning over <code>ADD_TAGS</code>, thanks <a href="https://github.com/kodareef5"><code>@​kodareef5</code></a></li> <li>Fixed several minor problems and typos regarding MathML attributes, thanks <a href="https://github.com/DavidOliver"><code>@​DavidOliver</code></a></li> <li>Fixed <code>ADD_ATTR</code>/<code>ADD_TAGS</code> function leaking into subsequent array-based calls, thanks <a href="https://github.com/1Jesper1"><code>@​1Jesper1</code></a></li> <li>Fixed a missing <code>SAFE_FOR_TEMPLATES</code> scrub in <code>RETURN_DOM</code> path, thanks <a href="https://github.com/bencalif"><code>@​bencalif</code></a></li> <li>Fixed a prototype pollution via <code>CUSTOM_ELEMENT_HANDLING</code>, thanks <a href="https://github.com/trace37labs"><code>@​trace37labs</code></a></li> <li>Fixed an issue with <code>ADD_TAGS</code> function form bypassing <code>FORBID_TAGS</code>, thanks <a href="https://github.com/eddieran"><code>@​eddieran</code></a></li> <li>Fixed an issue with <code>ADD_ATTR</code> predicates skipping URI validation, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Fixed an issue with <code>USE_PROFILES</code> prototype pollution, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Fixed an issue leading to possible mXSS via Re-Contextualization, thanks <a href="https://github.com/researchatfluidattacks"><code>@​researchatfluidattacks</code></a> and others</li> <li>Fixed an issue with closing tags leading to possible mXSS, thanks <a href="https://github.com/frevadiscor"><code>@​frevadiscor</code></a></li> <li>Fixed a problem with the type dentition patcher after Node version bump</li> <li>Fixed freezing BS runs by reducing the tested browsers array</li> <li>Bumped several dependencies where possible</li> <li>Added needed files for OpenSSF scorecard checks</li> </ul> <p><strong>Published Advisories are here:</strong> <a href="https://github.com/cure53/DOMPurify/security/advisories?state=published">https://github.com/cure53/DOMPurify/security/advisories?state=published</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/5b16e0b892e82b1779d62b9928b43c4c4ff290b9"><code>5b16e0b</code></a> Getting 3.x branch ready for 3.4.0 release (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1250">#1250</a>)</li> <li>See full diff in <a href="https://github.com/cure53/DOMPurify/compare/3.3.3...3.4.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/maziggy/bambuddy/network/alerts). </details> --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

BreizhHardware 2026-05-07 00:16:18 +02:00

• closed this issue
• added the
  pull-request
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

github-repo-stats

bug-report-assets

dev

0.2.4b3

0.2.4b2

0.2.4b1

pr/1114

0.2.3.2

0.2.3.1

0.2.3

0.2.3b3

0.2.3b2

0.2.3b1

0.2.2.2

0.2.2.1

0.2.2b3

0.2.2

0.2.2b2

0.2.2b1

0.2.1.1

0.2.1

0.2.1b3

0.2.1b2

0.2.1b

0.2.0

0.2.0b

0.1.5-2-ctrl

v0.2.4b4-daily.20260508

v0.2.4b2

v0.2.4b3

v0.2.4b1

v0.2.3.2

v0.2.3.1

v0.2.3

v0.2.3b3

v0.2.3b2

v0.2.3b1-daily.20260407

v0.2.3b1

v0.2.2.2

v0.2.2.1

v0.2.3b1-daily.20260318

v0.2.3b1-daily.20260317

v0.2.3b1-daily.20260316

v0.2.2

v0.2.2b4-daily.20260314

v0.2.2b4-daily.20260313

v0.2.2b3-daily.20260312

v0.2.2b3-1

v0.2.2b2

v0.2.2-b2

v0.2.2b3

v0.2.2-b1

v0.2.2b1

v0.2.1.1

v0.2.1

v0.2.1b3

v0.2.1b2

v0.2.1b

v0.2.0

v0.1.9

v0.1.8.1

v0.1.8

v0.1.7

v0.1.6.2

v0.1.6.1

v0.1.6-hotfix

v0.1.6

v0.1.6b11

v0.1.6b10

v0.1.6b9

v0.1.6b8

v0.1.6b7

v0.1.6b6

v0.1.6b5

v0.1.6b4

v0.1.6b3

v0.1.6b2

v0.1.6b

v0.1.5-final

v0.1.5b7

v0.1.5b6

v0.1.5b5

v0.1.5b4

v0.1.5b3

v0.1.5b2

v0.1.5b

v0.1.4

v0.1.3

v0.1.2-bugfix

v0.1.2-final

v0.1.2

0.1.1

Labels

Clear labels   

A1

  

automated

  

automated

  

bug

  

bug

  

Closed due to inactivity

  

contrib

  

dependencies

  

dependencies

  

duplicate

  

enhancement

  

feedback

  

hold

  

invalid

  

Notes

  

P1S

  

pull-request

Mirrored from GitHub Pull Request

  

security

  

ThumbsUp

  

user-report

  

wontfix

No labels

A1

automated

automated

bug

bug

Closed due to inactivity

contrib

dependencies

dependencies

duplicate

enhancement

feedback

hold

invalid

Notes

P1S

pull-request

security

ThumbsUp

user-report

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/bambuddy-maziggy-1#1150

No description provided.