Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency dompurify to v3 [security] #3063

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency dompurify to v3 [security] #3063

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 16, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
dompurify 2.5.8 -> 3.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Release Notes

cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

  • Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
  • Added a new feature to allow specific hook removal, thanks @​davecardwell
  • Added purify.js and purify.min.js to exports, thanks @​Aetherinox
  • Added better logic in case no window object is president, thanks @​yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

v3.2.3: DOMPurify 3.2.3

Compare Source

v3.2.2: DOMPurify 3.2.2

Compare Source

  • Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
  • Fixed several minor issues with the type definitions, thanks again @​reduckted
  • Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
  • Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

v3.2.1

Compare Source

v3.2.0: DOMPurify 3.2.0

Compare Source

v3.1.7: DOMPurify 3.1.7

Compare Source

  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
  • Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
  • Added better support for Angular compiler, thanks @​jeroen1602
  • Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
  • Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
  • Bumped several dependencies to be more up to date

v3.1.6: DOMPurify 3.1.6

Compare Source

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
  • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
  • Updated several development dependencies

v3.1.5: DOMPurify 3.1.5

Compare Source

  • Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v3.1.4: DOMPurify 3.1.4

Compare Source

  • Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
  • Added several new popover attributes to allow-list, thanks @​Gigabyte5671
  • Fixed the tests and adjusted the test runner to cover all branches

v3.1.3: DOMPurify 3.1.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Added better handling and readability of the nodeType property, thanks @​ssi02014
  • Fixed some smaller issues in README and other documentation

v3.1.2: DOMPurify 3.1.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v3.1.1: DOMPurify 3.1.1

Compare Source

  • Fixed an mXSS sanitiser bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v3.1.0: DOMPurify 3.1.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v3.0.11: DOMPurify 3.0.11

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v3.0.10: DOMPurify 3.0.10

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser
  • Bumped up some build and test dependencies

v3.0.9: DOMPurify 3.0.9

Compare Source

  • Fixed a problem with proper detection of Custom Elements, thanks @​kevin-mizu
  • Refactored the hasOwnProperty logic, thanks @​ssi02014
  • Removed a superfluous console.warn making HappyDom happier, thanks @​HugoPoi
  • Modernized some of the demo hooks for better looks, thanks @​Steb95

v3.0.8: DOMPurify 3.0.8

Compare Source

  • Fixed errors caused by conditional exports, thanks @​ssi02014
  • Fixed a type error when working with custom element config, thanks @​cpmotion

v3.0.7: DOMPurify 3.0.7

Compare Source

  • Added better protection against CSPP attacks, thanks @​kevin-mizu
  • Updated browser versions for automated tests
  • Updated Node versions for automated tests

v3.0.6: DOMPurify 3.0.6

Compare Source

  • Refactored the core code-base and several utilities, thanks @​ssi02014
  • Updated and fixed several sections of the README, thanks @​ssi02014
  • Updated several outdated build and test dependencies

v3.0.5: DOMPurify 3.0.5

Compare Source

  • Fixed a licensing issue spotted and reported by @​george-thomas-hill
  • Updated several build and test dependencies

v3.0.4: DOMPurify 3.0.4

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN
  • Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @​masatokinugawa

v3.0.3: DOMPurify 3.0.3

Compare Source

  • Added new TRUSTED_TYPES_POLICY configuration option, thanks @​dejang
  • Added feDropShadow to the SVG filter allow-list, thanks @​SelfMadeSystem

v3.0.2: DOMPurify 3.0.2

Compare Source

  • Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @​mukilane
  • Added mprescripts tag to allowed MathML elements, thanks @​duyhai94
  • Added SMS URI scheme to allowed URI schemes, tanks @​Kiwka
  • Updated supported browser versions for nicer code and smaller size, thanks @​buzinas

v3.0.1: DOMPurify 3.0.1

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v3.0.0: DOMPurify 3.0.0

Compare Source

  • Removed all code that is for MSIE-only
  • Removed all tests that are for MSIE-only
  • Modified documentation to reflect new state of MSIE support
  • Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
  • Added better support for shadowrootmode, thanks @​mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the 🤖 Type: Dependencies Dependency updates or something similar label Feb 16, 2025
@renovate renovate bot requested a review from a team as a code owner February 16, 2025 13:45
@vercel Vercel
Copy link

vercel bot commented Feb 16, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
ui-kit ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 13, 2025 1:56pm

@renovate renovate bot requested review from stephsprinkle, jaikamat, ddouglasz, tylermorrisford, ByronDWall and misama-ct and removed request for a team February 16, 2025 13:45
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 16, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 6582010

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from f1669ef to f86b96c Compare February 18, 2025 22:50
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from f86b96c to 47ca4d0 Compare February 20, 2025 09:54
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 47ca4d0 to 674dff3 Compare February 20, 2025 13:55
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 674dff3 to 9e1a511 Compare February 20, 2025 14:49
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 9e1a511 to 8bd77c7 Compare February 24, 2025 14:35
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from 8bd77c7 to d734d57 Compare February 27, 2025 20:19
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from d734d57 to a61a670 Compare March 13, 2025 07:55
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from a61a670 to 6582010 Compare March 13, 2025 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephsprinkle stephsprinkle Awaiting requested review from stephsprinkle stephsprinkle is a code owner automatically assigned from commercetools/first-contact-team-fe

@jaikamat jaikamat Awaiting requested review from jaikamat jaikamat is a code owner automatically assigned from commercetools/first-contact-team-fe

@ddouglasz ddouglasz Awaiting requested review from ddouglasz ddouglasz is a code owner automatically assigned from commercetools/first-contact-team-fe

@tylermorrisford tylermorrisford Awaiting requested review from tylermorrisford tylermorrisford is a code owner automatically assigned from commercetools/first-contact-team-fe

@ByronDWall ByronDWall Awaiting requested review from ByronDWall ByronDWall is a code owner automatically assigned from commercetools/first-contact-team-fe

@misama-ct misama-ct Awaiting requested review from misama-ct misama-ct is a code owner automatically assigned from commercetools/first-contact-team-fe

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
🤖 Type: Dependencies Dependency updates or something similar
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants