chore(deps): bump dompurify from 3.3.2 to 3.4.0 #9065

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/dompurify-3.4.0

Conversation


@dependabot dependabot bot commented on behalf of github Apr 16, 2026

Bumps dompurify from 3.3.2 to 3.4.0.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor
  • Fixed a problem with the type definition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

Commits

  • 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.2 to 3.4.0.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.2...3.4.0)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Apr 16, 2026

github-actions bot commented Apr 16, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump dompurify from 3.3.2 to 3.4.0
  • Issue: None — title is clear and follows conventional style for a dependency bump.
  • Recommendation: Keep as-is. (Good to include the dependency and versions as you did.)

Commit Type

  • Missing commit-type selection in the required PR body template.
  • Note: The PR body must include the Commit Type checklist from the template. For this change, select chore (since this is a dependency bump).
  • Recommendation: Add the Commit Type section and check - [x] chore - Maintenance/tooling.

Risk Level

  • No risk level selected in the PR body AND there is no risk:... label on the PR.
  • Assessment: You must select exactly one risk level in the PR body (Low / Medium / High) and add a matching label risk:low, risk:medium, or risk:high.
  • Recommendation: Based on the diff (dompurify bump from 3.3.2 -> 3.4.0; includes security fixes such as mXSS and prototype-pollution fixes), I advise Medium. Please add the Risk Level section and the label risk:medium to the PR.

What & Why

  • Current: (Missing — PR body contains Dependabot release notes but not the required concise "What & Why" block from the template.)

  • Issue: The PR body must include a brief context: what changed and why it was done, in a single short paragraph.

  • Recommendation: Replace or prepend the Dependabot notes with a short What & Why. Example to paste into the PR body:

    ## What & Why
    This PR upgrades dompurify from 3.3.2 to 3.4.0 to pick up several bug and security fixes (including fixes related to prototype pollution and possible re-contextualization mXSS). This is a dependency maintenance bump to keep the sanitization library up to date and address known issues.


Impact of Change

  • Issue: The PR body does not include the Impact of Change section.
  • Recommendation: Add the Impact of Change section with three short bullets. Example:
    • Users: No visible user-facing UI changes expected. Sanitization behavior may be slightly hardened for certain edge cases.
    • Developers: Ensure any custom DOMPurify configuration (ADD_TAGS/ADD_ATTR/CUSTOM_ELEMENT_HANDLING) still behaves as expected; verify code paths that rely on DOMPurify's config.
    • System: No expected performance regressions; this is a minor dependency upgrade. Please run a quick smoke test of flows that render/sanitize HTML.

Test Plan

  • Assessment: Incomplete. The PR includes only package.json and lockfile changes and contains NO unit or e2e tests. The provided PR body does not explain testing performed.

  • Issue (hard fail): The repository's PR template requires that changes to dependencies that affect security or sanitization must include either: unit tests, E2E tests, or a clear manual-testing justification. This PR adds a security-relevant dependency (dompurify) and has no tests or rationale for no-tests.

  • Recommendation: Do one of the following and document it in the Test Plan section of the PR body:

    • Add/Update unit tests or E2E tests that exercise the code paths relying on DOMPurify, OR
    • If you cannot add tests in this PR: Add a clear manual test plan with steps to validate (e.g., run CI, run the app and verify sanitized content rendering for sample inputs, smoke tests for pages that render HTML). Example test-plan snippet:
      ## Test Plan
      - CI: All pipeline checks must pass.
      - Manual: Sanity check local app pages that sanitize user-provided HTML (Editor pages, previews). Validate that sanitized HTML renders and that no console errors occur.
      - If any custom DOMPurify config is used, validate those code paths.

    If you cannot reasonably add tests in this PR, explicitly explain why and provide the manual test steps — otherwise this check must fail.


⚠️ Contributors

  • Assessment: Empty. Dependabot PRs are fine to leave blank, but it's helpful to acknowledge contributors.
  • Recommendation: Optionally add a small Contributors section (e.g., Dependabot (automated) and any reviewers).

⚠️ Screenshots/Videos

  • Assessment: Not applicable (no UI changes). If any visual behavior related to sanitization is affected, include screenshots; otherwise it's optional.
  • Recommendation: Leave blank or add screenshots only if you observe visible changes.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | Keep as-is. |
| Commit Type | | Add `- [x] chore` in the Commit Type checklist. |
| Risk Level | | Add `- [x] Medium` in the Risk Level section and label `risk:medium`. |
| What & Why | | Add a short "What & Why" paragraph (example provided). |
| Impact of Change | | Add Users/Developers/System bullets (example provided). |
| Test Plan | | Add unit/E2E tests or a clear manual test plan; CI must pass. |
| Contributors | ⚠️ | Optionally add contributors (e.g., Dependabot). |
| Screenshots/Videos | ⚠️ | Not required for this PR unless visual changes are observed. |

Final notes & required actions

  • This PR does NOT pass the PR body/template validation check. Please update the PR body to include the required sections from the template (Commit Type, Risk Level, What & Why, Impact of Change, Test Plan). Use the example snippets above.
  • Add a risk label to the PR. My advised risk level is: Medium. Please add the label risk:medium so labels and body match.
  • Because this dependency is a sanitization library (dompurify) with security-relevant fixes, document your test plan: either add tests (preferred) or provide a clear manual testing checklist and run CI. Without tests or a justification the change should not be approved.

Please update the PR body with the requested sections and the risk:medium label, then re-submit or request a re-check. Thank you for keeping dependencies up to date and for adding the missing metadata to the PR!


Last updated: Thu, 16 Apr 2026 03:36:21 GMT
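The Test Plan above asks for unit tests that exercise the code paths relying on DOMPurify. As an added example (not the project's or DOMPurify's own code), the checks below encode the 3.4.0 behaviours listed in the release notes as regression cases over an injected `sanitize(html, config)` function; `checkWithDOMPurify()` is a hypothetical helper that assumes the `dompurify` and `jsdom` packages are installed, and every HTML input is a constructed sample.

```javascript
// Regression checks for DOMPurify behaviours named in the 3.4.0 release notes.
// Added example, not the project's code. Expected outcomes follow the release
// notes and should be confirmed locally against the installed version.
// All HTML inputs are constructed samples.

const REGRESSION_CASES = [
  {
    name: 'FORBID_TAGS wins over ADD_TAGS (array form)',
    check: (sanitize) => {
      const out = sanitize('<p>a<custom-x>b</custom-x></p>',
        { ADD_TAGS: ['custom-x'], FORBID_TAGS: ['custom-x'] });
      return !/<custom-x/i.test(out); // forbidden tag must not survive
    },
  },
  {
    name: 'FORBID_TAGS wins over ADD_TAGS (function form)',
    check: (sanitize) => {
      const out = sanitize('<p>a<custom-x>b</custom-x></p>',
        { ADD_TAGS: (tag) => tag === 'custom-x', FORBID_TAGS: ['custom-x'] });
      return !/<custom-x/i.test(out);
    },
  },
  {
    name: 'ADD_TAGS function does not leak into the next array-based call',
    check: (sanitize) => {
      // First call allows the custom tag via a predicate ...
      sanitize('<custom-x>a</custom-x>', { ADD_TAGS: (tag) => tag === 'custom-x' });
      // ... the second call must not inherit that predicate.
      const out = sanitize('<custom-x>b</custom-x>', { ADD_TAGS: [] });
      return !/<custom-x/i.test(out);
    },
  },
  {
    name: 'event handler attributes are still stripped',
    check: (sanitize) => !/onerror/i.test(sanitize('<img src="x" onerror="x()">', {})),
  },
];

// Runs every case against the supplied sanitizer; returns [{ name, pass }].
function runRegressionChecks(sanitize) {
  return REGRESSION_CASES.map(({ name, check }) => ({ name, pass: check(sanitize) }));
}

// Hypothetical helper: loads the real DOMPurify in Node via jsdom (assumes both
// packages are installed) and runs the checks against it.
function checkWithDOMPurify() {
  const { JSDOM } = require('jsdom');
  const purify = require('dompurify')(new JSDOM('').window);
  return runRegressionChecks((html, config) => purify.sanitize(html, config));
}
```

Each failing entry returned by `checkWithDOMPurify()` names the release-note behaviour that regressed, which gives the PR a concrete Test Plan result to record.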

@github-actions

📊 Coverage Check

No source files changed in this PR.


Labels

dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code), needs-pr-update
