chore(deps): bump dompurify from 3.3.2 to 3.4.0 in /libs/designer-ui

[dependabot]

Bumps dompurify from 3.3.2 to 3.4.0.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

📊 Coverage check completed. See workflow run for details.

[github-actions]

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

✅ PR Title

• Current: chore(deps): bump dompurify from 3.3.2 to 3.4.0 in /libs/designer-ui
• Issue: None — title is clear, conventional, and describes the change.
• Recommendation: Keep as-is.

---

❌ Commit Type

• The PR body does not follow the repository PR template. The "Commit Type" checklist is not present/filled in the PR description.
• Note: For dependency bumps the appropriate commit type is usually chore (and your title already uses chore).
• Recommendation: Select a single commit type in the PR body (e.g., - [x] chore). If multiple types apply, explain in the description why.

---

❌ Risk Level

• Assessment: Missing. The PR body did not include the Risk Level checklist.
• Labels: I inspected the PR labels — present labels are javascript and dependencies. There is NO risk:low, risk:medium, or risk:high label on this PR.
• Advised Risk: risk:medium — rationale: this is an update to DOMPurify, a security-sensitive sanitization library. The 3.4.0 release contains several security and mXSS/prototype-pollution fixes; while the diff only touches package.json, behavioral/security changes in a sanitizer can have meaningful impact on rendered UI and security posture.
• Recommendation: Add a risk label matching the PR body (e.g., add label risk:medium) and update the PR Risk Level checklist to select "Medium" with a short justification (see suggested wording below).

---

❌ What & Why

• Current: (Missing — PR body is Dependabot generated release notes, not the project's PR template fields.)
• Issue: The repository expects a short "What & Why" section explaining the change in the requested format.
• Recommendation: Add a short summary, for example:
  • "What: Bump dompurify from 3.3.2 to 3.4.0 in libs/designer-ui.\n - Why: Pulls in fixes for several security issues (mXSS, prototype pollution) and bug fixes; keeps dependency up to date."

---

❌ Impact of Change

• Issue: Missing the Impact section required by the template.
• Recommendation (copy/edit this into the PR):
  • Users: No direct UI changes expected. Potentially safer sanitization of user-supplied HTML; however, verify there are no regressions in existing sanitized content behavior.
  • Developers: Dependency upgrade in libs/designer-ui; run yarn/npm install and ensure no build/test failures.
  • System: Minimal performance impact expected. Security posture improved due to fixes included in DOMPurify 3.4.0.

---

❌ Test Plan

• Assessment: No unit tests or E2E tests were added/updated in this PR. The code diff only updates libs/designer-ui/package.json.
• Issue: The PR template requires a Test Plan. The repository's instructions say: "If no unit tests are added and no E2E tests are added and there's no explanation as to why then fail the this whole check entirely." Because this is a security-sensitive dependency upgrade and there is no test plan or explanation, I am failing this check.
• Recommendation: Add one of the following to the Test Plan section of the PR body:

  • If you added tests: list the tests and the files changed. (Not applicable here.)

  • If no tests were added: provide a clear manual testing plan and a justification for why automated tests weren’t required. Example steps:

    1. Run yarn install in repo root and yarn workspace @your-scope/designer-ui test (or the appropriate test command). Confirm all unit tests pass.
    2. Build the designer UI: yarn build (or repo-specific build command) and smoke-test the app.
    3. Manually exercise any UI components that use DOMPurify (e.g., editor/preview components) and ensure sanitized HTML renders as before. Include specific pages/components to exercise.
    4. Run security scanning tools (Snyk/Dependabot warnings/OWASP zap where applicable) and report results.

  • If you believe no testing is necessary, explain why (e.g., only a dev-only dependency with no runtime usage — but please verify and state that).

---

⚠️ Contributors

• Assessment: The PR body has no Contributors section in the required template. The Dependabot description is acceptable for automated updates, but please add a short contributors note or leave blank if none.
• Recommendation: Add Contributors with dependabot[bot] and any reviewers who helped, or a short note acknowledging the Dependabot automation.

---

⚠️ Screenshots/Videos

• Assessment: Not applicable for this non-visual change. This is fine to leave blank.

---

Summary Table

Section	Status	Recommendation
Title	✅	Keep the current title
Commit Type	❌	Select chore in the PR body
Risk Level	❌	Add risk:medium label and select Medium in the PR body with justification
What & Why	❌	Add a short What & Why section describing the dependency bump and reasons
Impact of Change	❌	Fill out Users/Developers/System impact bullet points as suggested
Test Plan	❌	Add unit/E2E tests or a clear manual test plan and justification
Contributors	⚠️	Add a short contributors acknowledgment (Dependabot) or leave blank with note
Screenshots/Videos	⚠️	Not required for this change

---

Final Notes & Suggested Edits (copy/paste to update the PR body):

1. At top of PR body add the required template and mark values, e.g.:

## Commit Type
- [ ] feature
- [ ] fix
- [ ] refactor
- [ ] perf
- [ ] docs
- [ ] test
- [x] chore

## Risk Level
- [ ] Low
- [x] Medium
- [ ] High

## What & Why
- What: Bump dompurify from 3.3.2 to 3.4.0 in libs/designer-ui.
- Why: Includes security fixes (mXSS, prototype pollution mitigations) and bug fixes; keeps dependency up to date.

## Impact of Change
- **Users:** No direct UI changes expected. Potentially safer sanitization; verify rendering.
- **Developers:** Run install/build locally; update lockfile if necessary.
- **System:** Minimal perf impact; improved security posture.

## Test Plan
- [ ] Unit tests added/updated
- [ ] E2E tests added/updated
- [x] Manual testing completed

Manual testing steps:
1. Install dependencies and run unit tests: `yarn && yarn test` (or repo-specific commands) — confirm pass.
2. Build designer-ui and smoke-test pages/components using DOMPurify.
3. Verify sample inputs containing HTML are sanitized and rendered correctly across affected components.
4. Run `npm audit`/security scanner and report results.

2. Add the repository risk label (e.g., risk:medium) to the PR so the CI/automation and reviewers can see the selected risk.

3. If you intentionally did not add any tests, explain why in the Test Plan and include a short manual verification checklist as shown above.

4. Optional: mention dependabot[bot] in Contributors or leave that section blank with a note.

---

Summary: This PR's title is fine, but the PR body does not follow the required template: commit type, risk level, What & Why, Impact, and Test Plan are missing or incomplete. Also the PR currently lacks a risk label. Because DOMPurify is security-sensitive and the release notes mention security fixes, I advise risk:medium. Please update the PR body using the suggested text above, add the risk label risk:medium, and add/describe testing steps (or tests) and then re-submit.

Thank you!

---

Last updated: Thu, 16 Apr 2026 04:03:27 GMT