
chore(deps): bump dompurify from 3.4.0 to 3.4.9 #9291

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/dompurify-3.4.9


Conversation

@dependabot dependabot[bot] commented on behalf of github, Jun 17, 2026 (Contributor)

Bumps dompurify from 3.4.0 to 3.4.9.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @offset
  • Further improved the handling of IN_PLACE sanitization, thanks @mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @DEMON1A
  • Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

DOMPurify 3.4.2

... (truncated)

Commits

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.0 to 3.4.9.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.0...3.4.9)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.9
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
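The install-script warning in the PR body is the one point a reviewer of a bump like this has to act on before merging. As an added example (not code from this PR, from Dependabot, or from the DOMPurify project), the Node.js script below lists the npm lifecycle hooks declared in a dependency's package.json that can execute code at install time, and scans an npm package-lock.json (lockfileVersion 2 or 3) for entries that npm has marked `hasInstallScript`, so a bump that flips that flag shows up in the lockfile diff alone. Which installs trigger each hook follows npm's lifecycle documentation: `preinstall`, `install` and `postinstall` run when the package is installed from the registry as a dependency, while `prepare` runs for git dependencies and for a local `npm install` inside the package's own checkout. The package.json and lockfile contents are constructed samples, not dompurify's real files or this repository's lockfile; `installScripts`, `packagesWithInstallScripts` and `reviewSummary` are names chosen here.

```javascript
// Added example (not part of this PR or of DOMPurify): surface the npm lifecycle
// scripts in a dependency that can run code when it is installed, so a version
// bump can be reviewed for install-time behaviour before it is merged.

// Which installs trigger each hook, per npm's lifecycle documentation:
// preinstall/install/postinstall run when the package is installed as a
// dependency from the registry; prepare runs for git dependencies and for a
// local `npm install` in the package's own checkout.
const INSTALL_HOOKS = {
  preinstall: "registry install",
  install: "registry install",
  postinstall: "registry install",
  prepare: "git dependency or local install",
};

// Return the install-time hooks declared in a package.json (given as text),
// in the order of INSTALL_HOOKS, with the command each one would run.
function installScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts && typeof pkg.scripts === "object" ? pkg.scripts : {};
  return Object.keys(INSTALL_HOOKS)
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, runsOn: INSTALL_HOOKS[hook], command: String(scripts[hook]) }));
}

// Lockfile side: npm's package-lock.json (lockfileVersion 2 and 3) marks every
// entry that has preinstall/install/postinstall with "hasInstallScript": true.
// Returns the node_modules paths (and versions) carrying that flag.
function packagesWithInstallScripts(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages && typeof lock.packages === "object" ? lock.packages : {};
  return Object.entries(packages)
    .filter(([, entry]) => entry && entry.hasInstallScript === true)
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Combine both views into one reviewer-facing result.
function reviewSummary(packageJsonText, lockfileText) {
  const hooks = installScripts(packageJsonText);
  const flagged = packagesWithInstallScripts(lockfileText);
  return { hooks, flagged, needsReview: hooks.length > 0 || flagged.length > 0 };
}

// Constructed sample inputs (NOT the real dompurify package.json and NOT this
// repository's lockfile): a dependency that declares a prepare script, and a
// lockfile in which a different package carries the hasInstallScript flag.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-dep",
  version: "1.2.3",
  scripts: { build: "rollup -c", prepare: "npm run build", test: "mocha" },
});

const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.1" },
    "node_modules/example-dep": { version: "1.2.3" },
    "node_modules/native-thing": { version: "4.5.6", hasInstallScript: true },
  },
});

// Run stand-alone with: node check-install-scripts.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(reviewSummary(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE), null, 2));
}
```

For a real bump, feed it the package.json out of `npm pack <name>@<version>` and the post-update package-lock.json; the `hooks` list tells you what would run and when, and the `flagged` list tells you which entries npm itself considers to have install scripts.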
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
Copilot AI review requested due to automatic review settings June 17, 2026 05:46
@dependabot dependabot Bot added javascript Pull requests that update javascript code dependencies Pull requests that update a dependency file labels Jun 17, 2026

Copilot AI left a comment (Contributor)

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-actions github-actions Bot commented Jun 17, 2026 (Contributor)

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump dompurify from 3.4.0 to 3.4.9
  • Issue: None — this is a clear, high-quality dependency update title.
  • Recommendation: No change needed.

Commit Type

  • Properly selected as a dependency maintenance change (chore).
  • Only one commit type should be selected; this PR appears compliant.

⚠️ Risk Level

  • The PR body does not visibly show the selected risk checkbox, and the labels on the PR only include dependencies and javascript — there is no risk:low, risk:medium, or risk:high label present.
  • Based on the diff, this is a dependency bump with security-relevant package changes, so medium is an appropriate advised risk level.
  • Recommendation: Add the required risk label, e.g. risk:medium, and ensure the PR body’s Risk Level checkbox matches it.

What & Why

  • Current: Bumps dompurify from 3.4.0 to 3.4.9.
  • Issue: Brief but acceptable for a Dependabot PR.
  • Recommendation: Optional improvement: mention the security/stability motivation, e.g. Upgrade dompurify to 3.4.9 to pick up upstream security and Trusted Types handling fixes.

⚠️ Impact of Change

  • The impact section is effectively left blank. That is common for automated dependency bumps, but it would be better to explicitly note the scope.
  • Recommendation:
    • Users: No expected user-facing behavior change; dependency update only.
    • Developers: Affects packages that consume dompurify directly; verify sanitizer behavior remains unchanged.
    • System: Low operational impact; lockfile updated only.

Test Plan

  • The diff contains dependency-only changes and no application code changes.
  • Per the PR template, no automated tests are required for non-code changes, so the test plan passes.

⚠️ Contributors

  • No contributors section was filled in. This is not required, but if anyone assisted or requested the change, it would be good to acknowledge them.
  • Recommendation: Add contributors only if applicable; otherwise this can remain blank.

Screenshots/Videos

  • Not applicable for a dependency update.
  • No action needed.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | None |
| Commit Type | | None |
| Risk Level | ⚠️ | Add the required risk:medium label and match the PR body |
| What & Why | | Optional: mention security/stability motivation |
| Impact of Change | ⚠️ | Fill in a brief dependency-update impact summary |
| Test Plan | | None |
| Contributors | ⚠️ | Add only if applicable |
| Screenshots/Videos | | None |

Final assessment: the PR passes. The advised risk level is medium, which is higher than the risk labeling shown in the PR metadata because no risk:* label is present. Please add the required risk label and, if desired, tighten the Impact of Change section for clarity.


Last updated: Wed, 17 Jun 2026 05:46:30 GMT

@github-actions github-actions Bot commented (Contributor)

📊 Coverage check completed. See workflow run for details.

@dependabot dependabot Bot commented on behalf of github, Jun 19, 2026 (Contributor, Author)

Superseded by #9298.

@dependabot dependabot Bot closed this Jun 19, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/dompurify-3.4.9 branch June 19, 2026 07:39

Labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code), pr-validated
