Skip to content

npm(deps): bump dompurify from 3.4.5 to 3.4.8#2802

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/dompurify-3.4.8
Open

npm(deps): bump dompurify from 3.4.5 to 3.4.8#2802
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/dompurify-3.4.8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Bumps dompurify from 3.4.5 to 3.4.8.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible
Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
npm(deps): bump dompurify from 3.4.5 to 3.4.8
d1e80e7 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.5 to 3.4.8.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.5...3.4.8)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.8
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 5, 2026
@dependabot dependabot Bot added the javascript Pull requests that update Javascript code label Jun 5, 2026
@dependabot dependabot Bot mentioned this pull request Jun 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daniel-mcadam-nhs daniel-mcadam-nhs Awaiting requested review from daniel-mcadam-nhs daniel-mcadam-nhs is a code owner

@kevinmason-nhs kevinmason-nhs Awaiting requested review from kevinmason-nhs kevinmason-nhs is a code owner

@EdwardWills-nhs EdwardWills-nhs Awaiting requested review from EdwardWills-nhs EdwardWills-nhs is a code owner

@georgeCraftReferrals georgeCraftReferrals Awaiting requested review from georgeCraftReferrals georgeCraftReferrals is a code owner

@csaw-nhs csaw-nhs Awaiting requested review from csaw-nhs csaw-nhs is a code owner

@petkopetkov2 petkopetkov2 Awaiting requested review from petkopetkov2 petkopetkov2 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants