Skip to content

Bump dompurify from 3.2.6 to 3.3.3 in /project-templates/node-json-theia#259

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/project-templates/node-json-theia/dompurify-3.3.3
Closed

Bump dompurify from 3.2.6 to 3.3.3 in /project-templates/node-json-theia#259
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/project-templates/node-json-theia/dompurify-3.3.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps dompurify from 3.2.6 to 3.3.3.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq
Commits
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump dompurify from 3.2.6 to 3.3.3 in /project-templates/node-json-theia
e4bcbbc 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.2.6 to 3.3.3.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.3.3)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 28, 2026
@tortmayr tortmayr mentioned this pull request Jun 9, 2026
Merged
tortmayr added a commit that referenced this pull request Jun 9, 2026
@tortmayr
Consolidate Dependabot npm updates (#263)
d725ccd 
Regenerate the affected yarn.lock files so all transitive/in-range
dependencies flagged by the open Dependabot PRs are bumped to their
patched (latest in-range) versions, and prune the duplicate/orphan
lock entries left behind by the partial consolidation in #262.

Updated packages (>= the version Dependabot requested):
- handlebars 4.7.9, yaml 2.9.0, flatted 3.4.2, diff 4.0.4/5.2.2,
  picomatch 2.3.2, multer 2.1.1, socket.io-parser 4.2.6,
  basic-ftp 5.3.1 (workflow / project-templates/*)
- dompurify 3.4.8, tar-fs 2.1.4 (node-json-theia)
- axios 1.17.0, qs 6.15.2, ajv 6.15.0, underscore 1.13.8,
  serialize-javascript 6.0.2, webpack 5.107.2 (node-json-vscode)
- ajv 6.15.0, socket.io-parser 4.2.6 (java-emf-theia)
- webpack 5.107.2 (java-emf-eclipse, node-json-theia)

Supersedes #220-#231, #234-#259. All five lockfiles verified with
`yarn install --frozen-lockfile`.
@tortmayr

tortmayr commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

Looks like dompurify is no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 9, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/project-templates/node-json-theia/dompurify-3.3.3 branch June 9, 2026 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tortmayr