Skip to content

fix(deps): security bumps for 1 Dependabot alert#292

Open
rtBot wants to merge 1 commit into
mainfrom
deps/security-fixes-2026-06-30
Open

fix(deps): security bumps for 1 Dependabot alert#292
rtBot wants to merge 1 commit into
mainfrom
deps/security-fixes-2026-06-30

Conversation

@rtBot

@rtBot rtBot commented Jun 30, 2026

Copy link
Copy Markdown

Summary

Bumps dompurify to a patched, same-major version in packages/frappe-ui-react to resolve 1 open Dependabot alert.

package old → new alert # severity GHSA
dompurify 3.4.10 → 3.4.11 #48 medium GHSA-cmwh-pvxp-8882

How tested

Lockfile-only update via pnpm update dompurify@3.4.11 --lockfile-only (no full install / build). The direct-dependency specifier was tightened ^3.4.10^3.4.11 so the lock resolves the patched version cleanly. Not built locally — please verify in CI.

Residual risk

Minimal — same-major (3.x) patch bump. No application source touched.

Do not merge until CI is green.

Resolves Dependabot alert #48 (GHSA-cmwh-pvxp-8882). Same-major patch
(3.4.10 -> 3.4.11) via pnpm --lockfile-only; specifier tightened to ^3.4.11.
Copilot AI review requested due to automatic review settings June 30, 2026 11:25

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants