Skip to content

fix(deps): update studiocms dependencies#1539

Merged
Adammatthiesen merged 2 commits into
mainfrom
renovate/studiocms-studiocms-dependencies
Jul 11, 2026
Merged

fix(deps): update studiocms dependencies#1539
Adammatthiesen merged 2 commits into
mainfrom
renovate/studiocms-studiocms-dependencies

Conversation

@renovate

@renovate renovate Bot commented Mar 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@iconify-json/simple-icons ^1.2.74^1.2.89 age confidence
@nanostores/i18n ^1.2.2^1.3.3 age confidence
@nanostores/persistent ^1.3.3^1.3.4 age confidence
ace-builds ^1.43.6^1.44.0 age confidence
dompurify ^3.3.3^3.4.11 age confidence
fuse.js (source) ^7.1.0^7.4.2 age confidence
jose ^6.2.1^6.2.3 age confidence
magicast ^0.5.2^0.5.3 age confidence
nanostores ^1.2.0^1.4.0 age confidence
web-vitals ^5.1.0^5.3.0 age confidence

Release Notes

nanostores/i18n (@​nanostores/i18n)

v1.3.3

Compare Source

v1.3.2

Compare Source

v1.3.1

Compare Source

v1.3.0

Compare Source

nanostores/persistent (@​nanostores/persistent)

v1.3.4

Compare Source

  • Fixed persistentBoolean cross tab synchronization (by @​dettogatto).
ajaxorg/ace-builds (ace-builds)

v1.44.0

Compare Source

Features
Bug Fixes
  • mode type to accept both SyntaxMode and string across definitions and implementations (#​5925) (a6b1cb1)
  • row calculation for fractional coords in virtual_renderer (#​5914) (a6724b7)
1.43.6 (2026-01-23)
Bug Fixes
1.43.5 (2025-12-02)
1.43.4 (2025-10-17)
Bug Fixes
1.43.3 (2025-09-02)
Bug Fixes
1.43.2 (2025-07-15)
Features
1.43.1 (2025-07-02)
Bug Fixes
1.42.1 (2025-06-20)
Features
cure53/DOMPurify (dompurify)

v3.4.11: DOMPurify 3.4.11

Compare Source

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

v3.4.10: DOMPurify 3.4.10

Compare Source

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

v3.4.9: DOMPurify 3.4.9

Compare Source

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

v3.4.8: DOMPurify 3.4.8

Compare Source

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

v3.4.7: DOMPurify 3.4.7

Compare Source

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

v3.4.6: DOMPurify 3.4.6

Compare Source

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

v3.4.5: DOMPurify 3.4.5

Compare Source

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

v3.4.4: DOMPurify 3.4.4

Compare Source

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

v3.4.3: DOMPurify 3.4.3

Compare Source

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

v3.4.2: DOMPurify 3.4.2

Compare Source

  • Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
  • Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

v3.4.1: DOMPurify 3.4.1

Compare Source

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

v3.4.0: DOMPurify 3.4.0

Compare Source

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
  • Fixed a problem with the type dentition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published

krisk/Fuse (fuse.js)

v7.4.2

Compare Source

v7.4.1

Compare Source

v7.4.0

Compare Source

v7.3.0

Compare Source

Features
  • add BigInt support for indexing and search (0ae662c), closes #​814
  • add static Fuse.match() for single string matching (460eb5b)
  • add token search — per-term fuzzy matching with IDF scoring (68c1dcf)
  • getFn null return, escaped pipe in extended search, empty query returns all (d33b735), closes #​800 #​765 #​728
  • removeAt() now returns the removed item (8cec7e2), closes #​675
  • search: support keyless string entries in logical queries (8695556), closes #​736
Bug Fixes
  • index: coerce non-string array values to strings during indexing (db0e181), closes #​738
  • index: strip getFn from keys in toJSON() for safe serialization (0f2a69b), closes #​798
  • lint: suppress unused var in toJSON destructure (d63c0e8)
  • merge overlapping match indices in extended search (06c5e97)
  • search: handle non-decomposable diacritics in stripDiacritics (5a01f29), closes home-assistant/frontend#30399 #​816
  • search: handle quoted tokens with inner spaces and quotes in extended search (c226523), closes #​810
  • search: inverse patterns now work correctly across multiple keys (9351882), closes #​712

v7.2.0

Compare Source

Features
  • add Fuse.use() for runtime plugin registration (8546a9b)
Performance
  • inline Bitap score computation to reduce object allocation in hot loops (8546a9b)
  • batch removeAll for O(n) bulk removes instead of O(n*k) (8546a9b)
  • heap-based top-k selection when limit is set (8546a9b)
  • cache compiled searcher for repeated queries (8546a9b)
Bug Fixes
  • search: deduplicate and merge overlapping match indices (60c393a), closes #​735
  • search: preserve original array indices in nested path traversal (a1451be), closes #​786
  • types: correct key type in FuseSortFunctionMatch (fecee16), closes #​811
  • types: correct keys type in parseIndex parameter (58c7c73), closes #​794
panva/jose (jose)

v6.2.3

Compare Source

Refactor
  • cleanly reject invalid PBES2 p2c (0cdb851)

v6.2.2

Compare Source

Fixes
  • reject failed decompression with JWEInvalid error (043b181)
unjs/magicast (magicast)

v0.5.3

Compare Source

   🚀 Features
    View changes on GitHub
nanostores/nanostores (nanostores)

v1.4.0

Compare Source

  • Added batch to run one re-render on many stores changes (by @​psd-coder).
  • Added listening base key for nested mutation to listenKeys (by @​ifo123).
  • Fixed getPath throwing on null intermediate values (by @​chatman-media).
  • Fixed listenKeys on the whole set changes (by @​LeSingh1).
  • Fixed resetting computed cache on cleanStores (by @​ATOM00blue).

v1.3.0

Compare Source

  • Added globalThis.nanostoresGlobal to sync stores in JS bundles (by @​afurm).
GoogleChrome/web-vitals (web-vitals)

v5.3.0

Compare Source

  • Remove getFirstHiddenTimePolyfill
    (#​729)
  • Fixed issue where the same configuration object to multiple metric functions can result in errors
    (#​731)
  • Add more robust interactionTarget setting for INP
    (#​744)

v5.2.0

Compare Source

  • Replace filter()[0] with find() for better performance (#​658)
  • Use queueMicrotask for microtask scheduling (#​660)
  • Simplify the event and LoAF entry clean up logic (#​662)
  • Remove obsolete FID polyfill types (#​675)
  • Use LargestContentfulPaint.id as fallback when element is removed from DOM (#​676)
  • Fix bug for onLCP when attached late (#​697)
  • FHandle initially hidden pages and onLCP registered on visibility change (#​698)
  • Ensure we clear idle callbacks in whenIdleOrHidden (#​707)
  • Limit pending events to conserve memory (#​710)
  • Add includeProcessedEventEntries option (#​714)
  • Reduce bundle size by refactoring (#​713)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner March 23, 2026 01:11
@changeset-bot

changeset-bot Bot commented Mar 23, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 3062137

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
studiocms Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions

github-actions Bot commented Mar 23, 2026

Copy link
Copy Markdown
Contributor

Allure Test Report for this PR:

Allure Report | History

@codecov

codecov Bot commented Mar 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@pkg-pr-new

pkg-pr-new Bot commented Mar 23, 2026

Copy link
Copy Markdown
create-studiocms

npm i https://pkg.pr.new/create-studiocms@1539

effectify

npm i https://pkg.pr.new/effectify@1539

studiocms

npm i https://pkg.pr.new/studiocms@1539

@studiocms/auth0

npm i https://pkg.pr.new/@studiocms/auth0@1539

@studiocms/blog

npm i https://pkg.pr.new/@studiocms/blog@1539

@studiocms/cloudinary-image-service

npm i https://pkg.pr.new/@studiocms/cloudinary-image-service@1539

@studiocms/devapps

npm i https://pkg.pr.new/@studiocms/devapps@1539

@studiocms/discord

npm i https://pkg.pr.new/@studiocms/discord@1539

@studiocms/github

npm i https://pkg.pr.new/@studiocms/github@1539

@studiocms/google

npm i https://pkg.pr.new/@studiocms/google@1539

@studiocms/html

npm i https://pkg.pr.new/@studiocms/html@1539

@studiocms/markdoc

npm i https://pkg.pr.new/@studiocms/markdoc@1539

@studiocms/markdown-remark

npm i https://pkg.pr.new/@studiocms/markdown-remark@1539

@studiocms/md

npm i https://pkg.pr.new/@studiocms/md@1539

@studiocms/mdx

npm i https://pkg.pr.new/@studiocms/mdx@1539

@studiocms/s3-storage

npm i https://pkg.pr.new/@studiocms/s3-storage@1539

@studiocms/upgrade

npm i https://pkg.pr.new/@studiocms/upgrade@1539

@studiocms/wysiwyg

npm i https://pkg.pr.new/@studiocms/wysiwyg@1539

@withstudiocms/api-spec

npm i https://pkg.pr.new/@withstudiocms/api-spec@1539

@withstudiocms/auth-kit

npm i https://pkg.pr.new/@withstudiocms/auth-kit@1539

@withstudiocms/cli-kit

npm i https://pkg.pr.new/@withstudiocms/cli-kit@1539

@withstudiocms/component-registry

npm i https://pkg.pr.new/@withstudiocms/component-registry@1539

@withstudiocms/config-utils

npm i https://pkg.pr.new/@withstudiocms/config-utils@1539

@withstudiocms/effect

npm i https://pkg.pr.new/@withstudiocms/effect@1539

@withstudiocms/internal_helpers

npm i https://pkg.pr.new/@withstudiocms/internal_helpers@1539

@withstudiocms/kysely

npm i https://pkg.pr.new/@withstudiocms/kysely@1539

@withstudiocms/sdk

npm i https://pkg.pr.new/@withstudiocms/sdk@1539

@withstudiocms/template-lang

npm i https://pkg.pr.new/@withstudiocms/template-lang@1539

commit: 3062137

@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch from a15a2de to d357244 Compare March 26, 2026 09:08
@renovate renovate Bot changed the title fix(deps): update dependency jose to ^6.2.2 fix(deps): update studiocms dependencies Mar 26, 2026
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 3 times, most recently from 185a9b4 to 0c62d3a Compare April 3, 2026 08:36
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 3 times, most recently from 3ada17f to ad39028 Compare April 10, 2026 06:09
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 7 times, most recently from 1da8066 to 08c8a3a Compare April 22, 2026 09:46
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 4 times, most recently from 79b1aaf to c09ce50 Compare April 30, 2026 17:18
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 2 times, most recently from 5edd950 to 0492b0f Compare May 9, 2026 04:49
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 4 times, most recently from 7ed4881 to 196558e Compare May 16, 2026 13:24
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 3 times, most recently from 80d1957 to 72ccf29 Compare May 22, 2026 06:07
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 6 times, most recently from 13e1abd to c24c6da Compare June 2, 2026 22:48
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 5 times, most recently from 5b976c2 to 026752f Compare June 11, 2026 06:57
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 2 times, most recently from 1b4aa7f to 0aac2d9 Compare June 16, 2026 00:14
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 2 times, most recently from a4685ce to dae509b Compare June 25, 2026 05:48
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch 2 times, most recently from 333f60d to 4369391 Compare July 2, 2026 17:40
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch from 4369391 to f61c277 Compare July 8, 2026 08:35
@renovate renovate Bot force-pushed the renovate/studiocms-studiocms-dependencies branch from f61c277 to 4408465 Compare July 11, 2026 04:03
@renovate

renovate Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@Adammatthiesen Adammatthiesen merged commit cefc168 into main Jul 11, 2026
30 checks passed
@Adammatthiesen Adammatthiesen deleted the renovate/studiocms-studiocms-dependencies branch July 11, 2026 04:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant