From a62093155ef0a9cb1ba4613b0011178ffefab775 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Tue, 2 Jun 2026 12:13:07 +0200 Subject: [PATCH] chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit dompurify@3.4.4 is vulnerable to XSS via the selectedcontent re-clone path (GHSA-87xg-pxx2-7hvx). dompurify is transitive via mermaid; the latest mermaid (11.15.0) declares dompurify@^3.3.1 — that range still permits 3.4.4 so an upstream bump does not move us off the vulnerable version. Add an override matching the existing pattern for axios / tmp / esbuild / etc. Resolved version after install: dompurify@3.4.7. Patch-range bump on a sanitisation-only library — risk minimal. --- package.json | 1 + pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 7792c13..2df61a7 100644 --- a/package.json +++ b/package.json @@ -45,6 +45,7 @@ "axios@<1.15.2": ">=1.15.2", "@angular-devkit/core>ajv@<8.18.0": ">=8.18.0", "brace-expansion@<5.0.6": ">=5.0.6", + "dompurify@<3.4.5": ">=3.4.5", "esbuild@<0.25.0": ">=0.25.0", "follow-redirects@<1.16.0": ">=1.16.0", "ip-address@<10.1.1": ">=10.1.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index d747437..f5e2f80 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -8,6 +8,7 @@ overrides: axios@<1.15.2: '>=1.15.2' '@angular-devkit/core>ajv@<8.18.0': '>=8.18.0' brace-expansion@<5.0.6: '>=5.0.6' + dompurify@<3.4.5: '>=3.4.5' esbuild@<0.25.0: '>=0.25.0' follow-redirects@<1.16.0: '>=1.16.0' ip-address@<10.1.1: '>=10.1.1' @@ -6924,9 +6925,8 @@ packages: resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==} engines: {node: '>= 4'} - dompurify@3.4.4: - resolution: {integrity: sha512-r8K7KGKEcztXfA/nfabSYB2hg9tDphORJTdf8xprN/luSLGmNhOBN8dm1/SYjqLLet6YUFEXOcrdTuwryp/Bew==} - deprecated: Fixed a security issue introduced in 3.4.4 + dompurify@3.4.7: + resolution: {integrity: sha512-2jBxDJY4RR06tQNy4w5FlFH7kfxsQZlufd0sbv+chfHCxeJwrFw2baUDsSwvBISD4K4RDbd0PTfy3uNXsR6siA==} domutils@3.2.2: resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==} @@ -19344,7 +19344,7 @@ snapshots: dependencies: domelementtype: 2.3.0 - dompurify@3.4.4: + dompurify@3.4.7: optionalDependencies: '@types/trusted-types': 2.0.7 @@ -21553,7 +21553,7 @@ snapshots: d3-sankey: 0.12.3 dagre-d3-es: 7.0.14 dayjs: 1.11.21 - dompurify: 3.4.4 + dompurify: 3.4.7 es-toolkit: 1.46.1 katex: 0.16.47 khroma: 2.1.0