chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx)
CI / commits (pull_request) Successful in 2m43s
CI / scan (pull_request) Successful in 3m4s
CI / check (pull_request) Successful in 5m6s
CI / a11y (pull_request) Successful in 2m8s
Docs site / build (pull_request) Successful in 2m24s
CI / perf (pull_request) Successful in 5m11s
CI / commits (pull_request) Successful in 2m43s
CI / scan (pull_request) Successful in 3m4s
CI / check (pull_request) Successful in 5m6s
CI / a11y (pull_request) Successful in 2m8s
Docs site / build (pull_request) Successful in 2m24s
CI / perf (pull_request) Successful in 5m11s
dompurify@3.4.4 is vulnerable to XSS via the selectedcontent re-clone path (GHSA-87xg-pxx2-7hvx). dompurify is transitive via mermaid; the latest mermaid (11.15.0) declares dompurify@^3.3.1 — that range still permits 3.4.4 so an upstream bump does not move us off the vulnerable version. Add an override matching the existing pattern for axios / tmp / esbuild / etc. Resolved version after install: dompurify@3.4.7. Patch-range bump on a sanitisation-only library — risk minimal.
This commit is contained in:
@@ -45,6 +45,7 @@
|
||||
"axios@<1.15.2": ">=1.15.2",
|
||||
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
|
||||
"brace-expansion@<5.0.6": ">=5.0.6",
|
||||
"dompurify@<3.4.5": ">=3.4.5",
|
||||
"esbuild@<0.25.0": ">=0.25.0",
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
|
||||
Reference in New Issue
Block a user