chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx)
CI / commits (pull_request) Successful in 2m43s
CI / scan (pull_request) Successful in 3m4s
CI / check (pull_request) Successful in 5m6s
CI / a11y (pull_request) Successful in 2m8s
Docs site / build (pull_request) Successful in 2m24s
CI / perf (pull_request) Successful in 5m11s
CI / commits (pull_request) Successful in 2m43s
CI / scan (pull_request) Successful in 3m4s
CI / check (pull_request) Successful in 5m6s
CI / a11y (pull_request) Successful in 2m8s
Docs site / build (pull_request) Successful in 2m24s
CI / perf (pull_request) Successful in 5m11s
dompurify@3.4.4 is vulnerable to XSS via the selectedcontent re-clone path (GHSA-87xg-pxx2-7hvx). dompurify is transitive via mermaid; the latest mermaid (11.15.0) declares dompurify@^3.3.1 — that range still permits 3.4.4 so an upstream bump does not move us off the vulnerable version. Add an override matching the existing pattern for axios / tmp / esbuild / etc. Resolved version after install: dompurify@3.4.7. Patch-range bump on a sanitisation-only library — risk minimal.
This commit is contained in:
Generated
+5
-5
@@ -8,6 +8,7 @@ overrides:
|
||||
axios@<1.15.2: '>=1.15.2'
|
||||
'@angular-devkit/core>ajv@<8.18.0': '>=8.18.0'
|
||||
brace-expansion@<5.0.6: '>=5.0.6'
|
||||
dompurify@<3.4.5: '>=3.4.5'
|
||||
esbuild@<0.25.0: '>=0.25.0'
|
||||
follow-redirects@<1.16.0: '>=1.16.0'
|
||||
ip-address@<10.1.1: '>=10.1.1'
|
||||
@@ -6924,9 +6925,8 @@ packages:
|
||||
resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
|
||||
engines: {node: '>= 4'}
|
||||
|
||||
dompurify@3.4.4:
|
||||
resolution: {integrity: sha512-r8K7KGKEcztXfA/nfabSYB2hg9tDphORJTdf8xprN/luSLGmNhOBN8dm1/SYjqLLet6YUFEXOcrdTuwryp/Bew==}
|
||||
deprecated: Fixed a security issue introduced in 3.4.4
|
||||
dompurify@3.4.7:
|
||||
resolution: {integrity: sha512-2jBxDJY4RR06tQNy4w5FlFH7kfxsQZlufd0sbv+chfHCxeJwrFw2baUDsSwvBISD4K4RDbd0PTfy3uNXsR6siA==}
|
||||
|
||||
domutils@3.2.2:
|
||||
resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
|
||||
@@ -19344,7 +19344,7 @@ snapshots:
|
||||
dependencies:
|
||||
domelementtype: 2.3.0
|
||||
|
||||
dompurify@3.4.4:
|
||||
dompurify@3.4.7:
|
||||
optionalDependencies:
|
||||
'@types/trusted-types': 2.0.7
|
||||
|
||||
@@ -21553,7 +21553,7 @@ snapshots:
|
||||
d3-sankey: 0.12.3
|
||||
dagre-d3-es: 7.0.14
|
||||
dayjs: 1.11.21
|
||||
dompurify: 3.4.4
|
||||
dompurify: 3.4.7
|
||||
es-toolkit: 1.46.1
|
||||
katex: 0.16.47
|
||||
khroma: 2.1.0
|
||||
|
||||
Reference in New Issue
Block a user