chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx) (#267)
## Summary Add a `pnpm.overrides` entry for `dompurify` to cover [GHSA-87xg-pxx2-7hvx](https://github.com/advisories/GHSA-87xg-pxx2-7hvx) — an XSS via `selectedcontent` re-clone in `dompurify@3.4.4`. Surfaced by `pnpm ci:audit`, same fix recipe as the prior `tmp` advisory (PR #240). ## Why this isn't an upstream upgrade `dompurify` is a transitive of `mermaid` (which both the docs site VitePress plugin and the in-app diagrams use). The latest `mermaid@11.15.0` still declares `dompurify@^3.3.1` — that range happily includes `3.4.4`, so a `mermaid` bump (if one existed) does not move us off the vulnerable version. Pin via override, same pattern that already lives in `package.json` for `axios`, `tmp`, `esbuild`, etc. ## What lands | File | Change | | --- | --- | | `package.json` | One line added to `pnpm.overrides`: `"dompurify@<3.4.5": ">=3.4.5"`. | | `pnpm-lock.yaml` | `dompurify@3.4.4` → `dompurify@3.4.7` resolved (the current latest in the `>=3.4.5` window mermaid will accept). Net delta is minimal (+10 / -5 lines, single transitive bump). | ## Risk Patch range bump on a tiny utility lib with a stable API. `3.4.5`, `3.4.6`, `3.4.7` are all sanitisation-only fixes per the changelog. Mermaid is the only consumer; it uses the documented `DOMPurify.sanitize` surface which has not changed. ## Test plan - [x] `pnpm audit --audit-level=moderate` → `No known vulnerabilities found` (exit 0). - [x] `pnpm why dompurify` shows a single resolved `dompurify@3.4.7` under both `mermaid` and `vitepress-plugin-mermaid` (no duplicate). - [ ] CI green on Gitea (`check` + `scan` + `audit` jobs). - [ ] Docs site (`pnpm docs:build`) builds; a page with a mermaid diagram renders correctly. - [ ] Charts lib and any in-app mermaid surface render unchanged. ## Related - [GHSA-87xg-pxx2-7hvx](https://github.com/advisories/GHSA-87xg-pxx2-7hvx) — the advisory. - PR #240 (`chore(deps): bump tmp override to >=0.2.6`) — the same pattern this PR mirrors. - [ADR-0022](docs/decisions/0022-docs-site-vitepress.md) — VitePress + mermaid pipeline, the consumer. - [ADR-0023](docs/decisions/0023-charts-d3-observable-plot.md) — in-app charts, also goes through the same mermaid wrapper in places. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #267
This commit was merged in pull request #267.
This commit is contained in:
@@ -45,6 +45,7 @@
|
|||||||
"axios@<1.15.2": ">=1.15.2",
|
"axios@<1.15.2": ">=1.15.2",
|
||||||
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
|
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
|
||||||
"brace-expansion@<5.0.6": ">=5.0.6",
|
"brace-expansion@<5.0.6": ">=5.0.6",
|
||||||
|
"dompurify@<3.4.5": ">=3.4.5",
|
||||||
"esbuild@<0.25.0": ">=0.25.0",
|
"esbuild@<0.25.0": ">=0.25.0",
|
||||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||||
"ip-address@<10.1.1": ">=10.1.1",
|
"ip-address@<10.1.1": ">=10.1.1",
|
||||||
|
|||||||
Generated
+5
-5
@@ -8,6 +8,7 @@ overrides:
|
|||||||
axios@<1.15.2: '>=1.15.2'
|
axios@<1.15.2: '>=1.15.2'
|
||||||
'@angular-devkit/core>ajv@<8.18.0': '>=8.18.0'
|
'@angular-devkit/core>ajv@<8.18.0': '>=8.18.0'
|
||||||
brace-expansion@<5.0.6: '>=5.0.6'
|
brace-expansion@<5.0.6: '>=5.0.6'
|
||||||
|
dompurify@<3.4.5: '>=3.4.5'
|
||||||
esbuild@<0.25.0: '>=0.25.0'
|
esbuild@<0.25.0: '>=0.25.0'
|
||||||
follow-redirects@<1.16.0: '>=1.16.0'
|
follow-redirects@<1.16.0: '>=1.16.0'
|
||||||
ip-address@<10.1.1: '>=10.1.1'
|
ip-address@<10.1.1: '>=10.1.1'
|
||||||
@@ -6924,9 +6925,8 @@ packages:
|
|||||||
resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
|
resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
|
||||||
engines: {node: '>= 4'}
|
engines: {node: '>= 4'}
|
||||||
|
|
||||||
dompurify@3.4.4:
|
dompurify@3.4.7:
|
||||||
resolution: {integrity: sha512-r8K7KGKEcztXfA/nfabSYB2hg9tDphORJTdf8xprN/luSLGmNhOBN8dm1/SYjqLLet6YUFEXOcrdTuwryp/Bew==}
|
resolution: {integrity: sha512-2jBxDJY4RR06tQNy4w5FlFH7kfxsQZlufd0sbv+chfHCxeJwrFw2baUDsSwvBISD4K4RDbd0PTfy3uNXsR6siA==}
|
||||||
deprecated: Fixed a security issue introduced in 3.4.4
|
|
||||||
|
|
||||||
domutils@3.2.2:
|
domutils@3.2.2:
|
||||||
resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
|
resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
|
||||||
@@ -19344,7 +19344,7 @@ snapshots:
|
|||||||
dependencies:
|
dependencies:
|
||||||
domelementtype: 2.3.0
|
domelementtype: 2.3.0
|
||||||
|
|
||||||
dompurify@3.4.4:
|
dompurify@3.4.7:
|
||||||
optionalDependencies:
|
optionalDependencies:
|
||||||
'@types/trusted-types': 2.0.7
|
'@types/trusted-types': 2.0.7
|
||||||
|
|
||||||
@@ -21553,7 +21553,7 @@ snapshots:
|
|||||||
d3-sankey: 0.12.3
|
d3-sankey: 0.12.3
|
||||||
dagre-d3-es: 7.0.14
|
dagre-d3-es: 7.0.14
|
||||||
dayjs: 1.11.21
|
dayjs: 1.11.21
|
||||||
dompurify: 3.4.4
|
dompurify: 3.4.7
|
||||||
es-toolkit: 1.46.1
|
es-toolkit: 1.46.1
|
||||||
katex: 0.16.47
|
katex: 0.16.47
|
||||||
khroma: 2.1.0
|
khroma: 2.1.0
|
||||||
|
|||||||
Reference in New Issue
Block a user