chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx) #267
Reference in New Issue
Block a user
Delete Branch "chore/bump-dompurify-override-ghsa-87xg-pxx2-7hvx"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Add a
pnpm.overridesentry fordompurifyto cover GHSA-87xg-pxx2-7hvx — an XSS viaselectedcontentre-clone indompurify@3.4.4. Surfaced bypnpm ci:audit, same fix recipe as the priortmpadvisory (PR #240).Why this isn't an upstream upgrade
dompurifyis a transitive ofmermaid(which both the docs site VitePress plugin and the in-app diagrams use). The latestmermaid@11.15.0still declaresdompurify@^3.3.1— that range happily includes3.4.4, so amermaidbump (if one existed) does not move us off the vulnerable version. Pin via override, same pattern that already lives inpackage.jsonforaxios,tmp,esbuild, etc.What lands
package.jsonpnpm.overrides:"dompurify@<3.4.5": ">=3.4.5".pnpm-lock.yamldompurify@3.4.4→dompurify@3.4.7resolved (the current latest in the>=3.4.5window mermaid will accept). Net delta is minimal (+10 / -5 lines, single transitive bump).Risk
Patch range bump on a tiny utility lib with a stable API.
3.4.5,3.4.6,3.4.7are all sanitisation-only fixes per the changelog. Mermaid is the only consumer; it uses the documentedDOMPurify.sanitizesurface which has not changed.Test plan
pnpm audit --audit-level=moderate→No known vulnerabilities found(exit 0).pnpm why dompurifyshows a single resolveddompurify@3.4.7under bothmermaidandvitepress-plugin-mermaid(no duplicate).check+scan+auditjobs).pnpm docs:build) builds; a page with a mermaid diagram renders correctly.Related
chore(deps): bump tmp override to >=0.2.6) — the same pattern this PR mirrors.