chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx) #267

Merged
julien merged 1 commits from chore/bump-dompurify-override-ghsa-87xg-pxx2-7hvx into main 2026-06-02 12:22:04 +02:00
Owner

Summary

Add a pnpm.overrides entry for dompurify to cover GHSA-87xg-pxx2-7hvx — an XSS via selectedcontent re-clone in dompurify@3.4.4. Surfaced by pnpm ci:audit, same fix recipe as the prior tmp advisory (PR #240).

Why this isn't an upstream upgrade

dompurify is a transitive of mermaid (which both the docs site VitePress plugin and the in-app diagrams use). The latest mermaid@11.15.0 still declares dompurify@^3.3.1 — that range happily includes 3.4.4, so a mermaid bump (if one existed) does not move us off the vulnerable version. Pin via override, same pattern that already lives in package.json for axios, tmp, esbuild, etc.

What lands

File Change
package.json One line added to pnpm.overrides: "dompurify@<3.4.5": ">=3.4.5".
pnpm-lock.yaml dompurify@3.4.4dompurify@3.4.7 resolved (the current latest in the >=3.4.5 window mermaid will accept). Net delta is minimal (+10 / -5 lines, single transitive bump).

Risk

Patch range bump on a tiny utility lib with a stable API. 3.4.5, 3.4.6, 3.4.7 are all sanitisation-only fixes per the changelog. Mermaid is the only consumer; it uses the documented DOMPurify.sanitize surface which has not changed.

Test plan

  • pnpm audit --audit-level=moderateNo known vulnerabilities found (exit 0).
  • pnpm why dompurify shows a single resolved dompurify@3.4.7 under both mermaid and vitepress-plugin-mermaid (no duplicate).
  • CI green on Gitea (check + scan + audit jobs).
  • Docs site (pnpm docs:build) builds; a page with a mermaid diagram renders correctly.
  • Charts lib and any in-app mermaid surface render unchanged.

Related

  • GHSA-87xg-pxx2-7hvx — the advisory.
  • PR #240 (chore(deps): bump tmp override to >=0.2.6) — the same pattern this PR mirrors.
  • ADR-0022 — VitePress + mermaid pipeline, the consumer.
  • ADR-0023 — in-app charts, also goes through the same mermaid wrapper in places.
## Summary Add a `pnpm.overrides` entry for `dompurify` to cover [GHSA-87xg-pxx2-7hvx](https://github.com/advisories/GHSA-87xg-pxx2-7hvx) — an XSS via `selectedcontent` re-clone in `dompurify@3.4.4`. Surfaced by `pnpm ci:audit`, same fix recipe as the prior `tmp` advisory (PR #240). ## Why this isn't an upstream upgrade `dompurify` is a transitive of `mermaid` (which both the docs site VitePress plugin and the in-app diagrams use). The latest `mermaid@11.15.0` still declares `dompurify@^3.3.1` — that range happily includes `3.4.4`, so a `mermaid` bump (if one existed) does not move us off the vulnerable version. Pin via override, same pattern that already lives in `package.json` for `axios`, `tmp`, `esbuild`, etc. ## What lands | File | Change | | --- | --- | | `package.json` | One line added to `pnpm.overrides`: `"dompurify@<3.4.5": ">=3.4.5"`. | | `pnpm-lock.yaml` | `dompurify@3.4.4` → `dompurify@3.4.7` resolved (the current latest in the `>=3.4.5` window mermaid will accept). Net delta is minimal (+10 / -5 lines, single transitive bump). | ## Risk Patch range bump on a tiny utility lib with a stable API. `3.4.5`, `3.4.6`, `3.4.7` are all sanitisation-only fixes per the changelog. Mermaid is the only consumer; it uses the documented `DOMPurify.sanitize` surface which has not changed. ## Test plan - [x] `pnpm audit --audit-level=moderate` → `No known vulnerabilities found` (exit 0). - [x] `pnpm why dompurify` shows a single resolved `dompurify@3.4.7` under both `mermaid` and `vitepress-plugin-mermaid` (no duplicate). - [ ] CI green on Gitea (`check` + `scan` + `audit` jobs). - [ ] Docs site (`pnpm docs:build`) builds; a page with a mermaid diagram renders correctly. - [ ] Charts lib and any in-app mermaid surface render unchanged. ## Related - [GHSA-87xg-pxx2-7hvx](https://github.com/advisories/GHSA-87xg-pxx2-7hvx) — the advisory. - PR #240 (`chore(deps): bump tmp override to >=0.2.6`) — the same pattern this PR mirrors. - [ADR-0022](docs/decisions/0022-docs-site-vitepress.md) — VitePress + mermaid pipeline, the consumer. - [ADR-0023](docs/decisions/0023-charts-d3-observable-plot.md) — in-app charts, also goes through the same mermaid wrapper in places.
julien added 1 commit 2026-06-02 12:21:49 +02:00
chore(deps): bump dompurify override to >=3.4.5 (GHSA-87xg-pxx2-7hvx)
CI / commits (pull_request) Successful in 2m43s
CI / scan (pull_request) Successful in 3m4s
CI / check (pull_request) Successful in 5m6s
CI / a11y (pull_request) Successful in 2m8s
Docs site / build (pull_request) Successful in 2m24s
CI / perf (pull_request) Successful in 5m11s
a62093155e
dompurify@3.4.4 is vulnerable to XSS via the selectedcontent re-clone
path (GHSA-87xg-pxx2-7hvx). dompurify is transitive via mermaid; the
latest mermaid (11.15.0) declares dompurify@^3.3.1 — that range still
permits 3.4.4 so an upstream bump does not move us off the vulnerable
version. Add an override matching the existing pattern for axios /
tmp / esbuild / etc.

Resolved version after install: dompurify@3.4.7. Patch-range bump
on a sanitisation-only library — risk minimal.
julien merged commit c97f250836 into main 2026-06-02 12:22:04 +02:00
julien deleted branch chore/bump-dompurify-override-ghsa-87xg-pxx2-7hvx 2026-06-02 12:22:08 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#267