dompurify@3.4.4 is vulnerable to XSS via the selectedcontent re-clone
path (GHSA-87xg-pxx2-7hvx). dompurify is transitive via mermaid; the
latest mermaid (11.15.0) declares dompurify@^3.3.1 — that range still
permits 3.4.4 so an upstream bump does not move us off the vulnerable
version. Add an override matching the existing pattern for axios /
tmp / esbuild / etc.
Resolved version after install: dompurify@3.4.7. Patch-range bump
on a sanitisation-only library — risk minimal.