[safe-html-react-parser] Replace isomorphic-dompurify with custom implementation supporting flexible DOM libraries

[yujeong-jeon]

Related Issue

#202

Summary

Replace isomorphic-dompurify dependency with a custom DOMPurify implementation that supports user-chosen DOM libraries (jsdom, happy-dom, or linkedom) for better flexibility and performance optimization.

Motivation

• isomorphic-dompurify has limited flexibility and no built-in memory management
• Memory leaks can occur with heavy JSDOM usage in server-side rendering

Changes

• New file: src/utils/dompurify.ts with OptimizedDOMPurify class
  • Implements LRU cache (default 100 entries) for performance
  • Periodic DOM instance recreation (default every 1000 calls) to prevent memory leaks
  • Configurable cache size and recreation interval
• Flexible DOM support: Users can choose between:
  • jsdom - most complete, heavier (for maximum compatibility)
  • happy-dom - fast, lighter, recommended for balanced performance
  • linkedom - fastest, minimal footprint (for performance-critical apps)
• Package dependencies:
  • Moved jsdom to optional peerDependencies
  • Added happy-dom and linkedom as optional peerDependencies
  • Kept dompurify and html-react-parser in main dependencies
• API improvements:
  • Client-side: Uses browser's native window (no configuration needed)
  • Server-side: Requires explicit configuration via configureDOMPurify() or per-call options
  • Added domPurifyOptions to SafeParseOptions for per-call configuration
  • Global configuration via configureDOMPurify() function
• Documentation: Updated README with configuration examples and performance comparison table

Migration Guide

For server-side rendering, install one of the DOM implementations:

# Recommended: happy-dom (best balance)
npm install happy-dom

# Or jsdom (maximum compatibility)
npm install jsdom

# Or linkedom (maximum performance)
npm install linkedom

Then configure at app initialization:

import { configureDOMPurify } from '@naverpay/safe-html-react-parser'
import { Window } from 'happy-dom'

configureDOMPurify({
  domWindowFactory: () => new Window()
})

Or use per-call options:

safeParse(html, {
  domPurifyOptions: {
    domWindowFactory: () => new Window()
  }
})

Performance Benefits

• Caching: Reduces redundant sanitization operations
• Memory management: Prevents memory leaks from long-running servers
• User choice: Select DOM implementation based on project requirements
• Smaller bundles: Only include the DOM library you actually use

[npayfebot]

✅ Changeset detected

Latest commit: 3a166d5

@naverpay/safe-html-react-parser package have detected changes.

If no version change is needed, please add skip-detect-change to the label.

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@naverpay/safe-html-react-parser	✨ Minor

_{powered by: naverpay changeset detect-add actions}

[npayfebot]

NPM Packages

📦 @naverpay/safe-html-react-parser

Total Sizes: 4.57 kB

Total Changes: +2.99 kB (+190%) 🔍 _{(Size Increased)}

File	Status	Previous Size	Updated Size	Changed
/dist/esm/index.mjs	🛠️	667 B	712 B	+45 B (+7%)
/dist/cjs/index.js	🛠️	909 B	947 B	+38 B (+4%)
/dist/esm/utils/lru-cache.mjs	➕	-	303 B	+303 B
/dist/esm/utils/dompurify.mjs	➕	-	1.09 kB	+1.09 kB
/dist/cjs/utils/lru-cache.js	➕	-	366 B	+366 B
/dist/cjs/utils/dompurify.js	➕	-	1.15 kB	+1.15 kB

🧩 Dependency Changes

Package	Status	Previous Version	Updated Version	Bundle Size (Max)	Changed
dompurify@^3.3.0	➕	-	^3.3.0	830 kB	830 kB
isomorphic-dompurify@^2.30.1	➖	^2.30.1	-	-5.71 kB	-5.71 kB

_{powered by: naverpay size-action}

[yujeong-jeon]

/canary-publish

[npayfebot]

No changed files exist under the . path, no packages have been deployed.

[yujeong-jeon]

?

[yceffort-naver]

?

I’m sorry, this is my fault. Please take a look at this: #204 😓

[yceffort-naver]

/canary-publish

[npayfebot]

Published Canary Packages

@naverpay/safe-html-react-parser@1.1.0-canary.251118-3eea5d1

[yceffort-naver]

[yujeong-jeon]

Oh, I saw this issue late. Thank you!!

[yujeong-jeon]

/canary-publish

[npayfebot]

Published Canary Packages

@naverpay/safe-html-react-parser@1.1.0-canary.251119-26c9e51

[yceffort-naver]

How about serializing the Node to use it as a key? It seems like if there are different objects with the same content, they would be referenced by different keys. If that’s what you intended, please disregard this message.

[yujeong-jeon]

Done in 76d76a3

[yceffort-naver]

You’re only planning to use it when the –expose-gc option is available, right?

[yujeong-jeon]

That's correct. The use of global.gc() is only intended for server-side environments where the --expose-gc option is available. This is mainly to support scenarios where the package is used on the server, especially since it's open source and may be integrated in various environments.

[yceffort-naver]

Using a singleton object, it seems you won’t be able to use different settings within a single application.

[yujeong-jeon]

That's correct. The current implementation uses a singleton, so only one global configuration is supported per process.

This design was chosen to minimize memory usage and complexity (as written in the description), especially for server-side scenarios. If there’s a need to support multiple configurations at the same time, I'm open to considering multi-instance support in the future.

[yceffort-naver]

GOGOGOGO

[yujeong-jeon]

Thanks for the great review! Merging 🚀