fix(deps): bump dompurify from 3.2.4 to 3.4.11#886
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.2.4 to 3.4.11.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.4...3.4.11)
---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
✅ Deploy Preview for phillips-seldon ready!
To edit notification comments on pull requests, go to your Netlify project configuration.
davidicus
left a comment
@dependabot squash and merge
Tip: All tests passed and all changes approved! 🟢 UI Tests: 464 tests unchanged
🚀 Storybook preview is ready. • Preview: https://68b9f094608b90f3cfec5a06-xsgtbxhpzi.chromatic.com/
🏷️ Dependency Upgrade Risk Assessment:
| Version | Key Change |
|---|---|
| 3.4.5 | Fixed a sanitization bypass via the new `<selectedcontent>` HTML element (security) |
| 3.4.6 | Fixed DOM Clobbering issues in IN_PLACE mode; hardened cross-realm Shadow DOM sanitization |
| 3.4.7 | Hardened Shadow Root handling in IN_PLACE; fixed permanent hook pollution |
| 3.4.8 | Fixed Trusted Types policy handling; fixed node iterator for template scrubbing |
| 3.4.9 | Further IN_PLACE and Trusted Types improvements; added more test coverage |
| 3.4.10 | Internal refactor + performance improvements; no API changes |
| 3.4.11 | Fixed leaky config for hooks via setConfig |
No breaking API changes. Standard DOMPurify.sanitize(html, config) calls continue to work identically.
Risk Rationale
This is rated low because:
- seldon has no source code that imports or calls DOMPurify. There are zero code paths in any component, test, or utility file that invoke `DOMPurify.sanitize()` or any other DOMPurify API. The dependency is effectively unused by the library itself.
- No API-breaking changes across any of the 9 versions between 3.2.4 and 3.4.11.
- Downstream consumers are unaffected: `phillips-public-remix` uses its own independent copy of DOMPurify via `isomorphic-dompurify` and will not pick up this version change.
Regression Test Checklist
Since seldon has no direct DOMPurify usage, testing focuses on confirming the dependency update doesn't break the package build or any consumer:
- Run the full seldon test suite: `npm test`
- Build the seldon package and verify clean output: `npm run build`
- Run Storybook to confirm all components render correctly (especially any that accept `dangerouslySetInnerHTML` or raw HTML props): `npm run storybook`
- After publishing the updated seldon package, verify that `phillips-public-remix` HTML rendering components (lot descriptions, CMS content in `HTMLParser.tsx`, iframe embeds) continue to render correctly
- Run `npm audit` post-merge to confirm no newly introduced vulnerabilities
Generated by Claude Code
Bumps dompurify from 3.2.4 to 3.4.11.
Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
- 0cae518 release: 3.4.11 (#1494)
- 6ee5716 release: 3.4.10 (#1478)
- 5210247 release: 3.4.9 (#1459)
- bcdd828 release: 3.4.8 (#1439)
- ca30f07 release: 3.4.7 (#1414)
- bb7739e release: 3.4.6 (#1394)
- 011b0c7 release: 3.4.5 (#1382)
- 5817ad9 release: 3.4.4 (#1374)
- 520edb0 release: 3.4.3 (#1352)
- 6f67fd3 Sync/3.4.2 (#1322)
Install script changes
This version adds a `prepare` script that runs during installation. Review the package contents before updating.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
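The "Install script changes" warning in the Dependabot body is the part of this PR a supply-chain reviewer should check against the manifests rather than accept as a one-line summary. The Node script below is an added example (not Dependabot's, npm's or DOMPurify's code) that lists the npm lifecycle scripts declared by two package.json files and reports what was added, removed or changed between them. OLD_PKG and NEW_PKG are constructed stand-ins, not the real dompurify 3.2.4 and 3.4.11 manifests; point it at node_modules/dompurify/package.json and the candidate manifest (for example saved from `npm view dompurify@3.4.11 --json`) to get the real answer.

```javascript
'use strict';
// Added example, not Dependabot's, npm's or DOMPurify's code. Compares the npm
// lifecycle scripts declared by the installed and the candidate package.json so a
// "this version adds a prepare script" warning can be verified and scoped.
// OLD_PKG / NEW_PKG below are constructed manifests, not the real dompurify files.

// Scripts npm may run on its own around install, pack and publish.
const LIFECYCLE = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack',
  'preuninstall', 'uninstall', 'postuninstall',
];

// Per the npm scripts docs, these are the hooks a registry tarball runs on the
// consumer's machine; prepare runs for git/local sources and before pack/publish.
const CONSUMER_INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall']);

// Return only the lifecycle entries of pkg.scripts (build/test/etc. are ignored).
function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const out = {};
  for (const name of LIFECYCLE) {
    if (Object.prototype.hasOwnProperty.call(scripts, name)) out[name] = scripts[name];
  }
  return out;
}

// Diff the lifecycle scripts of two manifests; `after` is what the new version declares.
function diffLifecycleScripts(oldPkg, newPkg) {
  const before = lifecycleScripts(oldPkg);
  const after = lifecycleScripts(newPkg);
  const added = [], removed = [], changed = [];
  for (const name of LIFECYCLE) {
    const a = before[name], b = after[name];
    if (a === undefined && b !== undefined) added.push(name);
    else if (a !== undefined && b === undefined) removed.push(name);
    else if (a !== undefined && a !== b) changed.push(name);
  }
  return { added, removed, changed, after };
}

// Lifecycle scripts that would execute during a consumer's `npm install` of the tarball.
function runsOnConsumerInstall(pkg) {
  return Object.keys(lifecycleScripts(pkg)).filter((n) => CONSUMER_INSTALL_HOOKS.has(n));
}

// Constructed manifests (hypothetical contents; fetch the real ones before deciding).
const OLD_PKG = { name: 'dompurify', version: '3.2.4',
  scripts: { build: 'rollup -c', test: 'jest' } };
const NEW_PKG = { name: 'dompurify', version: '3.4.11',
  scripts: { build: 'rollup -c', test: 'jest', prepare: 'npm run build' } };

function readManifest(file) {
  return JSON.parse(require('fs').readFileSync(file, 'utf8'));
}

if (typeof require !== 'undefined' && require.main === module) {
  // node lifecycle-diff.js [old/package.json] [new/package.json]; defaults to the samples
  const [oldFile, newFile] = process.argv.slice(2);
  const oldPkg = oldFile ? readManifest(oldFile) : OLD_PKG;
  const newPkg = newFile ? readManifest(newFile) : NEW_PKG;
  console.log(JSON.stringify(diffLifecycleScripts(oldPkg, newPkg), null, 2));
  console.log('runs on consumer install:', runsOnConsumerInstall(newPkg));
}
```

The distinction the script draws matters for scoping the review: a new `prepare` script on a registry dependency is something the maintainer's own `npm publish` runs, whereas a new `postinstall` would run on every developer machine and CI runner that installs seldon. Either kind of change is a reason to look at the published tarball's contents (`npm pack dompurify@3.4.11 --dry-run` lists the files) before merging, which is what the Dependabot note asks for.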