deps(deps): bump isomorphic-dompurify from 2.36.0 to 3.0.0

[dependabot]

Bumps isomorphic-dompurify from 2.36.0 to 3.0.0.

Release notes

Sourced from isomorphic-dompurify's releases.

3.0.0: ESM Support + Memory Leak Fix for Long-Running Server Processes

isomorphic-dompurify v3.0.0

ESM Support

The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

// ESM — now works natively
import DOMPurify, { sanitize } from "isomorphic-dompurify";
// CJS — still works
const DOMPurify = require("isomorphic-dompurify");

Memory Leak Fix for Long-Running Server Processes

New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#368).

import { sanitize, clearWindow } from "isomorphic-dompurify";
// Call clearWindow() when you want to release accumulated DOM state,
// e.g. periodically, after a batch, or per-request in a server:
app.use((req, res, next) => {
res.on("finish", () => clearWindow());
next();
});

Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

Breaking Changes

• Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
• global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#324).
• Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
• Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
• Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer supported.

Issues Fixed

• #368 — Memory leak and progressive slowdown in long-running Node.js processes
• #163 — ESM support
• #324 — Security concern with global.DOMPurify
• #353 — lru-cache ESM resolution errors in Nuxt/Nitro builds
• #350 — Build error with Astro + Cloudflare adapter
• #203 — Build error in Angular Universal

Issues Mitigated

... (truncated)

Commits

• 5b92fc4 chore: bump version to 3.0.0
• 2e6e322 chore: Updated biome config.
• 295e3a7 chore(deps-dev): bump @​biomejs/biome from 2.4.2 to 2.4.4
• 9f0e6b5 chore: bump version to 3.0.0-rc.3
• fa6b673 chore(deps): bump jsdom from 28.0.0 to 28.1.0
• f527ba7 chore: add Biome linting, lefthook pre-commit hooks, and CI lint step
• bca3171 docs: Added Playgrounds section to the readme.
• 112fd3c Merge pull request #389 from kkomelin/memory-leak
• f34f7b3 chore: untrack RELEASE_NOTES_3.0.0.md
• 4be627b fix: make removed named export delegate to current instance
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	isomorphic-dompurify@​2.36.0 ⏵ 3.0.0	+1		+23

View full report