Skip to content

chore(deps): update dependency dompurify@<3.2.4 to >=3.3.2 [security]#3050

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-dompurify-3.2.4-vulnerability
Mar 24, 2026
Merged

chore(deps): update dependency dompurify@<3.2.4 to >=3.3.2 [security]#3050
renovate[bot] merged 1 commit intomainfrom
renovate/npm-dompurify-3.2.4-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
dompurify@<3.2.4 >=3.2.4>=3.3.2 age confidence

GitHub Vulnerability Alerts

CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

DOMPurify contains a Cross-site Scripting vulnerability

CVE-2025-15599 / GHSA-v8jm-5vwx-cfxm

More information

Details

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

DOMPurify contains a Cross-site Scripting vulnerability

CVE-2026-0540 / GHSA-v2wj-7wpq-c8vv

More information

Details

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

cure53/DOMPurify (dompurify@<3.2.4)

v3.3.2: DOMPurify 3.3.2

Compare Source

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

v3.3.1: DOMPurify 3.3.1

Compare Source

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

v3.3.0: DOMPurify 3.3.0

Compare Source

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

v3.2.7: DOMPurify 3.2.7

Compare Source

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

v3.2.6: DOMPurify 3.2.6

Compare Source

v3.2.5: DOMPurify 3.2.5

Compare Source

  • Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
  • Added ESM type imports in source, removes patch function, thanks @​donmccurdy
  • Added script to verify various TypeScript configurations, thanks @​reduckted
  • Added more modern browsers to the Karma launchers list
  • Added Node 23.x to tested runtimes, removed Node 17.x
  • Fixed the generation of source maps, thanks @​reduckted
  • Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
  • Fixed a few typos in the README file

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone America/New_York.

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from a team and kongponents-bot as code owners March 24, 2026 18:00
@renovate renovate bot enabled auto-merge (squash) March 24, 2026 18:00
DariaYeremina
DariaYeremina previously approved these changes Mar 24, 2026
View reviewed changes
@renovate renovate bot changed the title chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.2.7 [security] chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.3.2 [security] Mar 24, 2026
@renovate renovate bot force-pushed the renovate/npm-dompurify-3.2.4-vulnerability branch from 5e52d95 to 9b494a7 Compare March 24, 2026 18:04
@renovate renovate bot changed the title chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.3.2 [security] chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.2.7 [security] Mar 24, 2026
@renovate renovate bot force-pushed the renovate/npm-dompurify-3.2.4-vulnerability branch from 9b494a7 to d782b5e Compare March 24, 2026 18:22
@renovate
chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.3.2 [security]
af676f7 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.2.7 [security] chore(deps): update dependency dompurify@&lt;3.2.4 to >=3.3.2 [security] Mar 24, 2026
@renovate renovate bot force-pushed the renovate/npm-dompurify-3.2.4-vulnerability branch from d782b5e to af676f7 Compare March 24, 2026 18:26
@renovate renovate bot merged commit 3c983f0 into main Mar 24, 2026
42 checks passed
@renovate renovate bot deleted the renovate/npm-dompurify-3.2.4-vulnerability branch March 24, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DariaYeremina DariaYeremina DariaYeremina approved these changes

@kongponents-bot kongponents-bot Awaiting requested review from kongponents-bot kongponents-bot is a code owner

Assignees

No one assigned

Labels

dependencies renovate-bot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DariaYeremina