Skip to content

fix(deps): update dependency isomorphic-dompurify to v3#9139

Merged
BacLuc merged 1 commit intodevelfrom
renovate/isomorphic-dompurify-3.x
Mar 21, 2026
Merged

fix(deps): update dependency isomorphic-dompurify to v3#9139
BacLuc merged 1 commit intodevelfrom
renovate/isomorphic-dompurify-3.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Feb 28, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
isomorphic-dompurify 2.36.03.3.0 age confidence

Release Notes

kkomelin/isomorphic-dompurify (isomorphic-dompurify)

v3.3.0: : Updated dependencies

Compare Source

What's Changed

Full Changelog: kkomelin/isomorphic-dompurify@3.2.0...3.3.0

v3.2.0: : Updated dependencies

Compare Source

What's Changed

  • chore(deps): bump dompurify from 3.3.2 to 3.3.3

Full Changelog: kkomelin/isomorphic-dompurify@3.1.0...3.2.0

v3.1.0: : Updated dependencies

Compare Source

What's Changed

Full Changelog: kkomelin/isomorphic-dompurify@3.0.0...3.1.0

v3.0.0: : ESM Support + Memory Leak Fix for Long-Running Server Processes

Compare Source

isomorphic-dompurify v3.0.0

ESM Support

The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

// ESM — now works natively
import DOMPurify, { sanitize } from "isomorphic-dompurify";

// CJS — still works
const DOMPurify = require("isomorphic-dompurify");

Memory Leak Fix for Long-Running Server Processes

New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#​368).

import { sanitize, clearWindow } from "isomorphic-dompurify";

// Call clearWindow() when you want to release accumulated DOM state,
// e.g. periodically, after a batch, or per-request in a server:
app.use((req, res, next) => {
  res.on("finish", () => clearWindow());
  next();
});

Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

Breaking Changes

  • Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
  • global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#​324).
  • Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
  • Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
  • Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer supported.

Issues Fixed

  • #​368 — Memory leak and progressive slowdown in long-running Node.js processes
  • #​163 — ESM support
  • #​324 — Security concern with global.DOMPurify
  • #​353lru-cache ESM resolution errors in Nuxt/Nitro builds
  • #​350 — Build error with Astro + Cloudflare adapter
  • #​203 — Build error in Angular Universal

Issues Mitigated

  • #​330, #​349createWindow TypeError in Next.js 15 (jsdom is now external, reducing bundler conflicts)
  • #​356webidl-conversions error in Node.js 22 + Next.js
  • #​54canvas resolution error in serverless environments

Internal Changes

  • Source rewritten in TypeScript
  • Build toolchain switched from terser to tsup (dual CJS/ESM output via esbuild)
  • Linting added via Biome with lefthook pre-commit hooks and CI enforcement
  • CI updated to actions/checkout@v4, actions/setup-node@v4, pnpm/action-setup@v4
  • Tests converted to TypeScript with expanded coverage of the wrapper API
  • jsdom updated to 28.1.0
  • Validated against Astro, Next.js, Nuxt, React, and SvelteKit via isomorphic-dompurify-playgrounds

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Feb 28, 2026
@renovate renovate bot force-pushed the renovate/isomorphic-dompurify-3.x branch from 32e5f2a to 5fc4f79 Compare March 5, 2026 18:36
@renovate renovate bot force-pushed the renovate/isomorphic-dompurify-3.x branch 2 times, most recently from 288eb3f to d79a025 Compare March 16, 2026 18:07
@renovate renovate bot force-pushed the renovate/isomorphic-dompurify-3.x branch from d79a025 to 00a4f5d Compare March 19, 2026 13:45
@BacLuc BacLuc added this pull request to the merge queue Mar 21, 2026
Merged via the queue into devel with commit c37ca5a Mar 21, 2026
57 checks passed
@BacLuc BacLuc deleted the renovate/isomorphic-dompurify-3.x branch March 21, 2026 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BacLuc BacLuc BacLuc approved these changes

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BacLuc