
chore(deps): [release-1.9] bump dompurify using surgeon#3638

Open: alizard0 wants to merge 2 commits into orchestrator/release-1.9 from RHIDP-13315-2


@alizard0


It fixes CVE-2026-41240 by patching dompurify to 2.4.0 or higher.
https://redhat.atlassian.net/browse/RHIDP-13315

Running yarn install in /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator ...
CVE-2026-41240 dompurify
  patch: 3.4.0
  affected: < 3.4.0
@internal/orchestrator@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator
└─┬ app@0.0.3 -> ./packages/app
  ├─┬ @backstage/plugin-api-docs@0.13.1
  │ ├─┬ @asyncapi/react-component@2.5.1
  │ │ └─┬ isomorphic-dompurify@2.21.0
  │ │   └── dompurify@3.3.0 deduped
  │ └─┬ swagger-ui-react@5.30.0
  │   └── dompurify@3.2.6
  └─┬ @backstage/plugin-techdocs@1.16.0
    └── dompurify@3.3.0
Upgrading dependency with yarn-lockfile-surgeon → dompurify@3.4.0 ...
@internal/orchestrator@1.0.0 /Users/alizardo/Documents/engineering/github/rhdh-plugins/workspaces/orchestrator
└─┬ app@0.0.3 -> ./packages/app
  ├─┬ @backstage/plugin-api-docs@0.13.1
  │ ├─┬ @asyncapi/react-component@2.5.1
  │ │ └─┬ isomorphic-dompurify@2.21.0
  │ │   └── dompurify@3.4.0 deduped
  │ └─┬ swagger-ui-react@5.30.0
  │   └── dompurify@3.2.6
  └─┬ @backstage/plugin-techdocs@1.16.0
    └── dompurify@3.4.0
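
Added example (not part of the PR or the project's code): a check a reviewer could run over the post-upgrade tree in the description, using the `affected: < 3.4.0` range printed by the tool, to list any copy of dompurify still below the patched version and the chain that pulls it in. `findAffected` and `compareVersions` are hypothetical helper names; the tree text is copied from the output above.

```javascript
// Constructed sample: the post-upgrade tree copied from the PR description.
const POST_UPGRADE_TREE = `
└─┬ app@0.0.3 -> ./packages/app
  ├─┬ @backstage/plugin-api-docs@0.13.1
  │ ├─┬ @asyncapi/react-component@2.5.1
  │ │ └─┬ isomorphic-dompurify@2.21.0
  │ │   └── dompurify@3.4.0 deduped
  │ └─┬ swagger-ui-react@5.30.0
  │   └── dompurify@3.2.6
  └─┬ @backstage/plugin-techdocs@1.16.0
    └── dompurify@3.4.0
`;

// Compare plain x.y.z versions (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the tree text and return every copy of `pkg` older than `patched`,
// together with the dependency chain that pulls it in.
function findAffected(treeText, pkg, patched) {
  const stack = [];
  const hits = [];
  for (const line of treeText.split('\n')) {
    const m = line.match(/^([│ ]*)[├└]─[┬─] (\S+)/);
    if (!m) continue;                  // root line or blank
    const depth = m[1].length / 2;     // two columns of prefix per level
    const at = m[2].lastIndexOf('@');  // scoped names start with '@'
    if (at <= 0) continue;
    const name = m[2].slice(0, at);
    const version = m[2].slice(at + 1);
    stack.length = depth;              // drop entries from deeper branches
    stack.push(`${name}@${version}`);
    if (name === pkg && compareVersions(version, patched) < 0) {
      hits.push({ version, path: stack.join(' > ') });
    }
  }
  return hits;
}

console.log(findAffected(POST_UPGRADE_TREE, 'dompurify', '3.4.0'));
```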

@alizard0 alizard0 changed the title chore(deps): bump dompurify using surgeon chore(deps): [release-1.9] bump dompurify using surgeon Jul 1, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026
