Skip to content

Chore(deps): Bump dompurify from 3.4.6 to 3.4.10#8080

Open
dependabot[bot] wants to merge 1 commit into
stable34from
dependabot/npm_and_yarn/stable34/dompurify-3.4.8
Open

Chore(deps): Bump dompurify from 3.4.6 to 3.4.10#8080
dependabot[bot] wants to merge 1 commit into
stable34from
dependabot/npm_and_yarn/stable34/dompurify-3.4.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps dompurify from 3.4.6 to 3.4.10.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly
Commits

@dependabot dependabot Bot mentioned this pull request Jun 20, 2026
Closed
@dependabot
Chore(deps): Bump dompurify from 3.4.6 to 3.4.10
f9358c0 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.6 to 3.4.10.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.6...3.4.10)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Chore(deps): Bump dompurify from 3.4.6 to 3.4.8 Chore(deps): Bump dompurify from 3.4.6 to 3.4.10 Jun 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/stable34/dompurify-3.4.8 branch from 175921b to f9358c0 Compare June 23, 2026 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@luka-nextcloud luka-nextcloud Awaiting requested review from luka-nextcloud luka-nextcloud is a code owner

@grnd-alt grnd-alt Awaiting requested review from grnd-alt grnd-alt is a code owner

Assignees

No one assigned

Labels

3. to review dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants