Skip to content

chore(deps): bump dompurify from 3.4.0 to 3.4.11#9298

Merged
rllyy97 merged 2 commits into
mainfrom
dependabot/npm_and_yarn/dompurify-3.4.11
Jul 7, 2026
Merged

chore(deps): bump dompurify from 3.4.0 to 3.4.11#9298
rllyy97 merged 2 commits into
mainfrom
dependabot/npm_and_yarn/dompurify-3.4.11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Commit Type

  • chore - Maintenance/tooling
  • test - Test-related changes

Risk Level

  • Medium - Moderate changes, some user impact

What & Why

Bumps dompurify from 3.4.0 to 3.4.11 — an upstream security/maintenance release that clears the outstanding DOMPurify advisory and brings npm audit to zero.

The raw bump broke designer-ui CI because that project's vitest suite runs under happy-dom, and DOMPurify >= 3.4.11 is incompatible with happy-dom: DomPurify.sanitize() strips the outermost element (e.g. the wrapper <div> added by getDomFromHtmlEditorString). That makes firstElementChild return null, so isHtmlStringValueSafeForLexical throws Cannot read properties of null (reading 'querySelectorAll') (13 failing tests in util.spec.ts).

This was reproduced in isolation across happy-dom 15.x → 20.8.9 (all affected). jsdom and real browsers preserve the element structure for 3.4.11, so production is unaffected — only the happy-dom unit-test environment is. The fix runs that one DOM-sanitization test file under @vitest-environment jsdom (already a repo devDependency) to match production behavior. No source/production code changes.

Impact of Change

  • Users: None. Security-only dependency upgrade with no UI or runtime behavior change.
  • Developers: libs/designer-ui/src/lib/html/plugins/toolbar/helper/__test__/util.spec.ts now runs under @vitest-environment jsdom because DOMPurify 3.4.11 is incompatible with happy-dom for that path.
  • System: Lockfile/package-only dependency update; no architecture change.

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in: util.spec.ts passes 111/111 locally under jsdom with dompurify 3.4.11; happy-dom incompatibility reproduced across happy-dom 15.x–20.8.9.

Contributors

Dependency validation and test-environment fix assisted by GitHub Copilot.

Screenshots/Videos

N/A — dependency + test-environment change only.


Bumps dompurify from 3.4.0 to 3.4.11.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
Copilot AI review requested due to automatic review settings June 19, 2026 07:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump dompurify from 3.4.0 to 3.4.11
  • Issue: None — the title is clear, specific, and matches the dependency update.
  • Recommendation: No change needed.

Commit Type

  • Properly selected (chore); the PR is primarily a dependency update.
  • Note: test is also checked, which is acceptable here because the diff includes a test file update.

⚠️ Risk Level

  • The submitted risk level is Medium, which is reasonable for a dependency/security update with a test-environment adjustment.
  • Advised risk level: medium
  • I do not recommend raising or lowering it based on the current diff.

What & Why

  • Current: Clear explanation of the dependency bump, the security motivation, and the happy-dom incompatibility workaround.
  • Issue: None. This section is detailed and useful.
  • Recommendation: No change needed.

Impact of Change

  • The impact is described clearly and matches the diff.
  • Recommendation:
    • Users: Good as written; no user-facing impact is expected.
    • Developers: Good as written; the jsdom test-environment note is accurate.
    • System: Good as written; lockfile/package-only update with no architecture change.

Test Plan

  • Unit tests were updated in the diff (util.spec.ts was changed to run under jsdom), which satisfies the test-plan requirement.
  • Manual testing is also documented, and the explanation for why the environment change was necessary is clear.
  • No E2E tests are required because unit tests are present.

Contributors

  • The section is present and acceptable.
  • Recommendation: Optional only — if desired, you can mention any human contributors explicitly, but this is not required.

Screenshots/Videos

  • N/A is appropriate for this dependency/test-environment change.
  • No screenshots or videos are needed.

Summary Table

Section Status Recommendation
Title No change needed
Commit Type No change needed
Risk Level No change needed
What & Why No change needed
Impact of Change No change needed
Test Plan No change needed
Contributors Optional: add human contributor names if applicable
Screenshots/Videos No change needed

This PR passes review for title/body compliance. The advised risk level matches the submitted risk level (medium).


Last updated: Tue, 07 Jul 2026 17:56:55 GMT

@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

📊 Coverage Check

No source files changed in this PR.

@rllyy97

rllyy97 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.0 to 3.4.11.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.0...3.4.11)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…11 compat

DOMPurify >= 3.4.11 is incompatible with happy-dom: sanitize() strips the
outermost element, so getDomFromHtmlEditorString().firstElementChild is null
and isHtmlStringValueSafeForLexical throws on querySelectorAll. jsdom and real
browsers preserve the element structure, so this test file now runs under
jsdom to match production behavior and unblock the dompurify 3.4.0 -> 3.4.11 bump.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rllyy97

rllyy97 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Pushed a follow-up commit (651bb39) to unblock this bump.

Why the dompurify 3.4.0 -> 3.4.11 bump broke CI: designer-ui's util.spec.ts runs under happy-dom, and DOMPurify >= 3.4.11 is incompatible with happy-dom's DOM implementation - DomPurify.sanitize() strips the outermost element (e.g. the wrapper <div> that getDomFromHtmlEditorString adds). That makes firstElementChild return null, so isHtmlStringValueSafeForLexical throws Cannot read properties of null (reading 'querySelectorAll') (13 failing tests).

I reproduced this in isolation across happy-dom 15.x -> 20.8.9 (all affected) and confirmed jsdom and real browsers preserve the element structure for 3.4.11 - i.e. production is unaffected; only the happy-dom unit-test environment is.

Fix: run this one DOM-sanitization test file under jsdom via a @vitest-environment jsdom docblock (jsdom is already a repo devDependency). Verified locally: util.spec.ts now passes 111/111. No production/source changes.

@rllyy97 rllyy97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dompurify 3.4.11 clears the outstanding dompurify advisory. The happy-dom test incompatibility is fixed by running util.spec.ts under jsdom (verified 111/111 locally). Production behavior is unchanged. Approving.

@rllyy97 rllyy97 enabled auto-merge (squash) July 7, 2026 17:46
@rllyy97 rllyy97 merged commit 3ee5d11 into main Jul 7, 2026
39 of 41 checks passed
@rllyy97 rllyy97 deleted the dependabot/npm_and_yarn/dompurify-3.4.11 branch July 7, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code pr-validated

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants