
chore(deps): bump dompurify 3.2.4→3.3.1 and @types/dompurify 3.0.5→3.2.0 #8883

Merged
ccastrotrejo merged 2 commits into main from dependabot/npm_and_yarn/multi-9171c78bff
Mar 5, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 4, 2026

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

Bumps dompurify from 3.2.4 to 3.3.1 and @types/dompurify from 3.0.5 to 3.2.0. These dependencies needed to be updated together.

Key changes in dompurify 3.2.5–3.3.1:

  • Security: Stricter mXSS detection regex, improved handling of risky content inside CDATA elements, better regex for raw-text elements (textareas), better config hardening against prototype pollution, better check for animated href attributes
  • Features: ADD_FORBID_CONTENTS setting to extend default list, ADD_ATTR/ADD_TAGS accept functions, SVG mask-type attribute added to default allow-list, matrix: added as allowed URI scheme
  • Fixes: slot element in both SVG and HTML allow-list, ALLOWED_URI_REGEXP with g flag, ESM import syntax corrections
  • Types: @types/dompurify@3.2.0 is now a stub — dompurify provides its own type definitions

Impact of Change

  • Users: No user-facing changes. DOMPurify is used internally for HTML sanitization.
  • Developers: @types/dompurify is now a stub package since dompurify ships its own types starting v3.x. This may affect type imports in the future but is backwards compatible.
  • System: Improved XSS protection through stricter sanitization. No API breaking changes.

Files changed (3):

| File | Change |
| --- | --- |
| libs/a2a-core/package.json | Updated dompurify to 3.3.1, @types/dompurify to 3.2.0 |
| libs/designer-ui/package.json | Updated dompurify to 3.3.1, @types/dompurify to 3.2.0 |
| pnpm-lock.yaml | Lockfile regenerated with updated dependency resolutions |

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in: CI pipeline — existing unit and E2E tests validate no regressions from the dependency bump

Contributors

Bumps [dompurify](https://github.com/cure53/DOMPurify) and [@types/dompurify](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/dompurify). These dependencies needed to be updated together.

Updates `dompurify` from 3.2.4 to 3.3.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.4...3.3.1)

Updates `@types/dompurify` from 3.0.5 to 3.2.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/dompurify)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.3.1
  dependency-type: direct:production
- dependency-name: "@types/dompurify"
  dependency-version: 3.2.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 4, 2026

github-actions bot commented Mar 4, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump dompurify 3.2.4→3.3.1 and @types/dompurify 3.0.5→3.2.0
  • Issue: None — the title is clear, follows conventional commit style, and describes the exact dependency updates.
  • Recommendation: No change required.

Commit Type

  • Properly selected (chore).
  • Only one commit type is selected, which is correct for an automated dependency bump PR.

Risk Level

  • The PR body marks Risk Level as Low and the PR has the risk:low label.
  • Assessment: The advised risk level generated from the diff is also low (only package.json and lockfile updates for a minor dependency bump). No discrepancy.

What & Why

  • Current: Bumps dompurify from 3.2.4 → 3.3.1 and @types/dompurify from 3.0.5 → 3.2.0 with notes on security fixes, features, and types change.
  • Issue: None — the explanation is brief and includes key changes and rationale.
  • Recommendation: Optional: you may mention whether any code paths import types from @types/dompurify directly and whether removal of the devDependency will be considered (see note below).

Impact of Change

  • Impact section is present and adequate.
  • Recommendation: (short suggestions to improve clarity)
    • Users: No user-facing changes — keep as-is.
    • Developers: Note that @types/dompurify is a stub and dompurify now ships its own types; consider whether the devDependency can be removed in a follow-up to avoid confusion.
    • System: CI/pass/fail expectation is already mentioned; ensure CI completes successfully before merge.

Test Plan

  • Assessment: The PR marks Manual testing completed and indicates existing CI/unit/E2E tests validate no regressions. The code diff shows only dependency and lockfile changes (no application code), so adding tests is not required.
  • Recommendation: Ensure the CI run completes cleanly. If any manual steps were executed (e.g., local build/test), add a one-line note about them for traceability.

Contributors

  • The automated contributor (@dependabot[bot]) is listed in Contributors.
  • Recommendation: If a human reviewed/approved or enabled auto-merge, consider adding them to Contributors (optional).

⚠️ Screenshots/Videos

  • Not applicable for this dependency-only change.
  • No action needed.

Summary Table

| Section | Status | Recommendation |
| --- | --- | --- |
| Title | | No change required. |
| Commit Type | | Correctly selected chore. |
| Risk Level | | risk:low label matches advised risk (low). |
| What & Why | | Good. Optionally note whether type imports rely on @types to plan removal. |
| Impact of Change | | Good. Consider follow-up to remove @types/dompurify since dompurify provides types. |
| Test Plan | | CI-based validation noted; ensure CI passes before merging. |
| Contributors | | Dependabot present. Add human reviewer if applicable. |
| Screenshots/Videos | ⚠️ | Not applicable for this PR. |

Final notes:

  • This PR is appropriate as-is and passes the PR title/body checks. The advised risk level generated from the diff is "low", which matches the PR's selected/labelled risk.
  • One actionable suggestion: since dompurify now provides its own TypeScript definitions (as you already note), consider removing the @types/dompurify devDependency in a follow-up or explicitly note in this PR whether you plan to keep or remove it. The diff shows @types/dompurify updated to 3.2.0 and the lockfile marks it as a stub; removing it may slightly reduce maintenance/confusion.
  • Please wait for CI to finish and ensure all pipelines pass before merging.

Please update only if you want to remove @types/dompurify now or to add a note describing any manual verification steps performed locally. Otherwise this PR can be merged once CI is green. Thank you!


Last updated: Thu, 05 Mar 2026 17:28:28 GMT
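The dependabot body notes that @types/dompurify is now a stub because dompurify ships its own declarations, and the validation report above suggests dropping that devDependency in a follow-up. Both come down to one repeatable check: which `@types/*` entries in a manifest duplicate types the runtime package already provides. The script below is an added example, not code from this repository, from dependabot or from DOMPurify. The package.json contents are constructed samples, and the stub rule it applies (the @types package has no `types`/`typings` field of its own and depends on the runtime package) is a heuristic assumption, not a documented DefinitelyTyped contract.

```javascript
// Added example (not from the repository or from dependabot): flag `@types/<name>`
// devDependencies whose runtime package `<name>` already ships TypeScript declarations.
// Every manifest below is a constructed sample, not the real package.json of any project.

// Constructed project manifest after a bump like the one in this PR.
const PROJECT_MANIFEST = {
  name: "sample-lib",
  dependencies: { dompurify: "3.3.1", "left-pad": "1.3.0" },
  devDependencies: {
    "@types/dompurify": "3.2.0",
    "@types/left-pad": "1.3.0",
    typescript: "5.4.0",
  },
};

// Constructed samples standing in for node_modules/<pkg>/package.json.
const INSTALLED = {
  dompurify: { name: "dompurify", version: "3.3.1", types: "dist/purify.d.ts" },
  "left-pad": { name: "left-pad", version: "1.3.0", main: "index.js" },
  // Assumed shape of a DefinitelyTyped stub: no declaration file, depends on the runtime package.
  "@types/dompurify": { name: "@types/dompurify", version: "3.2.0", dependencies: { dompurify: "*" } },
  "@types/left-pad": { name: "@types/left-pad", version: "1.3.0", types: "index.d.ts" },
};

// True when a runtime package advertises its own declarations via `types`/`typings`,
// or (heuristic) via a "types" condition somewhere in its `exports` map.
function shipsOwnTypes(manifest) {
  if (!manifest) return false;
  if (manifest.types || manifest.typings) return true;
  const exp = manifest.exports;
  return !!exp && typeof exp === "object" && JSON.stringify(exp).includes('"types"');
}

// Heuristic (assumption): a stub @types package has no declaration entry of its own
// and merely depends on the runtime package it used to describe.
function looksLikeStub(typesManifest, baseName) {
  if (!typesManifest) return false;
  const deps = typesManifest.dependencies || {};
  return !typesManifest.types && !typesManifest.typings && baseName in deps;
}

// Map "@types/scope__pkg" to "@scope/pkg" and "@types/pkg" to "pkg".
function basePackageName(typesPackage) {
  const rest = typesPackage.slice("@types/".length);
  return rest.includes("__") ? "@" + rest.replace("__", "/") : rest;
}

// Returns one finding per @types devDependency that is redundant: either the runtime
// package ships its own types, or the @types package itself looks like a stub.
function findRedundantTypeStubs(project, installed) {
  const devDeps = project.devDependencies || {};
  const allDeps = { ...(project.dependencies || {}), ...devDeps };
  const findings = [];
  for (const name of Object.keys(devDeps)) {
    if (!name.startsWith("@types/")) continue;
    const base = basePackageName(name);
    if (!(base in allDeps)) continue; // @types for a package not in use: out of scope here
    const baseShipsTypes = shipsOwnTypes(installed[base]);
    const typesIsStub = looksLikeStub(installed[name], base);
    if (baseShipsTypes || typesIsStub) {
      findings.push({ typesPackage: name, basePackage: base, baseShipsTypes, typesIsStub });
    }
  }
  return findings;
}

console.log(JSON.stringify(findRedundantTypeStubs(PROJECT_MANIFEST, INSTALLED), null, 2));
```

Run it with node against the embedded samples: it reports `@types/dompurify` as redundant on both grounds and leaves `@types/left-pad` alone, since that sample runtime package declares no types. To apply it to a real checkout, replace the constructed objects with the parsed `package.json` of the project and of each `node_modules/<pkg>`.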


github-actions bot commented Mar 4, 2026

📊 Coverage Check

No source files changed in this PR.

@ccastrotrejo ccastrotrejo changed the title from "chore(deps): bump dompurify and @types/dompurify" to "chore(deps): bump dompurify 3.2.4→3.3.1 and @types/dompurify 3.0.5→3.2.0" Mar 5, 2026
@ccastrotrejo ccastrotrejo added the risk:low (Low risk change with minimal impact) label Mar 5, 2026
@ccastrotrejo ccastrotrejo enabled auto-merge (squash) March 5, 2026 16:49
@ccastrotrejo ccastrotrejo merged commit a02e50d into main Mar 5, 2026
12 of 13 checks passed
@ccastrotrejo ccastrotrejo deleted the dependabot/npm_and_yarn/multi-9171c78bff branch March 5, 2026 17:39