Skip to content

[Snyk] Security upgrade dompurify from 3.3.0 to 3.3.2#259

Open
graymalkin77 wants to merge 1 commit intomainfrom
snyk-fix-e3fb118e2435a4129bdf64a7e00359dd
Open

[Snyk] Security upgrade dompurify from 3.3.0 to 3.3.2#259
graymalkin77 wants to merge 1 commit intomainfrom
snyk-fix-e3fb118e2435a4129bdf64a7e00359dd

Conversation

@graymalkin77
Copy link
Copy Markdown

@graymalkin77 graymalkin77 commented Mar 29, 2026

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
medium severity Cross-site Scripting (XSS)
SNYK-JS-DOMPURIFY-15810938		   658  

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

@graymalkin77
Copy link
Copy Markdown
Author

graymalkin77 commented Mar 29, 2026

Merge Risk: Medium

This is a patch upgrade that includes security fixes and bug corrections.

Highlights:

  • v3.3.2: This version addresses a potential bypass in jsdom, a prototype pollution issue, and fixes lenient configuration parsing.
  • v3.3.1: This version extended the ADD_FORBID_CONTENTS setting and corrected the ESM import syntax.

Potential Impact:
The fix for "lenient config parsing in _isValidAttribute" in version 3.3.2 introduces stricter validation. While this is a bug fix, it could be a behavioral change for any implementation that was unintentionally relying on the previous, more lenient parsing. This change warrants a medium risk assessment.

Recommendation:
Verify that any custom configurations for DOMPurify attributes are still behaving as expected after the upgrade.

Source: GitHub Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Copilot AI review requested due to automatic review settings March 29, 2026 22:36
@graymalkin77
Copy link
Copy Markdown
Author

graymalkin77 commented Mar 29, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

github-actions Bot added a commit that referenced this pull request Mar 29, 2026
@github-actions
deploy: preview for PR #259 (423c44f)
afd0b2a
Copilot AI reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Upgrades dompurify to remediate a reported XSS vulnerability in this webchat widget’s npm dependency set.

Changes:

  • Bump dompurify from 3.3.0 to 3.3.2 in package.json.
  • Update package-lock.json to install dompurify@3.3.2 (including updated tarball/integrity metadata).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Pins dompurify to 3.3.2 to address the Snyk-reported vulnerability.
package-lock.json Updates the lockfile to reflect dompurify@3.3.2 in node_modules.

kwinto added a commit that referenced this pull request Apr 17, 2026
@kwinto
chore: refresh dependencies within current majors
9f5e49e 
Lockfile refresh (no package.json change, resolved via existing caret ranges):
- @emotion/react 11.14.0, @emotion/styled 11.14.1
- @reduxjs/toolkit 2.2.7 → 2.11.2
- moment 2.30.1, react-hot-toast 2.4.1 → 2.6.0
- react-markdown 9.0.3 → 9.1.0, react-remove-scroll 2.7.2
- remark-gfm 4.0.1, @braintree/sanitize-url 6.0.4
- redux 4.2.1

Pin bumps (patch/minor, same major):
- @emotion/serialize 1.3.0 → 1.3.3
- dompurify 3.3.2 → 3.4.0 (supersedes snyk PRs #272, #261, #259, #256, #241, #233)
- react-redux 7.2.8 → 7.2.9 (supersedes snyk PRs #242, #234, #36)

Socket-client pinned at 5.0.0-beta.26 (current beta; latest tag is 4.9.2).
Major bumps deferred: @emotion/cache 10→11, react-redux →9, redux →5,
react-responsive →10, react-markdown →10, uuid →13, stylis →4,
@braintree/sanitize-url →7.

Build passes (UMD + ESM). tsc:check error count unchanged (75, pre-existing).
@kwinto kwinto mentioned this pull request Apr 17, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@graymalkin77 @snyk-bot