
build(deps): bump github/codeql-action from 4.35.1 to 4.35.2#1288

Merged
cure53 merged 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4.35.2
Apr 18, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Bumps github/codeql-action from 4.35.1 to 4.35.2.

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

... (truncated)

Commits
  • 95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
  • 6f31bfe Update changelog for v4.35.2
  • d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
  • 60abb65 Add changelog note
  • 5a0a562 Update default bundle to codeql-bundle-v2.25.2
  • 6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
  • 3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
  • f1c3393 Rebuild
  • 1024fc4 Rebuild
  • 9dd4cfe Bump the npm-minor group across 1 directory with 6 updates
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...95e58e9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Apr 17, 2026
@dependabot dependabot Bot requested a review from x00mario as a code owner April 17, 2026 22:03
@cure53 cure53 merged commit 9b36c07 into main Apr 18, 2026
10 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/github/codeql-action-4.35.2 branch April 18, 2026 11:22
cure53 added a commit that referenced this pull request Apr 30, 2026
* build(deps): bump @tootallnate/once and jsdom (#1214)

Removes [@tootallnate/once](https://github.com/TooTallNate/once). It's no longer used after updating ancestor dependency [jsdom](https://github.com/jsdom/jsdom). These dependencies need to be updated together.


Removes `@tootallnate/once`

Updates `jsdom` from 20.0.3 to 28.1.0
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@20.0.3...28.1.0)

---
updated-dependencies:
- dependency-name: "@tootallnate/once"
  dependency-version: 
  dependency-type: indirect
- dependency-name: jsdom
  dependency-version: 28.1.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump serialize-javascript and @rollup/plugin-terser (#1213)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.


Updates `serialize-javascript` from 6.0.2 to 7.0.4
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.4)

Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.4
  dependency-type: indirect
- dependency-name: "@rollup/plugin-terser"
  dependency-version: 1.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: Fixed a problem with the type definition patcher after Node version bump

* build(deps-dev): bump undici from 7.23.0 to 7.24.1 (#1216)

Bumps [undici](https://github.com/nodejs/undici) from 7.23.0 to 7.24.1.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.23.0...v7.24.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.24.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#1218)

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2.
- [Commits](WebReflection/flatted@v3.4.1...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test: Added more browser launchers to stay up-to-date

* test: Testing whether the Browser Stack "latest" labels work

* test: Expanded range of tested Node versions into both directions

* fix: Removed Node 26 test target again, not available yet

* fix: Removed Node 16 test target as it breaks

* Update README.md (#1222)

* build(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 (#1223)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.4 to 7.0.5.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v7.0.4...v7.0.5)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump lodash from 4.17.23 to 4.18.1 (#1228)

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#1225)

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Create scorecard.yml

* fix: FORBID_TAGS must win over ADD_TAGS function predicate (#1230)

Mirrors the FORBID_ATTR early-exit pattern (c361baa, line 1214) for
FORBID_TAGS. When EXTRA_ELEMENT_HANDLING.tagCheck is a function that
returns true, the short-circuit evaluation previously skipped the
FORBID_TAGS check, allowing forbidden elements through.

Moves FORBID_TAGS[tagName] to an OR at the top of the condition so the
removal block is always entered for forbidden tags regardless of the
tagCheck predicate result.

* Update build-and-test.yml

* [StepSecurity] Apply security best practices (#1231)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* build(deps-dev): bump jsdom from 28.1.0 to 29.0.2 (#1240)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 28.1.0 to 29.0.2.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v28.1.0...v29.0.2)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump rollup-plugin-dts from 6.4.0 to 6.4.1 (#1239)

Bumps [rollup-plugin-dts](https://github.com/Swatinem/rollup-plugin-dts) from 6.4.0 to 6.4.1.
- [Changelog](https://github.com/Swatinem/rollup-plugin-dts/blob/master/CHANGELOG.md)
- [Commits](Swatinem/rollup-plugin-dts@v6.4.0...v6.4.1)

---
updated-dependencies:
- dependency-name: rollup-plugin-dts
  dependency-version: 6.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump cross-env from 7.0.3 to 10.1.0 (#1238)

Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
- [Release notes](https://github.com/kentcdodds/cross-env/releases)
- [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
- [Commits](kentcdodds/cross-env@v7.0.3...v10.1.0)

---
updated-dependencies:
- dependency-name: cross-env
  dependency-version: 10.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.1 (#1237)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.1 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@4cec3d8...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump @rollup/plugin-node-resolve from 15.3.1 to 16.0.3 (#1236)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 15.3.1 to 16.0.3.
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve)

---
updated-dependencies:
- dependency-name: "@rollup/plugin-node-resolve"
  dependency-version: 16.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1235)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...4eaacf0)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/checkout from 4.2.2 to 6.0.2 (#1234)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.2.2...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump @babel/preset-env from 7.29.0 to 7.29.2 (#1233)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.29.0 to 7.29.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-preset-env)

---
updated-dependencies:
- dependency-name: "@babel/preset-env"
  dependency-version: 7.29.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#1232)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3.35.1...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added CONTRIBUTIONS.md

* chore: Regenerated dist versions

* fix: added osv-scanner.toml to ignore flagged deps

* chore: update build-and-test.yml to get rid of a warning

* docs: update README.md with OSF results

* docs: update build-and-test.yml name

* docs: update README.md badges

* test: removed nine really old browsers from karma tests

* fix: apply SAFE_FOR_TEMPLATES scrub in RETURN_DOM path (#1241)

The RETURN_DOM path returns before the final template expression
scrub, allowing split mustache expressions to reconstruct after
element removal. Normalize adjacent text nodes and scrub body
before building the return node.

Co-authored-by: Developer <dev@devcontainer.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: prevent ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls (#1242)

When sanitize() is called with ADD_ATTR or ADD_TAGS as a function, the
function reference is stored in EXTRA_ELEMENT_HANDLING. A subsequent call
that passes ADD_ATTR/ADD_TAGS as an array did not clear the stored function
because objectHasOwnProperty(cfg, 'ADD_ATTR') returned true, skipping the
conditional reset.

The leaked function is evaluated before URI/tag checks, so a permissive
function (returning true) lets dangerous attributes (e.g. javascript: URIs)
or forbidden tags (e.g. iframe) through on later calls.

Fix: unconditionally reset tagCheck/attributeCheck to null on every
_parseConfig() call, then only set them if the current config provides a
function. This ensures no cross-call leakage.

Includes regression tests for both ADD_ATTR and ADD_TAGS leakage scenarios.

* test: reduced number of tested browsers again to be at 24

* Fix mathML attributes (#1243)

* test: reducing BS browser array once more to get unstuck

* test: temporarily reduced browser test array to four main items :-(

* build(deps-dev): bump eslint-config-prettier from 8.10.2 to 10.1.8 (#1244)

Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.2 to 10.1.8.
- [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-config-prettier/commits/v10.1.8)

---
updated-dependencies:
- dependency-name: eslint-config-prettier
  dependency-version: 10.1.8
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump rollup from 3.30.0 to 4.60.1 (#1246)

Bumps [rollup](https://github.com/rollup/rollup) from 3.30.0 to 4.60.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v3.30.0...v4.60.1)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#1249)

Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test: carefully expanded array of tested BS browsers again

* test: experimenting with new BS config to avoid the freezes
test: removed two Safari versions as they might be the cause
docs: updated version numbers for upcoming release

* test: reverted to old BS config values as they worked better

* Update LICENSE (#1254)

* test: added three more browsers to test array (OSX, mobile)

* Update karma.custom-launchers.config.js (#1256)

* docs: updated list of contributors and fixed some outdated docs (#1257)

* Update README.md (#1258)

* test: added first scaffold for a simple data type and config fuzzer

* test: added first scaffold for a simple data type and config fuzzer (#1259)

* build(deps-dev): bump @rollup/plugin-babel from 6.1.0 to 7.0.0 (#1264)

Bumps [@rollup/plugin-babel](https://github.com/rollup/plugins/tree/HEAD/packages/babel) from 6.1.0 to 7.0.0.
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/babel/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/url-v7.0.0/packages/babel)

---
updated-dependencies:
- dependency-name: "@rollup/plugin-babel"
  dependency-version: 7.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump @types/node from 16.18.126 to 25.6.0 (#1262)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.126 to 25.6.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.6.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cure53 <mario@cure53.de>

* build(deps-dev): bump rollup-plugin-typescript2 from 0.36.0 to 0.37.0 (#1263)

Bumps [rollup-plugin-typescript2](https://github.com/ezolenko/rollup-plugin-typescript2) from 0.36.0 to 0.37.0.
- [Release notes](https://github.com/ezolenko/rollup-plugin-typescript2/releases)
- [Changelog](https://github.com/ezolenko/rollup-plugin-typescript2/blob/master/CHANGELOG.md)
- [Commits](ezolenko/rollup-plugin-typescript2@0.36.0...0.37.0)

---
updated-dependencies:
- dependency-name: rollup-plugin-typescript2
  dependency-version: 0.37.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cure53 <mario@cure53.de>

* test: Extended the fuzzer a bit to cover the config object

* Cure53 basic fuzzer (#1265)

* test: added first scaffold for a simple data type and config fuzzer

* test: Extended the fuzzer a bit to cover the config object

* test: expanded fuzzer test coverage for bad config values
fix: fixed several crashes caused by bad config values and data types
fix: added necessary utility messages to utils.js

* Cure53 basic fuzzer (#1266)

* test: added first scaffold for a simple data type and config fuzzer

* test: Extended the fuzzer a bit to cover the config object

* test: expanded fuzzer test coverage for bad config values
fix: fixed several crashes caused by bad config values and data types
fix: added necessary utility messages to utils.js

* fix: made the NAMESPACE config handling less crashy

* fix: added better config hardening and removed crash potentials
test: expanded test suite to cover above changes

* Update README.md

Added new badge, added `npm run test:fuzz` info

* chore(deps): bump rimraf, prettier, eslint-plugin-prettier, minimist

* style: reformat codebase with Prettier 3

* chore(test): migrate from Karma to Playwright for browser tests

Karma has been deprecated since April 2023 and has been blocking
Dependabot updates across the dev-dependency tree. This migration
replaces it with Playwright while preserving all existing test logic.

Changes:
- Replace Karma + karma-* plugin ecosystem with @playwright/test
- Add tiny zero-dep static file server for the Playwright webServer
- Add HTML runner pages for dist/purify.js and dist/purify.min.js that
  load QUnit, jQuery, DOMPurify, test-suite.js, and an ES module entry
- Add Playwright spec that drives each runner, waits for QUnit.done,
  and surfaces per-assertion failure detail on error
- Drop rollup-plugin-includepaths (was only aliasing 'purify' for Karma)
- Drop minimist (was only used by the old custom-launchers config)
- Update build-and-test.yml to install Playwright browsers and upload
  playwright-report/ artifact on failure

Unchanged:
- test/test-suite.js (2398 lines of QUnit assertions)
- test/bootstrap-test-suite.js
- test/fixtures/expect.mjs
- test/config/setup.js
- test/jsdom-node-runner.js, test/jsdom-node.js
- test/fuzz/**
- rollup.config.js, src/**, scripts/**

Browser coverage: chromium, firefox, and webkit run locally and on
non-BrowserStack CI (3 rendering engines: Blink, Gecko, WebKit).
The 28-browser BrowserStack matrix is temporarily disabled and will
be restored in a follow-up PR via browserstack-node-sdk.

Test counts verified identical pre/post migration:
911 QUnit tests × 2 suites, all passing.

* fix(test): harden test/browser/server.js against path traversal and reflected XSS

* ci(test): add cross-OS browser matrix (ubuntu + macOS + windows)

* fix: added pinning hash for dependency

* Update README.md

Updated browser test coverage info

* build: migrate rollup-plugin-typescript2 and pre-commit

Switch rollup-plugin-typescript2 → @rollup/plugin-typescript (official,
actively maintained by the Rollup team). Type declaration pipeline is
unaffected — types are generated by tsc directly, not the rollup plugin.

Switch pre-commit → husky (modern standard, zero runtime deps, actively
maintained). Hook behavior is identical: lint + build + stage dist files.
The prepare script ensures hooks install automatically on npm install.

* chore: cleaned up two ignored issues from OSV TOML file

* chore: removed some unneeded files
build: made sure npx is properly pinned and not flagged by scorecard

* chore: removed some unneeded files (#1279)

build: made sure npx is properly pinned and not flagged by scorecard

Co-authored-by: Mario Heiderich <mario.heiderich@gmail.com>

* Create CODEOWNERS (#1280)

* Update build-and-test.yml (#1282)

* build(deps): bump github/codeql-action from 4.35.1 to 4.35.2 (#1288)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...95e58e9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 (#1286)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cure53 <mario@cure53.de>

* build(deps): bump step-security/harden-runner from 2.17.0 to 2.18.0 (#1285)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.17.0 to 2.18.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f808768...6c3c2f2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cure53 <mario@cure53.de>

* build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 (#1287)

Bumps [fast-check](https://github.com/dubzzz/fast-check/tree/HEAD/packages/fast-check) from 4.6.0 to 4.7.0.
- [Release notes](https://github.com/dubzzz/fast-check/releases)
- [Changelog](https://github.com/dubzzz/fast-check/blob/main/packages/fast-check/CHANGELOG.md)
- [Commits](https://github.com/dubzzz/fast-check/commits/v4.7.0/packages/fast-check)

---
updated-dependencies:
- dependency-name: fast-check
  dependency-version: 4.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cure53 <mario@cure53.de>

* Update purify.ts (#1290)

chore: removed some risky dead code, thanks @1Jesper1

* Update config.ts (#1291)

chore: fixed a typo, thanks @1Jesper1

* Update README.md (#1292)

* build(deps-dev): bump rollup from 4.60.1 to 4.60.2 (#1294)

Bumps [rollup](https://github.com/rollup/rollup) from 4.60.1 to 4.60.2.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.60.1...v4.60.2)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.60.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update attrs.ts (#1295)

fix: removed a duplicate entry

* Cure53 code hardening (#1296)

* chore: added stronger check for HTML Custom Element tagnames
chore: added stronger check for IN_PLACE tagname types

* test: add regression and pinning tests from April 2026 review

* test: added more fuzzer properties and a negative check (#1297)

* Cure53 fuzzer update (#1298)

* test: added more fuzzer properties and a negative check
* chore: getting ready for 3.4.1 release

* Create sign-release.yml (#1303)

* Create sign-release.yml
* Create slsa-provenance.yml

* Update scorecard.yml (#1304)

* Update scorecard.yml
* Update sign-release.yml
* Update slsa-provenance.yml
* Update sign-release.yml

* Update slsa-provenance.yml (#1305)

* Update slsa-provenance.yml
* Update sign-release.yml
* Update slsa-provenance.yml

* Update scorecard.yml (#1306)

* Update scorecard.yml (#1307)

* chore: added new workflow files for a first test (#1308)

* chore: added new workflow files for a first test
* chore: adjusted the build-and-test workflow slightly
* chore: added a build-and-test-skip workflow to save on time and CPU

* Cure53 expanding tests (#1310)

* test: expanded test coverage for form clobbering and type confusions
* test: removed some outdated comments in test suite

* Update build-and-test.yml (#1311)

* build(deps): bump actions/attest-build-provenance from 2.2.3 to 4.1.0 (#1315)

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.2.3 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@c074443...a2bbfa2)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#1314)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@53b8394...48b55a0)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump sigstore/gh-action-sigstore-python from 3.2.0 to 3.3.0 (#1312)

Bumps [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/gh-action-sigstore-python@a5caf34...04cffa1)

---
updated-dependencies:
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-version: 3.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump step-security/harden-runner from 2.18.0 to 2.19.0 (#1313)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.18.0 to 2.19.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@6c3c2f2...8d3c67d)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update package.json (#1317)

fix #1316

* build(deps-dev): bump jsdom from 29.0.2 to 29.1.0 (#1318)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.0.2 to 29.1.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.0.2...v29.1.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: apply URI validation to attributes allowed via ADD_ATTR callback (#1320)

* fix: apply URI validation to attributes allowed via ADD_ATTR callback

The function form of ADD_ATTR (introduced in PR #1150) allowed attribute
names to bypass URI scheme validation. When the attributeCheck callback
returned true, the attribute value was accepted without checking it
against IS_ALLOWED_URI, meaning javascript: and data: URIs could pass
through unsanitized.

The array form of ADD_ATTR and the default ALLOWED_ATTR set both flow
through URI validation correctly; the function form now does too.

The fix removes the attributeCheck branch as a separate early-exit and
folds it into the name-permitted test that precedes value validation:

  const nameIsPermitted =
    ALLOWED_ATTR[lcName] ||
    (EXTRA_ELEMENT_HANDLING.attributeCheck instanceof Function &&
      EXTRA_ELEMENT_HANDLING.attributeCheck(lcName, lcTag));

  } else if (!nameIsPermitted || FORBID_ATTR[lcName]) {

Tests added: javascript: URI is stripped when href is allowed via
ADD_ATTR callback; safe https: URI is preserved.

* test: use assert.equal to avoid CodeQL substring URL warning

* release: 3.4.2 (#1321)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kodareef5 <kodareef5@gmail.com>
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: bencalif <ben@calif.io>
Co-authored-by: Developer <dev@devcontainer.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: 1Jesper1 <1jesper1@gmail.com>
Co-authored-by: David Oliver <github_0UEMJhIUyGLn7@doliver.co.uk>
Co-authored-by: Mario Heiderich <mario.heiderich@gmail.com>
Co-authored-by: Drew Neil <andrew.jr.neil@gmail.com>
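The ADD_ATTR callback fix described in the commit message above, modelled as an added example: this is not DOMPurify's code, but a stripped-down attribute filter showing the early-exit form that skipped URI validation beside the folded form that validates the value for every permitted name. The allowlists, the simplified `IS_ALLOWED_URI` pattern, the whitespace stripping and the `attributeCheck` callback are assumptions made for this example.

```javascript
// Attributes whose value may carry a URI and must pass scheme validation (assumed set).
const URI_SAFE_ATTR = new Set(['href', 'src', 'xlink:href', 'action']);

// Simplified stand-in for IS_ALLOWED_URI (assumed, not DOMPurify's exact regex):
// accept http(s)/mailto/tel, anything not starting with a letter (relative paths,
// anchors), and bare words with no scheme colon; reject javascript:, data:, etc.
const IS_ALLOWED_URI = /^(?:(?:https?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Control characters and whitespace that browsers ignore inside a scheme (assumed set).
const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Pre-fix shape: a truthy attributeCheck result returned the value immediately,
// so callback-allowed names never reached the URI check.
function sanitizeAttributeBeforeFix(name, value, tagName, config) {
  const lcName = name.toLowerCase();
  const lcTag = tagName.toLowerCase();
  if (typeof config.attributeCheck === 'function' && config.attributeCheck(lcName, lcTag)) {
    return value; // early exit: no URI validation
  }
  if (!config.allowedAttr.has(lcName) || config.forbidAttr.has(lcName)) {
    return null; // attribute dropped
  }
  return validateValue(lcName, value);
}

// Post-fix shape: the callback only decides whether the NAME is permitted;
// the value then goes through the same validation as allowlisted names.
function sanitizeAttribute(name, value, tagName, config) {
  const lcName = name.toLowerCase();
  const lcTag = tagName.toLowerCase();
  const nameIsPermitted =
    config.allowedAttr.has(lcName) ||
    (typeof config.attributeCheck === 'function' && config.attributeCheck(lcName, lcTag));
  if (!nameIsPermitted || config.forbidAttr.has(lcName)) {
    return null; // attribute dropped
  }
  return validateValue(lcName, value);
}

// Shared value validation: URI-carrying attributes must match IS_ALLOWED_URI
// after ignorable whitespace is removed; other attributes pass through.
function validateValue(lcName, value) {
  if (URI_SAFE_ATTR.has(lcName) && !IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE, ''))) {
    return null;
  }
  return value;
}

// Constructed configuration: href is NOT on the allowlist, only the callback permits it.
const CALLBACK_CONFIG = {
  allowedAttr: new Set(['title']),
  forbidAttr: new Set(),
  attributeCheck: (lcName, lcTag) => lcTag === 'a' && lcName === 'href',
};
```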
Labels: dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)