Update dompurify override to 3.3.3 to resolve reopened GHSA-v2wj-7wpq-c8vv #1634

Merged
TalZaccai merged 3 commits into main from copilot/investigate-reopened-dependabot-alerts
Mar 17, 2026
Conversation

Contributor

Copilot AI commented Mar 17, 2026

PR #1604 pinned dompurify to 3.3.1 in npm overrides when GHSA-v2wj-7wpq-c8vv had no upstream fix. DOMPurify 3.3.2 later patched the vulnerability, and dependabot PR #1617 bumped yarn.lock to 3.3.3 — but left the overrides pin at 3.3.1, which is still in the vulnerable range (>=3.1.3 <=3.3.1), reopening the alert.

  • Updated website/package.json override from "dompurify": "3.3.1" to "dompurify": "3.3.3" to align with yarn.lock and exit the vulnerable range
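The failure mode described above is a pin in one place (npm "overrides") drifting from the resolved version in another (yarn.lock). The following is an added example, not code from this PR or the project: a small audit that reads an overrides pin and a yarn v1 lockfile and reports whether either still satisfies the advisory range quoted above (>=3.1.3 <=3.3.1). The package.json and yarn.lock inputs are constructed to mirror the before/after state of this PR.

```javascript
// Compare two "x.y.z" versions: negative, zero or positive.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does version satisfy a GitHub-advisory style range such as ">=3.1.3 <=3.3.1"?
function inRange(version, range) {
  return range.trim().split(/\s+/).every((term) => {
    const m = /^(>=|<=|>|<|=?)(\d+\.\d+\.\d+)$/.exec(term);
    if (!m) throw new Error(`unsupported range term: ${term}`);
    const c = compareSemver(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0, '': c === 0 }[m[1]];
  });
}

// Version pinned for pkg under "overrides" in package.json, or null.
function overridePin(packageJsonText, pkg) {
  return (JSON.parse(packageJsonText).overrides || {})[pkg] || null;
}

// Every version a yarn v1 lockfile (`pkg@range:` header, indented `version "x.y.z"`) resolves pkg to.
function lockfileVersions(yarnLockText, pkg) {
  const found = new Set();
  for (const block of yarnLockText.split(/\n\s*\n/)) {
    const header = block.trimStart().split('\n')[0];
    if (!header.startsWith(`${pkg}@`) && !header.startsWith(`"${pkg}@`)) continue;
    const m = /^\s+version "([^"]+)"/m.exec(block);
    if (m) found.add(m[1]);
  }
  return [...found];
}

// Is the override pin itself vulnerable, is any locked version, and do pin and lockfile disagree?
function auditPin(packageJsonText, yarnLockText, pkg, vulnRange) {
  const pin = overridePin(packageJsonText, pkg);
  const locked = lockfileVersions(yarnLockText, pkg);
  const pinVulnerable = pin !== null && inRange(pin, vulnRange);
  const lockedVulnerable = locked.filter((v) => inRange(v, vulnRange));
  return { pin, pinVulnerable, lockedVulnerable, mismatch: pin !== null && locked.some((v) => v !== pin) };
}

const VULN_RANGE = '>=3.1.3 <=3.3.1'; // GHSA-v2wj-7wpq-c8vv range as quoted in the PR
const BEFORE = '{"overrides":{"dompurify":"3.3.1"}}'; // constructed: state before this PR
const AFTER = '{"overrides":{"dompurify":"3.3.3"}}'; // constructed: state after this PR
const YARN_LOCK = 'dompurify@^3.2.4, dompurify@3.3.3:\n  version "3.3.3"\n'; // constructed excerpt
console.log(auditPin(BEFORE, YARN_LOCK, 'dompurify', VULN_RANGE), auditPin(AFTER, YARN_LOCK, 'dompurify', VULN_RANGE));
```

Run against a real checkout, `pinVulnerable` or a non-empty `lockedVulnerable` is the condition that keeps the advisory open, and `mismatch` flags the drift this PR fixed even before a new advisory range is published.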

Copilot AI and others added 3 commits March 17, 2026 00:13
Co-authored-by: TalZaccai <18443527+TalZaccai@users.noreply.github.com>
@TalZaccai TalZaccai marked this pull request as ready for review March 17, 2026 00:21
Copilot AI review requested due to automatic review settings March 17, 2026 00:21
Contributor

Copilot AI left a comment

Pull request overview

Updates the website dependency pinning to address a reopened DOMPurify security advisory (GHSA-v2wj-7wpq-c8vv) by moving off the vulnerable <=3.3.1 range.

Changes:

  • Bumps dompurify version pin in website/package.json overrides from 3.3.1 to 3.3.3.
  • Updates website/yarn.lock (large lockfile churn), but currently still resolves dompurify to 3.3.1.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File                  Description
website/package.json  Updates the dompurify override pin to 3.3.3.
website/yarn.lock     Lockfile updated, but still pins dompurify to 3.3.1 (vulnerable).

Copilot AI requested a review from TalZaccai March 17, 2026 00:31
Copilot stopped work on behalf of TalZaccai due to an error March 17, 2026 00:31
@TalZaccai TalZaccai merged commit 638b55b into main Mar 17, 2026
16 of 17 checks passed
@TalZaccai TalZaccai deleted the copilot/investigate-reopened-dependabot-alerts branch March 17, 2026 00:56