Bump vendored dompurify from 3.2.7 to 3.4.5#318354

Open

jonkoops wants to merge 1 commit into microsoft:main from jonkoops:jonkoops/bump-dompurify-3.4.5

Conversation

@jonkoops jonkoops commented May 26, 2026

Updates the vendored DOMPurify copy at src/vs/base/browser/dompurify/ from 3.2.7 to 3.4.5, addressing the following CVEs:

| CVE | Severity | Fixed in |
| --- | --- | --- |
| CVE-2026-0540 | Medium (6.1) | 3.3.2 |
| CVE-2026-41238 | Medium (6.9) | 3.4.0 |
| CVE-2026-41239 | Medium (6.8) | 3.4.0 |
| CVE-2026-41240 | Medium (6.0) | 3.4.0 |

VS Code's usage (via domSanitize.ts) does not exercise the affected code paths for most of these CVEs, as it never uses SAFE_FOR_TEMPLATES, CUSTOM_ELEMENT_HANDLING, function-form ADD_TAGS/ADD_ATTR, or FORBID_TAGS.

Fixes #313084

Fixes microsoft#313084

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Copilot AI review requested due to automatic review settings May 26, 2026 13:28
Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the vendored DOMPurify dependency to a newer upstream release and aligns repository metadata/licensing accordingly.

Changes:

  • Bump DOMPurify from 3.2.7 to 3.4.5 (vendored JS + typings).
  • Update third-party notices and component governance manifest to reflect the new version/commit.
  • Refresh DOMPurify license/copyright attribution.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/vs/base/browser/dompurify/dompurify.js | Update vendored DOMPurify runtime to 3.4.5 (includes upstream security/behavior changes). |
| src/vs/base/browser/dompurify/dompurify.d.ts | Update DOMPurify typings for 3.4.5, including config surface changes. |
| src/vs/base/browser/dompurify/cgmanifest.json | Bump tracked DOMPurify tag/version and commit hash. |
| src/vs/base/browser/dompurify/dompurify.license.txt | Update license header attribution details. |
| ThirdPartyNotices.txt | Update DOMPurify version listed in third-party notices. |

Successfully merging this pull request may close these issues.

Update DOMPurify to v3.4.5 because current v3.2.7 has several CVEs

3 participants