chore(deps): update dependency dompurify to v3.4.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
dompurify	3.3.3 → 3.4.0

GitHub Vulnerability Alerts

GHSA-39q2-94rc-95cp

Summary

In src/purify.ts:1117-1123, ADD_TAGS as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) bypasses FORBID_TAGS due to short-circuit evaluation.

The condition:

!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])

When tagCheck(tagName) returns true, the entire condition is false and the element is kept — FORBID_TAGS[tagName] is never evaluated.

Inconsistency

This contradicts the attribute-side pattern at line 1214 where FORBID_ATTR explicitly wins first:

if (FORBID_ATTR[lcName]) { continue; }

For tags, FORBID should also take precedence over ADD.

Impact

Applications using both ADD_TAGS as a function and FORBID_TAGS simultaneously get unexpected behavior — forbidden tags are allowed through. Config-dependent but a genuine logic inconsistency.

Suggested Fix

Check FORBID_TAGS before tagCheck:

if (FORBID_TAGS[tagName]) { /* remove */ }
else if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }

Affected Version

v3.3.3 (commit 883ac15)

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

---

Release Notes

cure53/DOMPurify (dompurify)

v3.4.0: DOMPurify 3.4.0

Compare Source

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Note

Low Risk
Dependency-only update plus minor Renovate/script configuration changes; minimal runtime impact beyond the updated sanitizer behavior.

Overview
Bumps dompurify from 3.3.3 to 3.4.0 in both the library and the example app, updating the corresponding lockfiles.

Adds an npm audit script to example/package.json and tweaks renovate.json so security/vulnerability-alert updates use rangeStrategy: "bump".

^{Reviewed by Cursor Bugbot for commit c735516. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

📦 Bundle Size Report

Metric	Current	Previous	Change	Status
Total (gzip)	208.05 kB	208.04 kB	+14 B (+0.0%)	🔴
Total (raw)	558.87 kB	558.87 kB	0 B (0%)	🟢
CSS (gzip)	20.11 kB	20.11 kB	0 B (0%)	🟢
CSS (raw)	103.71 kB	103.71 kB	0 B (0%)	🟢

Size Limits

• ✅ Total gzipped: 208.05 kB / 250 kB (83.2%)
• ✅ Total raw: 558.87 kB / 600 kB (93.1%)
• ✅ CSS gzipped: 20.11 kB / 25 kB (80.4%)

Largest Files (Top 5)

1. chunk-RXNDKUY6.js - 13.83 kB (0 B (0%))
2. index.css - 10.05 kB (0 B (0%))
3. styles.css - 10.05 kB (0 B (0%))
4. index.js - 6.05 kB (+6 B (+0.1%))
5. chunk-WZE2IQ3A.js - 5.93 kB (0 B (0%))

View All Files (310 total)

File	Size (gzip)	Change
chunk-RXNDKUY6.js	13.83 kB	0 B (0%)
index.css	10.05 kB	0 B (0%)
styles.css	10.05 kB	0 B (0%)
index.js	6.05 kB	+6 B (+0.1%)
chunk-WZE2IQ3A.js	5.93 kB	0 B (0%)
chunk-R47Q7R6C.js	5.82 kB	0 B (0%)
chunk-YZKXKNDS.js	4.4 kB	0 B (0%)
chunk-Y4A7NMBJ.js	4.23 kB	0 B (0%)
chunk-HLR7IUW7.js	4.06 kB	0 B (0%)
chunk-2NQD4WDS.js	3.46 kB	new

✅ Bundle size check passed

[github-actions]

Deploy preview for remote-flows-example-app ready!

✅ Preview
https://remote-flows-example-p8550plr3-remotecom.vercel.app

Built with commit c735516.
This pull request is being automatically deployed with vercel-action

[github-actions]

Deploy preview for remote-flows ready!

✅ Preview
https://remote-flows-ijpgxnyyd-remotecom.vercel.app

Built with commit c735516.
This pull request is being automatically deployed with vercel-action

[github-actions]

📊 Coverage Report

⚪ Coverage unchanged

Metric	Current	Previous	Change	Status
Lines	89.94%	89.94%	0%	⚪
Statements	89.61%	89.61%	0%	⚪
Functions	87.47%	87.47%	0%	⚪
Branches	79.78%	79.78%	0%	⚪

Detailed Breakdown

Lines Coverage

• Covered: 3575 / 3975
• Coverage: 89.94%
• Change: 0% (0 lines)

Statements Coverage

• Covered: 3638 / 4060
• Coverage: 89.61%
• Change: 0% (0 statements)

Functions Coverage

• Covered: 984 / 1125
• Coverage: 87.47%
• Change: 0% (0 functions)

Branches Coverage

• Covered: 2217 / 2779
• Coverage: 79.78%
• Change: 0% (0 branches)

✅ Coverage check passed

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.