
chore(deps): update dependency dompurify to v3.4.1#5648

Merged
thomhurst merged 1 commit into main from renovate/dompurify-3.x
Apr 21, 2026

Conversation

@thomhurst (Owner)

This PR contains the following updates:

Package   | Type        | Update | Change
dompurify | resolutions | patch  | 3.4.0 → 3.4.1

Release Notes

cure53/DOMPurify (dompurify)

v3.4.1: DOMPurify 3.4.1

Compare Source

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
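As an added illustration (not code from DOMPurify or from this repository) of two items in the release notes above: the idempotence contract behind the SANITIZE_NAMED_PROPS double-prefix fix, and the negative-control assertion that a property-based harness needs so a passing run actually means something. The element attributes are modelled as plain objects, the prefix is the `user-content-` string DOMPurify applies under SANITIZE_NAMED_PROPS, and the fix is modelled as "skip a value that already starts with the prefix"; the names `prefixNamedPropsBuggy`, `prefixNamedPropsFixed`, `isIdempotent`, `SEED_ATTRS`, `generateAttrs` and `runCheck` are introduced here and the seed corpus is constructed for the example.

```javascript
// Added example, not DOMPurify's code. Attributes are modelled as a plain
// object per element; the fix is modelled as a starts-with check (assumption:
// the real implementation may differ in detail but must satisfy the same property).
const PREFIX = 'user-content-'; // prefix DOMPurify applies under SANITIZE_NAMED_PROPS
const NAMED_PROPS = ['id', 'name'];

// Shape of the bug fixed in 3.4.1: prefix unconditionally, so a second pass over
// already-sanitized output turns "x" into "user-content-user-content-x".
function prefixNamedPropsBuggy(attrs) {
  const out = { ...attrs };
  for (const key of NAMED_PROPS) {
    if (typeof out[key] === 'string') out[key] = PREFIX + out[key];
  }
  return out;
}

// Modelled fix: leave a value alone when it already carries the prefix.
function prefixNamedPropsFixed(attrs) {
  const out = { ...attrs };
  for (const key of NAMED_PROPS) {
    if (typeof out[key] === 'string' && !out[key].startsWith(PREFIX)) {
      out[key] = PREFIX + out[key];
    }
  }
  return out;
}

// Property under test: sanitizing already-sanitized output is a no-op, f(f(x)) == f(x).
function isIdempotent(fn, attrs) {
  const once = fn(attrs);
  const twice = fn(once);
  return JSON.stringify(once) === JSON.stringify(twice);
}

// Constructed seed corpus (not DOMPurify's own seed payloads).
const SEED_ATTRS = [
  { id: 'x' },
  { name: 'csrf' },
  { id: 'a', name: 'b', class: 'c' },
  { id: PREFIX + 'already' },   // value that arrives already prefixed
  { id: '' },                   // empty string is still a string value
  { class: 'no-named-props' },  // nothing to prefix at all
];

// Deterministic generator so the property is exercised beyond the hand-written seeds.
function generateAttrs(n) {
  const cases = [];
  for (let i = 0; i < n; i += 1) {
    const attrs = {};
    if (i % 2 === 0) attrs.id = 'id' + i;
    if (i % 3 === 0) attrs.name = 'n' + i;
    if (i % 5 === 0) attrs.id = PREFIX + 'p' + i;
    cases.push(attrs);
  }
  return cases;
}

function allIdempotent(fn, cases) {
  return cases.every((attrs) => isIdempotent(fn, attrs));
}

// Negative control: the harness must flag the buggy variant, otherwise a green
// run on the fixed variant tells you nothing about the invariant firing.
function negativeControlFires() {
  return !allIdempotent(prefixNamedPropsBuggy, SEED_ATTRS);
}

function runCheck() {
  const cases = SEED_ATTRS.concat(generateAttrs(50));
  return {
    fixedPasses: allIdempotent(prefixNamedPropsFixed, cases),
    buggyCaught: negativeControlFires(),
  };
}
```

One consequence of making the prefixing idempotent this way is worth keeping in mind: a value that already begins with `user-content-` on input is passed through unchanged, so the prefix is a namespace that keeps sanitized ids and names away from the page's own DOM, not evidence that a given value went through the sanitizer.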

@thomhurst thomhurst added the labels dependencies (Pull requests that update a dependency file), PATCH and renovate-bot on Apr 21, 2026
@thomhurst thomhurst enabled auto-merge (squash) April 21, 2026 16:55
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


@claude (Bot, Contributor) left a comment

Dependency Update Review: DOMPurify 3.4.0 → 3.4.1

This is a Renovate-managed patch bump and looks correct.

What changed

  • docs/package.json: version string updated
  • docs/yarn.lock: version, resolved URL, SHA-1, and SHA-512 integrity hash all updated consistently

No C#/.NET source, engine, or test code is touched.

Security value

Despite being a patch release, v3.4.1 contains meaningful security hardening:

  • On-handler stripping fix for HTML-spec-reserved custom element names (e.g., font-face) under permissive CUSTOM_ELEMENT_HANDLING
  • Case-sensitivity gap in the annotation-xml check closed — mixed-case variants could previously bypass the custom-element exclusion in XHTML mode
  • DOM-clobbering robustness improvement in the IN_PLACE root-node check
  • SANITIZE_NAMED_PROPS double-prefix bug fixed

Even in a docs context, keeping DOMPurify current is worthwhile given its role as an XSS mitigation library.

Verdict

Safe to merge. The lockfile integrity is consistent, the scope is limited to the docs directory, and the patch brings concrete security improvements with no breaking changes expected.
