[Bug] CVE-2025-26791 reported against DOMPurify 3.1.7 used in monaco-editor 0.52.2

[kushalanand25]

Reproducible in vscode.dev or in VS Code Desktop?

• Not reproducible in vscode.dev or VS Code Desktop

Reproducible in the monaco editor playground?

• Not reproducible in the monaco editor playground

Monaco Editor Playground Link

NA

Monaco Editor Playground Code

NA

Reproduction Steps

NA

Actual (Problematic) Behavior

DOMPurify library 3.1.7 referenced in 0.52.2 version is having publicly reported CVE : https://nvd.nist.gov/vuln/detail/CVE-2025-26791
which has been fixed in below issue as part of DOMPurify 3.2.4 release.
cure53/DOMPurify#1064

Referenced DOMPurify version needs to updated in monaco editor to fix inherent vulnerability.

Expected Behavior

No response

Additional Context

No response

[hediet]

That CVE is about scenarios that use SAFE_FOR_TEMPLATES. We don't make use of that flag.

[kushalanand25]

[Off topic maybe]
Is there a reason monaco-editor 0.52.2 refers to older 0.52.0-rc2 version of monaco-editor-core
https://github.com/microsoft/monaco-editor/blob/main/package.json#L55

And latest version of vscode is having DOMPurify 3.2.4 and no new version of monaco editor is released in recent time.
Given some dependencies are web-packed.