[Snyk] Upgrade dompurify from 3.0.6 to 3.1.1

[BiraruX]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade dompurify from 3.0.6 to 3.1.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 7 versions ahead of your current version.
• The recommended version was released 22 days ago, on 2024-04-26.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Template Injection SNYK-JS-DOMPURIFY-6474511	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: dompurify

• 3.1.1 - 2024-04-26
  
  • Fixed an mXSS sanitiser bypass reported by @ icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

  Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

• 3.1.0 - 2024-04-07
  
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies
• 3.0.11 - 2024-03-21
  
  • Fixed another conditional bypass caused by Processing Instructions, thanks @ Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @ AlekseySolovey3T
• 3.0.10 - 2024-03-19
• 3.0.9 - 2024-02-20
• 3.0.8 - 2024-01-05
• 3.0.7 - 2024-01-04
• 3.0.6 - 2023-09-28

from dompurify GitHub release notes

Commit messages

Package name: dompurify

• 7bbd12b chore: Preparing 3.1.1 release
• 87eff29 Merge branch 'main' of github.com:cure53/DOMPurify
• 809a902 fix: Set the MAX_NESTING_DEPTH to 255 for good measure and adjusted tests
• c0d418c Merge pull request #942 from kyselberg/main
• 2a554b4 docs: additional info in example
• 6e240ec docs: correct hook name and remove misleading comment
• ef4bbb4 chore: Re-generated dist versions
• 1f494b9 Merge pull request #941 from icesfont/fix/deep-nesting-mxss
• 813d065 fix: added __removalCount to account for nodes removed from parents when calculating depth
• 6dbc2bd fix: Fixed a faulty edit and changed the code acccordingly
• 65d35b8 fix: Added experimental __depth increment for copied elements
• 4299c0a fix: Added __depth tracking for ShadowDOM and template elements as well
• 81d963c fix: Slightly changed the execution order for __depth tracking
• ce799c3 fix: Added __depth field to sanitized DOM nodes for better tracking
• f051738 fix: Fixed an off-by-one with the nesting counter causing over-sanitization
• c725ce0 fix: Changed the behavior of the nesting counter ever so slightly
• c5369f2 fix: Addressed a possible bypass issue caused by deep-nesting
• 632f122 see #939
• 3375f4c docs: Updated the year in LICENSE file
• 0cf9d2d chore: Preparing 3.1.0 release
• 933b9de See #931
• bf1f5cf fix: Changed the SAFE_FOR_XML config assignment slightly
• e2c857e docs: Modified the README slightly regarding the happy-dom warning
• 3a00950 feature: Added new config option to control comment sanitization

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs