chore: bump up dompurify version to v3.3.2 [SECURITY] (#14581)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.0` →
`3.3.2`](https://renovatebot.com/diffs/npm/dompurify/3.3.0/3.3.2) |
![age](https://developer.mend.io/api/mc/badges/age/npm/dompurify/3.3.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/dompurify/3.3.0/3.3.2?slim=true)
|

### GitHub Vulnerability Alerts

#### [CVE-2026-0540](https://nvd.nist.gov/vuln/detail/CVE-2026-0540)

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9
and 3.3.2, contain a cross-site scripting vulnerability that allows
attackers to bypass attribute sanitization by exploiting five missing
rawtext elements (noscript, xmp, noembed, noframes, iframe) in the
`SAFE_FOR_XML` regex. Attackers can include payloads like
`</noscript><img src=x onerror=alert(1)>` in attribute values to execute
JavaScript when sanitized output is placed inside these unprotected
rawtext contexts.

---

### Release Notes

<details>
<summary>cure53/DOMPurify (dompurify)</summary>

###
[`v3.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.2):
DOMPurify 3.3.2

[Compare
Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.1...3.3.2)

- Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing,
thanks multiple reporters
- Fixed a prototype pollution issue when working with custom elements,
thanks [@&#8203;christos-eth](https://redirect.github.com/christos-eth)
- Fixed a lenient config parsing in `_isValidAttribute`, thanks
[@&#8203;christos-eth](https://redirect.github.com/christos-eth)
- Bumped and removed several dependencies, thanks
[@&#8203;Rotzbua](https://redirect.github.com/Rotzbua)
- Fixed the test suite after bumping dependencies, thanks
[@&#8203;Rotzbua](https://redirect.github.com/Rotzbua)

###
[`v3.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.1):
DOMPurify 3.3.1

[Compare
Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.0...3.3.1)

- Updated `ADD_FORBID_CONTENTS` setting to extend default list, thanks
[@&#8203;MariusRumpf](https://redirect.github.com/MariusRumpf)
- Updated the ESM import syntax to be more correct, thanks
[@&#8203;binhpv](https://redirect.github.com/binhpv)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

yarn.lock

@@ -21995,14 +21995,14 @@ __metadata:
   linkType: hard
 
 "dompurify@npm:^3.2.5, dompurify@npm:^3.3.0":
-  version: 3.3.0
-  resolution: "dompurify@npm:3.3.0"
+  version: 3.3.2
+  resolution: "dompurify@npm:3.3.2"
   dependencies:
     "@types/trusted-types": "npm:^2.0.7"
   dependenciesMeta:
     "@types/trusted-types":
       optional: true
-  checksum: 10/d8782b10a0454344476936c91038d06c9450b3e3ada2ceb8f722525e6b54e64d847939b9f35bf385facd4139f0a2eaf7f5553efce351f8e9295620570875f002
+  checksum: 10/3ca02559677ce6d9583a500f21ffbb6b9e88f1af99f69fa0d0d9442cddbac98810588c869f8b435addb5115492d6e49870024bca322169b941bafedb99c7f281
   languageName: node
   linkType: hard