From 09fa1a8e4e803cc4baa472bf74afd078391555e8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 6 Mar 2026 19:04:08 +0800
Subject: [PATCH] chore: bump up dompurify version to v3.3.2 [SECURITY]
(#14581)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.0` → `3.3.2`](https://renovatebot.com/diffs/npm/dompurify/3.3.0/3.3.2) | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-0540](https://nvd.nist.gov/vuln/detail/CVE-2026-0540)
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9
and 3.3.2, contain a cross-site scripting vulnerability that allows
attackers to bypass attribute sanitization by exploiting five missing
rawtext elements (noscript, xmp, noembed, noframes, iframe) in the
`SAFE_FOR_XML` regex. Attackers can include payloads like
`
` in attribute values to execute
JavaScript when sanitized output is placed inside these unprotected
rawtext contexts.
---
### Release Notes
cure53/DOMPurify (dompurify)
### [`v3.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.2): DOMPurify 3.3.2
[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.1...3.3.2)
- Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing,
thanks multiple reporters
- Fixed a prototype pollution issue when working with custom elements,
thanks [@christos-eth](https://redirect.github.com/christos-eth)
- Fixed a lenient config parsing in `_isValidAttribute`, thanks
[@christos-eth](https://redirect.github.com/christos-eth)
- Bumped and removed several dependencies, thanks
[@Rotzbua](https://redirect.github.com/Rotzbua)
- Fixed the test suite after bumping dependencies, thanks
[@Rotzbua](https://redirect.github.com/Rotzbua)
### [`v3.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.1): DOMPurify 3.3.1
[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.0...3.3.1)
- Updated `ADD_FORBID_CONTENTS` setting to extend default list, thanks
[@MariusRumpf](https://redirect.github.com/MariusRumpf)
- Updated the ESM import syntax to be more correct, thanks
[@binhpv](https://redirect.github.com/binhpv)
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
yarn.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
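Added example, not code from the Renovate PR, AFFiNE or DOMPurify: a check that reads Yarn Berry `yarn.lock` text and reports any dompurify resolution that still falls inside the affected ranges the advisory above lists (2.5.3 to 2.5.8 and 3.1.3 to 3.3.1). The lockfile snippet is constructed from the hunk in this patch; nothing else is assumed.

```javascript
// Added example (not from the PR or DOMPurify): flag dompurify versions pinned in
// yarn.lock that fall inside the CVE-2026-0540 ranges quoted in the commit message.
// Constructed sample: the lockfile entry before and after the hunk, trimmed.
const LOCK_BEFORE = `"dompurify@npm:^3.2.5, dompurify@npm:^3.3.0":
  version: 3.3.0
  resolution: "dompurify@npm:3.3.0"
  languageName: node
  linkType: hard
`;
const LOCK_AFTER = LOCK_BEFORE.replace(/3\.3\.0/g, '3.3.2');
// Inclusive affected ranges, copied from the advisory text above.
const AFFECTED = [
  { lo: [2, 5, 3], hi: [2, 5, 8] },
  { lo: [3, 1, 3], hi: [3, 3, 1] },
];
// "3.3.2" -> [3, 3, 2]; a pre-release suffix such as "-rc.1" is dropped.
const parseVersion = (s) => s.split('-')[0].split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED.some((r) => cmp(v, r.lo) >= 0 && cmp(v, r.hi) <= 0);
}
// Every `version:` resolved for an entry whose descriptor list names `pkg`,
// e.g. resolvedVersions(LOCK_BEFORE, 'dompurify') -> ['3.3.0'].
function resolvedVersions(lockText, pkg) {
  const found = [];
  let inEntry = false;
  for (const line of lockText.split('\n')) {
    if (/^"[^"]+":$/.test(line)) {
      // Header such as "dompurify@npm:^3.2.5, dompurify@npm:^3.3.0":
      const descriptors = line.slice(1, -2).split(', ');
      inEntry = descriptors.some((d) => d.startsWith(pkg + '@'));
    } else if (inEntry) {
      const m = /^\s+version:\s*(\S+)\s*$/.exec(line);
      if (m) { found.push(m[1]); inEntry = false; }
    }
  }
  return found;
}
// Affected dompurify versions still pinned in the lockfile; [] means clean.
function affectedDompurify(lockText) {
  return resolvedVersions(lockText, 'dompurify').filter(isAffected);
}
console.log(affectedDompurify(LOCK_BEFORE), affectedDompurify(LOCK_AFTER));
```

Run it against the repository's full `yarn.lock` (read the file into a string) to confirm no other lockfile entry still resolves dompurify to an affected release after the bump.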
diff --git a/yarn.lock b/yarn.lock
index dbe737851e..aabc87a66b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -21995,14 +21995,14 @@ __metadata:
linkType: hard
"dompurify@npm:^3.2.5, dompurify@npm:^3.3.0":
- version: 3.3.0
- resolution: "dompurify@npm:3.3.0"
+ version: 3.3.2
+ resolution: "dompurify@npm:3.3.2"
dependencies:
"@types/trusted-types": "npm:^2.0.7"
dependenciesMeta:
"@types/trusted-types":
optional: true
- checksum: 10/d8782b10a0454344476936c91038d06c9450b3e3ada2ceb8f722525e6b54e64d847939b9f35bf385facd4139f0a2eaf7f5553efce351f8e9295620570875f002
+ checksum: 10/3ca02559677ce6d9583a500f21ffbb6b9e88f1af99f69fa0d0d9442cddbac98810588c869f8b435addb5115492d6e49870024bca322169b941bafedb99c7f281
languageName: node
linkType: hard
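Review bot: the hunk re-pins only the lockfile resolution; the entry's descriptor list (`"dompurify@npm:^3.2.5, dompurify@npm:^3.3.0":`) is unchanged, so the declared package.json ranges still admit the affected 3.1.3 to 3.3.1 releases and a regenerated lockfile is not guaranteed to land on the fix. Suggest raising the manifest ranges to `^3.3.2` in the same change, and having CI run `yarn install --immutable` so the install fails if the recorded `checksum: 10/3ca02559...` does not match the fetched 3.3.2 tarball or the lockfile drifts from what was reviewed.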