Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): bump dompurify from 3.2.3 to v3.2.4 (stable4.1) - abandoned #10704

Open
wants to merge 1 commit into
base: stable4.1
Choose a base branch
from
Open

fix(deps): bump dompurify from 3.2.3 to v3.2.4 (stable4.1) - abandoned #10704

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 17, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
dompurify 3.2.3 -> 3.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

DOMPurify allows Cross-site Scripting (XSS)

CVE-2025-26791 / GHSA-vhxf-7vqr-mrjg

More information

Details

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Severity

  • CVSS Score: 4.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

  • Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
  • Added a new feature to allow specific hook removal, thanks @​davecardwell
  • Added purify.js and purify.min.js to exports, thanks @​Aetherinox
  • Added better logic in case no window object is president, thanks @​yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

Configuration

📅 Schedule: Branch creation - "before 7am every weekday" in timezone Europe/Vienna, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
fix(deps): bump dompurify from 3.2.3 to v3.2.4
92cfb9d 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title fix(deps): bump dompurify from 3.2.3 to v3.2.4 (stable4.1) fix(deps): bump dompurify from 3.2.3 to v3.2.4 (stable4.1) - abandoned Feb 19, 2025
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Feb 19, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst ChristophWurst is a code owner

@GretaD GretaD Awaiting requested review from GretaD GretaD is a code owner

@kesselb kesselb Awaiting requested review from kesselb kesselb is a code owner

Assignees
No one assigned
Labels
4. to release dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants