[Snyk] Upgrade dompurify from 3.0.5 to 3.1.2

[X-oss-byte]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade dompurify from 3.0.5 to 3.1.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 9 versions ahead of your current version.

• The recommended version was released 22 days ago, on 2024-04-30.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Template Injection SNYK-JS-DOMPURIFY-6474511	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: dompurify

• 3.1.2 - 2024-04-30
  
  • Addressed and fixed a mXSS variation found by @ kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions
• 3.1.1 - 2024-04-26
  
  • Fixed an mXSS sanitiser bypass reported by @ icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

  Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

• 3.1.0 - 2024-04-07
  
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies
• 3.0.11 - 2024-03-21
• 3.0.10 - 2024-03-19
• 3.0.9 - 2024-02-20
• 3.0.8 - 2024-01-05
• 3.0.7 - 2024-01-04
• 3.0.6 - 2023-09-28
• 3.0.5 - 2023-07-11

from dompurify GitHub release notes

Commit messages

Package name: dompurify

• 74664db chore: Updated package-lock.json with new release number
• 5f17b27 chore: Preparing 3.1.2 release
• 5d492ee test: Fixed the tests for older Chrome and Safari
• 8075b37 fix: Adjusted the list of permitted SVG HTML integration points
• 61b761f fix: Switched to using the getParentNode API for some calls
• ee17313 docs: Added new mentions of honor to the readme
• 7bbd12b chore: Preparing 3.1.1 release
• 87eff29 Merge branch 'main' of github.com:cure53/DOMPurify
• 809a902 fix: Set the MAX_NESTING_DEPTH to 255 for good measure and adjusted tests
• c0d418c Merge pull request Bugfix 941 mermaid-js/mermaid#942 from kyselberg/main
• 2a554b4 docs: additional info in example
• 6e240ec docs: correct hook name and remove misleading comment
• ef4bbb4 chore: Re-generated dist versions
• 1f494b9 Merge pull request graph LR makes TD mermaid-js/mermaid#941 from icesfont/fix/deep-nesting-mxss
• 813d065 fix: added __removalCount to account for nodes removed from parents when calculating depth
• 6dbc2bd fix: Fixed a faulty edit and changed the code acccordingly
• 65d35b8 fix: Added experimental __depth increment for copied elements
• 4299c0a fix: Added __depth tracking for ShadowDOM and template elements as well
• 81d963c fix: Slightly changed the execution order for __depth tracking
• ce799c3 fix: Added __depth field to sanitized DOM nodes for better tracking
• f051738 fix: Fixed an off-by-one with the nesting counter causing over-sanitization
• c725ce0 fix: Changed the behavior of the nesting counter ever so slightly
• c5369f2 fix: Addressed a possible bypass issue caused by deep-nesting
• 632f122 see Fix accidental paste and code style in readme mermaid-js/mermaid#939

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Note: This is a default PR template raised by Snyk. Find out more about how you can customise Snyk PRs in our documentation.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: e652487

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.