Bump dompurify from 3.4.7 to 3.4.11 by dependabot[bot] · Pull Request #16221 · guardian/dotcom-rendering

dependabot · 2026-06-19T10:42:21Z

Bumps dompurify from 3.4.7 to 3.4.11.

Release notes

DOMPurify 3.4.11

Fixed an issue with a leaky config for hooks via setConfig, thanks @trace37labs

Bumped vulnerable development dependencies to arrive at plain 0 with npm audit

Updated the osv-scanner suppression list as no vulnerable dependencies are left for now

Updated up the linting tool-chain and removed now-redundant lint directives

Updated the documentation is several spots, README, wiki, etc.

Bumped several dependencies where possible

DOMPurify 3.4.10

Refactored codebase for clarity: extracted the public type declarations into types.ts

Decomposed the three largest sanitizer functions into focused helpers

Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path

Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML

Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode

Reduced CI cost by running the full three-engine browser suite once per PR

Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo

Documented the bench and test:happydom scripts in the README

Completed the Attack Classes & Bypass History wiki page

Bumped several dependencies where possible

DOMPurify 3.4.9

Further improved the handling of Trusted Types config options, thanks @offset

Further improved the handling of IN_PLACE sanitization, thanks @mozfreddyb

Added more test coverage for IN_PLACE and Trusted Types related usage

Bumped several dependencies where possible

Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

Cleaned up the repository root, renamed some and removed unneeded files

Fixed an issue with handling of Trusted Types policies, thanks @fulstadev

Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo

Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK

Bumped several dependencies where possible

Commits

0cae518 release: 3.4.11 (#1494)
6ee5716 release: 3.4.10 (#1478)
5210247 release: 3.4.9 (#1459)
bcdd828 release: 3.4.8 (#1439)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.7 to 3.4.11. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.7...3.4.11) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-06-19T10:42:50Z

Hello 👋! When you're ready to run Chromatic, please apply the run_chromatic label to this PR.

You will need to reapply the label each time you want to run Chromatic.

Click here to see the Chromatic project.

github-actions · 2026-06-19T10:48:38Z