From 652f61da50ce7caa8e89db1dac3cbe70eeb750b2 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 16 Jun 2026 08:30:00 +0200
Subject: [PATCH] fix(deps): bump dompurify to 3.4.9 to fix XSS advisories
dompurify 3.4.0 was affected by several stacked advisories (mXSS / sanitizer bypasses). 3.4.9 is past all vulnerable ranges. Resolves Dependabot alerts #248-#254 (package.json) and #259-#265 (lockfile).
---
 frontend/package.json | 2 +-
 frontend/pnpm-lock.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index dfc9386cd..2add08f14 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -82,7 +82,7 @@
 "bulma-css-variables": "0.9.33",
 "change-case": "5.4.4",
 "dayjs": "1.11.19",
- "dompurify": "3.4.0",
+ "dompurify": "3.4.9",
 "fast-deep-equal": "3.1.3",
 "flatpickr": "4.6.13",
 "floating-vue": "5.2.2",
diff --git a/frontend/pnpm-lock.yaml b/frontend/pnpm-lock.yaml
index 3c17e6cd5..09db0f9f9 100644
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -113,8 +113,8 @@ importers:
 specifier: 1.11.19
 version: 1.11.19
 dompurify:
- specifier: 3.4.0
- version: 3.4.0
+ specifier: 3.4.9
+ version: 3.4.9
 fast-deep-equal:
 specifier: 3.1.3
 version: 3.1.3
@@ -3569,8 +3569,8 @@ packages:
 resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
 engines: {node: '>= 4'}
- dompurify@3.4.0:
- resolution: {integrity: sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==}
+ dompurify@3.4.9:
+ resolution: {integrity: sha512-4dPSRMRDqHvs0V4YDFCsaIZo4if5u0xM+llyxiM2fwuZFdKArUBAF3VtI2+n8NKg9P870WMdYk0UhqQNoWXbfQ==}
 domutils@3.2.2:
 resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
@@ -10334,7 +10334,7 @@ snapshots:
 dependencies:
 domelementtype: 2.3.0
- dompurify@3.4.0:
+ dompurify@3.4.9:
 optionalDependencies:
 '@types/trusted-types': 2.0.7