[Snyk] Upgrade dompurify from 3.0.5 to 3.2.3

[X-oss-byte]

Snyk has created this PR to upgrade dompurify from 3.0.5 to 3.2.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 18 versions ahead of your current version.

• The recommended version was released 24 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-DOMPURIFY-7984421	586	No Known Exploit
	Template Injection SNYK-JS-DOMPURIFY-6474511	586	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-8184974	586	Proof of Concept

Release notes

Package name: dompurify

• 3.2.3 - 2024-12-09
  
  • Fixed two conditional sanitizer bypasses discovered by @ parrot409 and @ Slonser
  • Updated the attribute clobbering checks to prevent future bypasses, thanks @ parrot409
• 3.2.2 - 2024-11-29
  
  • Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @ Yaniv-git
  • Fixed several minor issues with the type definitions, thanks again @ reduckted
  • Fixed a minor issue with the types reference for trusted types, thanks @ reduckted
  • Fixed a minor problem with the template detection regex on some systems, thanks @ svdb99
• 3.2.1 - 2024-11-20
  
  • Fixed several minor issues with the type definitions, thanks @ reduckted @ ghiscoding @ asamuzaK @ MiniDigger
  • Fixed an issue with non-minified dist files and order of imports, thanks @ reduckted
• 3.2.0 - 2024-11-11
  
  • Added type declarations, thanks @ reduckted , @ philmayfield, @ aloisklink, @ ssi02014 and others
  • Fixed a minor issue with the handling of hooks, thanks @ kevin-mizu
• 3.1.7 - 2024-09-26
  
  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @ masatokinugawa
  • Fixed several smaller typos in documentation and test & build files, thanks @ christianhg
  • Added better support for Angular compiler, thanks @ jeroen1602
  • Added several new attributes to HTML and SVG allow-list, thanks @ Gigabyte5671 and @ Rotzbua
  • Removed the foreignObject element from the list of HTML entry-points, thanks @ masatokinugawa
  • Bumped several dependencies to be more up to date
• 3.1.6 - 2024-07-05
  
  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @ kevin-mizu
  • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @ realansgar
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Fixed several minor typos in docs, comments and comment blocks, thanks @ Rotzbua
  • Updated several development dependencies
• 3.1.5 - 2024-05-31
  
  • Fixed a minor issue with the dist paths in bower.js, thanks @ HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @ kakao-bishop-cho
• 3.1.4 - 2024-05-20
• 3.1.3 - 2024-05-11
• 3.1.2 - 2024-04-30
• 3.1.1 - 2024-04-26
• 3.1.0 - 2024-04-07
• 3.0.11 - 2024-03-21
• 3.0.10 - 2024-03-19
• 3.0.9 - 2024-02-20
• 3.0.8 - 2024-01-05
• 3.0.7 - 2024-01-04
• 3.0.6 - 2023-09-28
• 3.0.5 - 2023-07-11

from dompurify GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade dompurify from 3.0.5 to 3.2.3.

Bug Fixes:

• Fix prototype pollution, template injection, and cross-site scripting vulnerabilities.

Enhancements:

• Update attribute clobbering checks.
• Improve type definitions.
• Add better support for the Angular compiler.
• Add several new attributes to the HTML and SVG allow lists.
• Remove the foreignObject element from HTML entry points.
• Fix issues with comment detection.
• Fix issues with the execution logic of attribute hooks.
• Fix an issue with element removal leading to uncaught errors through DOM Clobbering.
• Fix a minor problem with the bower file pointing to the wrong dist path.
• Fix a minor issue with sanitizing HTML coming from copy&paste Word content.
• Fix a minor issue with the dist paths in bower.js.
• Fix a minor problem with the template detection regex on some systems.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c86ebdf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request upgrades the dompurify package from version 3.0.5 to 3.2.3 in the packages/mermaid/package.json file. This upgrade fixes several security vulnerabilities, including prototype pollution, template injection, and cross-site scripting (XSS), and introduces several other improvements and bug fixes.

Sequence diagram showing DOMPurify sanitization process with security fixes

sequenceDiagram
    participant App
    participant DOMPurify
    participant DOM

    App->>DOMPurify: sanitize(untrustedHTML)
    Note over DOMPurify: New security checks:
    Note over DOMPurify: - Prototype pollution prevention
    Note over DOMPurify: - Template injection protection
    Note over DOMPurify: - XSS protection
    DOMPurify->>DOM: Create safe DOM
    DOM-->>DOMPurify: Return sanitized DOM
    DOMPurify-->>App: Return clean HTML

Loading

Class diagram showing DOMPurify package upgrade changes

classDiagram
    class DOMPurify {
        +version: 3.2.3
        +sanitize(dirty: string)
        +addHook()
        +removeHook()
        +clearConfig()
    }
    note for DOMPurify "Upgraded from 3.0.5 to 3.2.3
    - Fixed prototype pollution
    - Fixed template injection
    - Fixed XSS vulnerabilities
    - Added type declarations"

Loading

File-Level Changes

Change	Details	Files
Upgrade dompurify from 3.0.5 to 3.2.3	Updated the dompurify dependency version from 3.0.5 to 3.2.3 in the package.json file.	packages/mermaid/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.