build(deps): bump dompurify from 3.3.3 to 3.4.0 by dependabot[bot] · Pull Request #3977 · pierreb-devkit/Vue

dependabot · 2026-04-15T04:04:02Z

Bumps dompurify from 3.3.3 to 3.4.0.

Release notes

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.3 to 3.4.0. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.0) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 15, 2026

github-actions bot approved these changes Apr 15, 2026

View reviewed changes

github-actions bot merged commit 1814798 into master Apr 15, 2026
3 checks passed

dependabot bot deleted the dependabot/npm_and_yarn/dompurify-3.4.0 branch April 15, 2026 04:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump dompurify from 3.3.3 to 3.4.0#3977

build(deps): bump dompurify from 3.3.3 to 3.4.0#3977
github-actions[bot] merged 1 commit intomasterfrom
dependabot/npm_and_yarn/dompurify-3.4.0

dependabot bot commented on behalf of github Apr 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 15, 2026

DOMPurify 3.4.0

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants