chore(deps): bump dompurify from 3.0.6 to 3.1.3 #2602

dependabot · 2024-10-15T11:56:53Z

Bumps dompurify from 3.0.6 to 3.1.3.

Release notes

DOMPurify 3.1.3

Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK

Added better configurability for comment scrubbing default behavior

Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu

Added better handling and readability of the nodeType property, thanks @ssi02014

Fixed some smaller issues in README and other documentation

DOMPurify 3.1.2

Addressed and fixed a mXSS variation found by @kevin-mizu

Addressed and fixed a mXSS variation found by Adam Kues of Assetnote

Updated tests for older Safari and Chrome versions

DOMPurify 3.1.1

Fixed an mXSS sanitiser bypass reported by @icesfont

Added new code to track element nesting depth

Added new code to enforce a maximum nesting depth of 255

Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 3.1.0

Added new setting SAFE_FOR_XML to enable better control over comment scrubbing

Updated README to warn about happy-dom not being safe for use with DOMPurify yet

Updated the LICENSE file to show the accurate year number

Updated several build and test dependencies

DOMPurify 3.0.11

Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK

Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

DOMPurify 3.0.10

Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser

Bumped up some build and test dependencies

DOMPurify 3.0.9

Fixed a problem with proper detection of Custom Elements, thanks @kevin-mizu

Refactored the hasOwnProperty logic, thanks @ssi02014

Removed a superfluous console.warn making HappyDom happier, thanks @HugoPoi

Modernized some of the demo hooks for better looks, thanks @Steb95

DOMPurify 3.0.8

Fixed errors caused by conditional exports, thanks @ssi02014

Fixed a type error when working with custom element config, thanks @cpmotion

DOMPurify 3.0.7

Added better protection against CSPP attacks, thanks @kevin-mizu

Updated browser versions for automated tests

Updated Node versions for automated tests

Refactored code base, thanks @ssi02014

Refactored build system & deployment, thanks @ssi02014

Commits

3fe78d7 chore: Preparing 3.1.3 release
b20ce99 fix: Added smaller-than-null check for __depth hardening code
1e52026 fix: Hardened the depth tracking code against prototype pollution
8df72f1 fix: Made the regex for comment scrubbing a bit stricter
ae517d6 fix: Expanded the comment scrubbing regex matching a bit further
b6818ce fix: Added better configurability for new comment behavior
aafd7a8 docs: Changed inline comments slightly to be more accurate
a377bf8 test: Fixed the tests
d1d5d22 fix: Added experiemental comment scrubbing inside attributes
dc61232 fix #949
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.0.6 to 3.1.3. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.0.6...3.1.3) --- updated-dependencies: - dependency-name: dompurify dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

* sync: Synced local 'docs/' with remote 'docs/redoc/' * chore: remove broken link from demo (Redocly#2338) * fix: renames 'FieldContstraints' to 'FieldConstraints' (Redocly#2352) Co-authored-by: Ricagraca <ricardo.graca@freiheit.com> * fix: schema oneOf title with const (Redocly#2350) * docs: adds vale rules and workflow for running in CI (Redocly#2348) * docs: adds vale rules and workflow for running in CI * docs: updates product name from ReDoc to Redoc * chore: update packages dependecy (Redocly#2360) * chore: update packages dependecy * fix: remove redundant options * fix: webpack config demo folder * fix: replace cypress ts-loader * chore: remove redundant dependency * chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 (Redocly#2359) Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/jonschlinkert/word-wrap/releases) - [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4) --- updated-dependencies: - dependency-name: word-wrap dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: enable keyboard navigation (Redocly#2361) * docs: fix and update links in redoc-vendor-extensions (Redocly#2368) Co-authored-by: Lorna Jane Mitchell <github@lornajane.net> * feat: add x-tags (Redocly#2355) * feat: add x-tags * chore: fix e2e tests and add new for x-tag * chore: add x-tags to demo definition * chore: update snapshots * feat: add support of react 18 (Redocly#2369) * feat: add support of react 18 * chore: add newest version of styled-components to peerDependencies * chore: add supoort of styled components * chore: downgrade types * chore: update snapshots * chore: update cypress to 12.17.1 * chore: upgrade openapi-core to 1.0.0-rc.2 * chore: upgrade packages for fixing vulnerabilities * docs: Remove Redoc CLI and a non-existent config option * chore: v2.1.0 (Redocly#2382) * fix: hotfix, crash after 2.1 release * chore: v2.1.1 * chore: add tests for cover field default crash (Redocly#2389) * fix: react18 cli integration (Redocly#2404) * fix: react18 cli integration * fix: update unit tests snapshots * chore(deps): bump @cypress/request and cypress (Redocly#2410) Bumps [@cypress/request](https://github.com/cypress-io/request) to 3.0.1 and updates ancestor dependency [cypress](https://github.com/cypress-io/cypress). These dependencies need to be updated together. Updates `@cypress/request` from 2.88.11 to 3.0.1 - [Release notes](https://github.com/cypress-io/request/releases) - [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md) - [Commits](cypress-io/request@v2.88.11...v3.0.1) Updates `cypress` from 12.17.1 to 13.1.0 - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](cypress-io/cypress@v12.17.1...v13.1.0) --- updated-dependencies: - dependency-name: "@cypress/request" dependency-type: indirect - dependency-name: cypress dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: style RefreshToken URL as <code> in the authorization section Co-authored-by: szaszeke <Szabolcs.Szekely@t-systems.com> * chore: v2.1.2 (Redocly#2413) * fix: more cases for react18 and cli integration (Redocly#2416) * Config docs and README refresh (Redocly#2393) * docs: Give Redoc a landing page with overview and tldr instructions * docs: move config to dedicated page * docs: modernise README, link to resources * docs: more detailed format for theme configurations * fix: README formatting * fix: Fix future tense errors and add exceptions for config fields as headings * Apply suggestions from code review Co-authored-by: Heather Cloward <heathercloward@gmail.com> * docs: minor updates from excellent pull request feedback * docs: Remove the old quickstart, update HTML as the preferred onboarding method and improve docs/examples on that page * Apply suggestions from code review Co-authored-by: Heather Cloward <heathercloward@gmail.com> --------- Co-authored-by: Heather Cloward <heathercloward@gmail.com> * sync: Synced local 'docs/' with remote 'docs/redoc/' * sync: Synced local 'docs/' with remote 'docs/redoc/' * sync: Synced local 'docs/' with remote 'docs/redoc/' * sync: Synced local 'docs/' with remote 'docs/redoc/' * sync: Synced local 'docs/' with remote 'docs/redoc/' * chore(deps-dev): bump postcss from 8.4.27 to 8.4.31 (Redocly#2427) Bumps [postcss](https://github.com/postcss/postcss) from 8.4.27 to 8.4.31. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.27...8.4.31) --- updated-dependencies: - dependency-name: postcss dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * sync: Synced local 'docs/' with remote 'docs/redoc/' * fix: default value as object in request body (Redocly#2437) * fix: hideRequestPayloadSample (Redocly#2436) * fix: display string pattern in array items (Redocly#2438) * chore: v2.1.3 (Redocly#2439) * sync: Synced local 'docs/' with remote 'docs/redoc/' * docs: fix admonition on config page (Redocly#2452) * Update README.md (Redocly#2422) Fix link to deployment options * docs: Remove references to interactive docs in the open source project (Redocly#2460) * docs: Remove references to interactive docs in the open source project * Update README.md Co-authored-by: Adam Altman <adam@redoc.ly> --------- Co-authored-by: Adam Altman <adam@redoc.ly> * Add Quaderno API to README's Showcase section (Redocly#2468) * chore: Update directory structure for Vale v3 (Redocly#2477) * chore: Update directory structure for Vale v3 * chore: update Vale folder name * docs: Add docs tooling to align with publishing to main site (Redocly#2484) * docs: add markdownlint and some link checks alongside vale * docs: add link checker config and fix/update some links reported broken * docs: update markdownlint action * docs: fix markdown table formatting * docs: Unpin Vale version and pick up the latest * docs: Fix a link that couldn't be checked as it reaches outside the Redoc project (Redocly#2490) * docs: Update API examples list to include Museum API (Redocly#2506) * feat: Update API examples list to include Museum API * updates museum.yaml with logo and replaces petstore with museum api in playground for local dev and some minor edits to redoc name * docs: update definition --------- Co-authored-by: Heather Cloward <heathercloward@gmail.com> Co-authored-by: Alex Varchuk <olexandr.varchuk@gmail.com> * chore: fix vulnerabilities and upgrade deps (Redocly#2445) * chore: fix vulnerabilities and upgrade deps * chore: use old version of cypress * fix: additional vulnerabilities * chore: add check-version to publish script (Redocly#2446) * fix: publish script (Redocly#2524) * chore: upgrade openapi-sampler (Redocly#2525) * chore: upgrade cypress to fix e2e tests and update-browserslist-db (Redocly#2529) * fix: use h2/h3 for headings instead of h1/h2 for better seo (Redocly#2514) * fix: use h2/h3 for headings instead of h1/h2 for better seo * fix: fixed e2e tests for changed headings --------- Co-authored-by: Max Krumpe <max.krumpe@uniserv.com> * fix: add deprecated css to clickable property name (Redocly#2526) Co-authored-by: Kerem Nalbant <k.nalbant@epilot.cloud> * chore: v2.1.4 (Redocly#2530) * chore: fix docker publish action (Redocly#2531) * docs: Remove outdated sync job for docs folder (Redocly#2465) * chore: move jest-environment-jsdom to dev dependencies (Redocly#2543) * fix: update react to 18 and react-tabs to 6 (Redocly#2547) * chore: v2.1.5 (Redocly#2550) * chore: upgrade vulnerable dev dependencies * chore: remove heavy bundlesize dev dependency * docs: update broken link of Openapi Object (Redocly#2577) * fix: show siblings schema with oneOf (Redocly#2576) * docs: fix http-server example from in-page feedback (Redocly#2580) * chore: upgrade node version for docker (Redocly#2589) * docs: Remove the old zero-dependency claim for Redoc docs (Redocly#2590) * chore: Remove the sync job, we don't use it any more (Redocly#2591) * chore(deps): bump body-parser and express (Redocly#2603) Bumps [body-parser](https://github.com/expressjs/body-parser) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `body-parser` from 1.20.2 to 1.20.3 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.3) Updates `express` from 4.19.2 to 4.21.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.1/History.md) - [Commits](expressjs/express@4.19.2...4.21.1) --- updated-dependencies: - dependency-name: body-parser dependency-type: indirect - dependency-name: express dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump dompurify from 3.0.6 to 3.1.3 (Redocly#2602) Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.0.6 to 3.1.3. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.0.6...3.1.3) --- updated-dependencies: - dependency-name: dompurify dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add support x-badges (Redocly#2605) * feat: add support x-badges Co-authored-by: Max Mueller <maxmueller@eaton.com> * chore: try to fix e2e tests * chore: try to fix e2e tests part 2 * Update docs/redoc-vendor-extensions.md --------- Co-authored-by: Max Mueller <maxmueller@eaton.com> Co-authored-by: Jacek Łękawa <164185257+JLekawa@users.noreply.github.com> * chore: v2.2.0 (Redocly#2606) * fix: docker build (Redocly#2607) * docs(all): change admonition type to 'info' (Redocly#2608) * chore: updated webpack version to 5.94.0 (Redocly#2583) * feat: update pattern styling (Redocly#2196) (Redocly#2600) Closes Redocly#2196 * chore: npm audit for previnting feature vulnerabilities (Redocly#2612) * formatting * readme formatting * operations * types * utils * badges in spec * update package lock * snapshots * wf updates * spec * snapshot * search tests * fix e2e tests * update styled-components * dont update --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: redocly-bot <null> Co-authored-by: Alex Varchuk <olexandr.varchuk@gmail.com> Co-authored-by: Ricardo Graça <33238205+Ricagraca@users.noreply.github.com> Co-authored-by: Ricagraca <ricardo.graca@freiheit.com> Co-authored-by: Heather Cloward <heathercloward@gmail.com> Co-authored-by: Oprysk Viacheslav <vyacheslav@redocly.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Roman Pidkostelnyi <63608794+RomanPidkostelnyi@users.noreply.github.com> Co-authored-by: Adam Altman <adam@redoc.ly> Co-authored-by: Lorna Jane Mitchell <github@lornajane.net> Co-authored-by: Lorna Mitchell <lorna.mitchell@redocly.com> Co-authored-by: Roman Hotsiy <gotsijroman@gmail.com> Co-authored-by: ckszabi <ckszabi@gmail.com> Co-authored-by: szaszeke <Szabolcs.Szekely@t-systems.com> Co-authored-by: Andrew Tatomyr <andrew.tatomyr@redocly.com> Co-authored-by: Alexei Maridashvili <alexei.maridashvili@gmail.com> Co-authored-by: Javi Rubio <javier.rubio.rubio@gmail.com> Co-authored-by: Max Krumpe <42165374+maxkrumpe@users.noreply.github.com> Co-authored-by: Max Krumpe <max.krumpe@uniserv.com> Co-authored-by: Kerem Nalbant <43813768+keremnalbant@users.noreply.github.com> Co-authored-by: Kerem Nalbant <k.nalbant@epilot.cloud> Co-authored-by: Max Mueller <maxmueller@eaton.com> Co-authored-by: Jacek Łękawa <164185257+JLekawa@users.noreply.github.com> Co-authored-by: Taylor Krusen <taylor.krusen@redocly.com> Co-authored-by: Dxuian <92696836+Dxuian@users.noreply.github.com> Co-authored-by: Michael Huynh <43751307+miqh@users.noreply.github.com>

dependabot bot requested a review from a team as a code owner October 15, 2024 11:56

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Oct 15, 2024

AlexVarchuk approved these changes Oct 15, 2024

View reviewed changes

ohorbachevskyi force-pushed the dependabot/npm_and_yarn/dompurify-3.1.3 branch from d99101b to b05f58f Compare October 15, 2024 15:16

ohorbachevskyi merged commit 1cceed4 into main Oct 15, 2024
6 checks passed

ohorbachevskyi deleted the dependabot/npm_and_yarn/dompurify-3.1.3 branch October 15, 2024 15:24

AlexVarchuk mentioned this pull request Oct 16, 2024

Upgrade DOMPurify to latest (2.5.4) #2595

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump dompurify from 3.0.6 to 3.1.3 #2602

chore(deps): bump dompurify from 3.0.6 to 3.1.3 #2602

dependabot bot commented on behalf of github Oct 15, 2024

chore(deps): bump dompurify from 3.0.6 to 3.1.3 #2602

chore(deps): bump dompurify from 3.0.6 to 3.1.3 #2602

Conversation

dependabot bot commented on behalf of github Oct 15, 2024

DOMPurify 3.1.3

DOMPurify 3.1.2

DOMPurify 3.1.1

DOMPurify 3.1.0

DOMPurify 3.0.11

DOMPurify 3.0.10

DOMPurify 3.0.9

DOMPurify 3.0.8

DOMPurify 3.0.7