Update dependency dompurify to v2.5.9 #494

Open

renovate[bot] wants to merge 1 commit into master from renovate/dompurify-2.x
Conversation

renovate Bot commented Sep 15, 2021

This PR contains the following updates:

Package     Change
dompurify   2.3.1 → 2.5.9

Release Notes

cure53/DOMPurify (dompurify)

v2.5.9: DOMPurify 2.5.9

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing

v2.5.8: DOMPurify 2.5.8

v2.5.7: DOMPurify 2.5.7

  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @masatokinugawa
  • Removed the foreignObject element from the list of HTML entry-points, thanks @masatokinugawa

v2.5.6: DOMPurify 2.5.6

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @kevin-mizu
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Updated several development dependencies

v2.5.5: DOMPurify 2.5.5

  • Fixed a minor issue with the dist paths in bower.js, thanks @HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @kakao-bishop-cho

v2.5.4: DOMPurify 2.5.4

  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @tulach
  • Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

  • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
  • Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

  • Addressed and fixed a mXSS variation found by @kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

  • Fixed an mXSS sanitizer bypass reported by @icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

  • Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser

v2.4.7: DOMPurify 2.4.7

v2.4.6: DOMPurify 2.4.6

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @leeN

v2.4.5: DOMPurify 2.4.5

  • Fixed a problem with improper reset of custom HTML options, thanks @ammaraskar

v2.4.4: DOMPurify 2.4.4

v2.4.3: DOMPurify 2.4.3

  • Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

  • Fixed a Trusted Types sink violation with empty input and NAMESPACE, thanks @tosmolka
  • Fixed a Prototype Pollution issue discovered and reported by @kevin-mizu

v2.4.1: DOMPurify 2.4.1

v2.4.0: DOMPurify 2.4.0

  • Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

v2.3.11: DOMPurify 2.3.11

  • Added generated type definitions for better compatibility
  • Added SANITIZE_NAMED_PROPS config option, thanks @SoheilKhodayari
  • Updated README and config documentation, thanks @0xedward
  • Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

  • Added support for sanitization of attributes requiring Trusted Types, thanks @tosmolka

v2.3.9: DOMPurify 2.3.9

  • Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @tosmolka
  • Bumped some dependencies, thanks @is2ei
  • Included github-actions in the dependabot config, thanks @nathannaveen

v2.3.8: DOMPurify 2.3.8

  • Cleaned up a minor issue with the 2.3.7 release, thanks @johnbirds

No other changes compared to the 2.3.7 release, which entails:

v2.3.7

v2.3.6: DOMPurify 2.3.6

  • Added an option to allow HTML5 doctypes, thanks @tosmolka
  • Bumped several dependencies, thanks @is2ei
  • Updated documentation to cover recently added flags, thanks @is2ei

v2.3.5: DOMPurify 2.3.5

  • Performed several chores and cleanups, thanks @is2ei
  • Fixed a bug when working with Trusted Types, thanks @tosmolka
  • Fixed a bug with weird behavior on insecure nodes in IN_PLACE mode, thanks @tosmolka
  • Added more SVG attributes to allow-list, thanks @rzhade3

v2.3.4: DOMPurify 2.3.4

  • Added support for Custom Elements, thanks @franktopel
  • Added new config settings to control Custom Element sanitizing, thanks @franktopel
  • Added faster clobber checks, thanks @GrantGryczan
  • Allow-listed SVG feImage elements, thanks @ydaniv
  • Updated test suite
  • Updated supported Node versions
  • Updated README

v2.3.3: DOMPurify 2.3.3

  • Fixed a bug in the handling of PARSER_MEDIA_TYPE spotted by @securitum-mb
  • Adjusted the tests for MSIE to make sure the results are as expected now

v2.3.2: DOMPurify 2.3.2

  • Added new config option PARSER_MEDIA_TYPE, thanks @tosmolka

v2.3.1: DOMPurify 2.3.1

  • Added code to make FORBID_CONTENTS setting configurable
  • Added role to URI-safe attributes
  • Added more paranoid handling for template elements

v2.3.0: DOMPurify 2.3.0

  • Added better handling of document creation on Firefox
  • Added better handling of version numbers in license file
  • Added two new browser versions to test suite config
  • Fixed a bug with handling of custom data attributes

v2.2.9: DOMPurify 2.2.9

  • Fixed some minor issues related to the NAMESPACE config
  • Fixed some minor issues relating to empty input
  • Fixed some minor issues relating to handling of invalid XML

v2.2.8: DOMPurify 2.2.8

  • Added NAMESPACE config option, thanks @NateScarlet
  • Added better fallback for older browsers & PhantomJS, thanks @albanx
  • Extended allow-list for SVG attributes a bit

v2.2.7: DOMPurify 2.2.7

  • Fixed handling of unsupported browsers, i.e. Safari 9 and older
  • Fixed various minor bugs and typos in README and examples
  • Added better handling of potentially harmful "is" attributes
  • Added better handling of lookupGetter functionality

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented Sep 15, 2021

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: search-parts/package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: pnp-modern-search@3.14.2
npm ERR! Found: @types/react@17.0.18
npm ERR! node_modules/@types/react
npm ERR!   dev @types/react@"17.0.18" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @types/react@">=16.8.0 <17.0.0" from @uifabric/file-type-icons@7.6.30
npm ERR! node_modules/@uifabric/file-type-icons
npm ERR!   @uifabric/file-type-icons@"7.6.30" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-04-30T11_53_37_384Z-debug-0.log

renovate Bot force-pushed the renovate/dompurify-2.x branch from 909d750 to caaf24e on September 20, 2021 13:03
renovate Bot changed the title from "Update dependency dompurify to v2.3.2" to "Update dependency dompurify to v2.3.3" on Sep 20, 2021
renovate Bot force-pushed the renovate/dompurify-2.x branch 12 times, most recently from 4a9e708 to 2c09ef3 on October 21, 2021 00:35
renovate Bot force-pushed the renovate/dompurify-2.x branch 2 times, most recently from 3de956a to 9b74af8 on October 26, 2021 04:06
renovate Bot force-pushed the renovate/dompurify-2.x branch 3 times, most recently from 9248251 to 4341f22 on November 8, 2021 22:21
renovate Bot force-pushed the renovate/dompurify-2.x branch 3 times, most recently from 89bcb1b to 53bc041 on November 17, 2021 19:06
renovate Bot force-pushed the renovate/dompurify-2.x branch from 53bc041 to c384f22 on November 18, 2021 23:37
renovate Bot force-pushed the renovate/dompurify-2.x branch 5 times, most recently from 5314469 to 3bdbff8 on December 5, 2021 12:48
renovate Bot force-pushed the renovate/dompurify-2.x branch from 3bdbff8 to db14753 on December 7, 2021 16:28
renovate Bot force-pushed the renovate/dompurify-2.x branch 4 times, most recently from 6d0271f to 52d34b0 on February 5, 2022 14:10
renovate Bot force-pushed the renovate/dompurify-2.x branch 2 times, most recently from 19591c3 to 69178c5 on February 8, 2022 12:55
renovate Bot force-pushed the renovate/dompurify-2.x branch from 69178c5 to 4d23281 on February 16, 2022 09:19
renovate Bot changed the title from "Update dependency dompurify to v2.3.5" to "Update dependency dompurify to v2.3.6" on Feb 16, 2022
renovate Bot force-pushed the renovate/dompurify-2.x branch 4 times, most recently from b636e42 to efa0475 on March 1, 2022 22:13
renovate Bot force-pushed the renovate/dompurify-2.x branch 2 times, most recently from 2f1072b to 51e1048 on March 12, 2022 02:57
renovate Bot force-pushed the renovate/dompurify-2.x branch from 51e1048 to 0f938fa on March 15, 2022 01:11
renovate Bot force-pushed the renovate/dompurify-2.x branch from 0f938fa to faaa3f4 on April 25, 2022 19:20
renovate Bot force-pushed the renovate/dompurify-2.x branch from faaa3f4 to a1d93cb on May 11, 2022 19:01
renovate Bot changed the title from "Update dependency dompurify to v2.3.6" to "Update dependency dompurify to v2.3.7" on May 11, 2022
renovate Bot force-pushed the renovate/dompurify-2.x branch from a1d93cb to 642b8c7 on May 13, 2022 14:57
github-actions Bot left a comment

Scan Summary

Tool                               Critical  High  Medium  Low
Dependency Scan (nodejs)           12        39    33      5
Secrets Audit                      0         1     0       0
Security Audit for Infrastructure  0         0     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                               Critical  High  Medium  Low
Dependency Scan (nodejs)           15        41    33      5
Secrets Audit                      0         1     0       0
Security Audit for Infrastructure  0         0     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   13        30    26      1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   13        30    29      1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   15        32    28      1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   15        33    28      1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

renovate Bot commented May 11, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: search-parts/package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: pnp-modern-search@3.14.2
npm ERR! Found: @types/react@17.0.18
npm ERR! node_modules/@types/react
npm ERR!   dev @types/react@"17.0.18" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @types/react@">=16.8.0 <17.0.0" from @uifabric/file-type-icons@7.6.30
npm ERR! node_modules/@uifabric/file-type-icons
npm ERR!   @uifabric/file-type-icons@"7.6.30" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-04-29T14_07_16_293Z-debug-0.log

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   15        33    30      1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   1         0     0       0
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

github-actions Bot left a comment

Scan Summary

Tool                          Critical  High  Medium  Low
Dependency Scan (universal)   1         0     1       1
Secrets Audit                 0         1     0       0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍