
dep: set dompurify minimum to 3.4.11 in package.json#1324

Open
jacobjuul wants to merge 1 commit into
basecamp:mainfrom
jacobjuul:fix-dompurify-minimum-version
Open

dep: set dompurify minimum to 3.4.11 in package.json#1324
jacobjuul wants to merge 1 commit into
basecamp:mainfrom
jacobjuul:fix-dompurify-minimum-version

Conversation

@jacobjuul


The previous release (v2.1.19) only updated dompurify in the lockfile, leaving package.json at ^3.2.5. Consumers resolving from the registry can still end up with a vulnerable version since npm/yarn/pnpm will resolve anything satisfying that range.

This bumps the declared minimum to ^3.4.11 so the registry-advertised constraint excludes vulnerable versions.

Note: Dependabot has an open branch (dependabot/npm_and_yarn/dompurify-3.4.11) with the same intent but it only updates the lockfile, not package.json.

Previously only the lockfile was updated, leaving package.json at ^3.2.5.
Consumers resolving from the registry would still get a vulnerable version.
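The mechanism the description relies on, as an added example that is not part of this PR or the project's code: registry consumers resolve against the range declared in package.json, not against the maintainer's lockfile, so the check below reports any dependency whose declared range still has a floor below a known fixed version. The function names (rangeFloor, rangeAdmitsBelow, auditFloors) and the package.json fragments are constructed for illustration.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a caret (^), tilde (~), exact or ">=" range accepts: in all
// four shapes the written version is the floor. Any other shape (wildcards,
// "||", "<" bounds) returns null so the audit fails closed instead of guessing.
function rangeFloor(range) {
  const m = /^(\^|~|>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[2]) : null;
}

// True when the declared range can still resolve to a version older than `fixed`.
function rangeAdmitsBelow(range, fixed) {
  const floor = rangeFloor(range);
  if (floor === null) return true; // unknown shape: not proven safe
  return compareVersions(floor, parseVersion(fixed)) < 0;
}

// Audit a parsed package.json against a map of package -> minimum fixed version.
// Returns the dependencies whose declared range still needs a bump.
function auditFloors(pkg, fixedVersions) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
  return Object.entries(fixedVersions)
    .filter(([name, fixed]) => name in deps && rangeAdmitsBelow(deps[name], fixed))
    .map(([name, fixed]) => ({ name, declared: deps[name], fixed }));
}

// Constructed package.json fragments mirroring the before/after state of this PR.
const before = { dependencies: { dompurify: "^3.2.5" } };
const after = { dependencies: { dompurify: "^3.4.11" } };
const FIXED = { dompurify: "3.4.11" }; // minimum the PR declares as the fixed floor

console.log(auditFloors(before, FIXED)); // [{ name: 'dompurify', declared: '^3.2.5', fixed: '3.4.11' }]
console.log(auditFloors(after, FIXED));  // []
```

Note that a lockfile pinning 3.4.11 does not change the result for `before`: the lockfile only affects the project's own install, which is exactly the gap the description points out.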
Copilot AI review requested due to automatic review settings June 25, 2026 08:54

Copilot AI left a comment


Pull request overview

This PR strengthens the security posture of the npm package by ensuring the published package.json dependency range for dompurify has a minimum of 3.4.11, preventing registry consumers from resolving older (potentially vulnerable) 3.x versions that still satisfied the prior ^3.2.5 range.

Changes:

  • Bump the declared dompurify dependency in package.json from ^3.2.5 to ^3.4.11.
  • Update yarn.lock to resolve dompurify to 3.4.11 under the new range.


Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File          Description
package.json  Raises the registry-advertised minimum dompurify version to ^3.4.11.
yarn.lock     Updates the locked dompurify resolution to 3.4.11 to match the new dependency range.


2 participants