[Snyk] Upgrade dompurify from 2.4.5 to 2.5.2

[stanleyowen]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade dompurify from 2.4.5 to 2.5.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 7 versions ahead of your current version.

• The recommended version was released 22 days ago, on 2024-04-30.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	432/1000 Why? Proof of Concept exploit, CVSS 6.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ADOBECSSTOOLS-6096077	432/1000 Why? Proof of Concept exploit, CVSS 6.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ADOBECSSTOOLS-5871286	432/1000 Why? Proof of Concept exploit, CVSS 6.5	No Known Exploit
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Template Injection SNYK-JS-DOMPURIFY-6474511	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept
	Improper Control of Dynamically-Managed Code Resources SNYK-JS-EJS-6689533	432/1000 Why? Proof of Concept exploit, CVSS 6.5	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	432/1000 Why? Proof of Concept exploit, CVSS 6.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: dompurify

• 2.5.2 - 2024-04-30
  
  • Addressed and fixed a mXSS variation found by @ kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions
• 2.5.1 - 2024-04-26
  
  • Fixed an mXSS sanitizer bypass reported by @ icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

  Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

• 2.5.0 - 2024-04-07
  
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies
• 2.4.9 - 2024-03-21
• 2.4.8 - 2024-03-19
• 2.4.7 - 2023-07-11
• 2.4.6 - 2023-07-10
• 2.4.5 - 2023-03-01

from dompurify GitHub release notes

Commit messages

Package name: dompurify

• d299fcc chore: Preparing 2.5.2 release
• fc9f702 chore: Migrated relevant changes from main over to 2.x
• f275c0b chore: Preparing 2.5.1 release
• 381bc61 test: Fixed the tests for new MAX_NESTING_DEPTH limit
• 8589191 fix: Started to set new MAX_NESTING_DEPTH limits as well
• 2076d1b test: Fixed a linter issue breaking the tests
• 0ef5e53 chore: Updated 2.x branch with relevant fixes for nesting-based mXSS
• 7f6cf8a chore: Updated some packages
• 6f9902d docs: Updated year in LICENSE file for 2.x as well
• 2dcadf0 chore: Preparing 2.5.0 release
• 28381af feature: Added SAFE_FOR_XML flag and code to 2.x branch
• 79cfb37 chore: Preparing 2.4.9 release
• 0940755 fix: Merged relevant changes from main for 2.4.9
• 416ba67 chore: Preparing 2.4.8 release
• 4035e3a chore: Preparing 2.4.8. release
• f0e75b0 fix: cherry-picked fixes for XML & CE bypass
• ef731c0 chore: Preparing 2.4.7. release
• 5b7dff9 chore: Preparing 2.4.6 release
• a01c083 Fix: addressed a bypass on jsdom 22 when noframes tag is allowed

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Note: This is a default PR template raised by Snyk. Find out more about how you can customise Snyk PRs in our documentation.

[netlify]

✅ Deploy Preview for otlio ready!

Name	Link
🔨 Latest commit	0b197e7
🔍 Latest deploy log	https://app.netlify.com/sites/otlio/deploys/664dbfb502840900088a9f84
😎 Deploy Preview	https://deploy-preview-441--otlio.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 66 (🔴 down 1 from production) Accessibility: 97 (🟢 up 3 from production) Best Practices: 92 (🟢 up 9 from production) SEO: 97 (no change from production) PWA: 70 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.