[Snyk] Security upgrade dompurify from 3.3.0 to 3.3.2#256
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DOMPURIFY-15371376
|
This is a patch upgrade that includes security fixes and bug corrections. Highlights:
Potential Impact: Recommendation: Source: GitHub Releases
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Pull request overview
Upgrades the dompurify dependency to address a reported XSS vulnerability in the webchat widget’s npm dependency tree.
Changes:
- Bump
dompurifyfrom3.3.0to3.3.2inpackage.json. - Update
package-lock.jsonto resolvedompurify@3.3.2and refresh its metadata.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Pins dompurify to 3.3.2 to remediate the Snyk-reported vulnerability. |
| package-lock.json | Updates the lock to dompurify@3.3.2 (but currently has a root spec mismatch vs package.json). |
Lockfile refresh (no package.json change, resolved via existing caret ranges): - @emotion/react 11.14.0, @emotion/styled 11.14.1 - @reduxjs/toolkit 2.2.7 → 2.11.2 - moment 2.30.1, react-hot-toast 2.4.1 → 2.6.0 - react-markdown 9.0.3 → 9.1.0, react-remove-scroll 2.7.2 - remark-gfm 4.0.1, @braintree/sanitize-url 6.0.4 - redux 4.2.1 Pin bumps (patch/minor, same major): - @emotion/serialize 1.3.0 → 1.3.3 - dompurify 3.3.2 → 3.4.0 (supersedes snyk PRs #272, #261, #259, #256, #241, #233) - react-redux 7.2.8 → 7.2.9 (supersedes snyk PRs #242, #234, #36) Socket-client pinned at 5.0.0-beta.26 (current beta; latest tag is 4.9.2). Major bumps deferred: @emotion/cache 10→11, react-redux →9, redux →5, react-responsive →10, react-markdown →10, uuid →13, stylis →4, @braintree/sanitize-url →7. Build passes (UMD + ESM). tsc:check error count unchanged (75, pre-existing).
Lockfile refresh (no package.json change, resolved via existing caret ranges): - @emotion/react 11.14.0, @emotion/styled 11.14.1 - @reduxjs/toolkit 2.2.7 → 2.11.2 - moment 2.30.1, react-hot-toast 2.4.1 → 2.6.0 - react-markdown 9.0.3 → 9.1.0, react-remove-scroll 2.7.2 - remark-gfm 4.0.1, @braintree/sanitize-url 6.0.4 - redux 4.2.1 Pin bumps (patch/minor, same major): - @emotion/serialize 1.3.0 → 1.3.3 - dompurify 3.3.2 → 3.4.0 (supersedes snyk PRs #272, #261, #259, #256, #241, #233) - react-redux 7.2.8 → 7.2.9 (supersedes snyk PRs #242, #234, #36) Socket-client pinned at 5.0.0-beta.26 (current beta; latest tag is 4.9.2). Major bumps deferred: @emotion/cache 10→11, react-redux →9, redux →5, react-responsive →10, react-markdown →10, uuid →13, stylis →4, @braintree/sanitize-url →7. Build passes (UMD + ESM). tsc:check error count unchanged (75, pre-existing).
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonpackage-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-DOMPURIFY-15371376
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Cross-site Scripting (XSS)