[Snyk] Upgrade dompurify from 2.3.8 to 2.4.9

[Eiromplays]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade dompurify from 2.3.8 to 2.4.9.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 14 versions ahead of your current version.
• The recommended version was released 25 days ago, on 2024-03-21.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	572/1000 Why? Proof of Concept exploit, CVSS 9.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: dompurify

• 2.4.9 - 2024-03-21
  
  • Fixed another conditional bypass caused by Processing Instructions, thanks @ Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @ AlekseySolovey3T
• 2.4.8 - 2024-03-19
  
  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @ Slonser
• 2.4.7 - 2023-07-11
• 2.4.6 - 2023-07-10
• 2.4.5 - 2023-03-01
• 2.4.4 - 2023-02-13
• 2.4.3 - 2023-01-06
• 2.4.2 - 2023-01-05
• 2.4.1 - 2022-11-10
• 2.4.0 - 2022-08-24
• 2.3.12 - 2022-08-23
• 2.3.11 - 2022-08-23
• 2.3.10 - 2022-07-18
• 2.3.9 - 2022-07-11
• 2.3.8 - 2022-05-13

from dompurify GitHub release notes

Commit messages

Package name: dompurify

• 79cfb37 chore: Preparing 2.4.9 release
• 0940755 fix: Merged relevant changes from main for 2.4.9
• 416ba67 chore: Preparing 2.4.8 release
• 4035e3a chore: Preparing 2.4.8. release
• f0e75b0 fix: cherry-picked fixes for XML & CE bypass
• ef731c0 chore: Preparing 2.4.7. release
• 5b7dff9 chore: Preparing 2.4.6 release
• a01c083 Fix: addressed a bypass on jsdom 22 when noframes tag is allowed
• f464d95 chore: preparing 2.4.5 release
• fa4e8ee chore: preparing 2.4.4 release
• f5c25ac see #767
• 08e9fab test: Added 2.x tag to 2.x branch actions
• 5f766bc See #761
• 90326ef Merge pull request #750 from cure53/dependabot/npm_and_yarn/json5-1.0.2
• fade506 chore: Prepare 2.4.3, final feature release compatible w. MSIE10/11
• 3afe389 build(deps): bump json5 from 1.0.1 to 1.0.2
• f1e180f fix: merged from latest main
• 7707778 Update README.md
• 5267b04 chore: Preparing 2.4.2 release
• d1dd037 fix: Fixed a prototype pollution bug reported by @ kevin_mizu
• 24d2a7f Merge pull request #748 from tosmolka/tosmolka/747
• 7de86a0 Fix formatting
• 191cc00 Fix Trusted Types Sink violation with empty input and NAMESPACE
• 4945074 Merge pull request #745 from cure53/dependabot/npm_and_yarn/qs-and-body-parser-6.11.0

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs