Skip to content

fix(security): bump dompurify to patch XSS and prototype pollution issues#622

Open
hitesh-shetty-cstk wants to merge 1 commit into
mainfrom
fix/dompurify-xss-prototype-pollution
Open

fix(security): bump dompurify to patch XSS and prototype pollution issues#622
hitesh-shetty-cstk wants to merge 1 commit into
mainfrom
fix/dompurify-xss-prototype-pollution

Conversation

@hitesh-shetty-cstk

Copy link
Copy Markdown
Contributor

What was the vulnerability

Our pinned dompurify version (^3.4.1) is affected by several sanitization-bypass (XSS) and prototype-pollution advisories fixed in later 3.4.x patch releases (e.g. a sanitization bypass fixed in 3.4.5, and follow-up hardening in subsequent patches). dompurify is used throughout the SDK to sanitize HTML before rendering, so a bypass in the sanitizer undermines that protection.

What the fix does

Bumps the dompurify dependency from ^3.4.1 to ^3.4.12 (the latest 3.4.x release) in package.json and regenerates the corresponding lockfile entry. No code changes were needed — this is a drop-in patch-level upgrade within the same major version.

How it was verified

  • Confirmed 3.4.12 is the latest published 3.4.x release on the npm registry.
  • Confirmed the version bump is contained to the dompurify entries in package.json / package-lock.json with no other lockfile drift.
  • No new dependency was introduced; dompurify was already a direct dependency.

🤖 Generated with Claude Code


Generated by Claude Code

…sues

Upgrades dompurify from 3.4.1 to 3.4.12 to pick up upstream sanitization
bypass and prototype pollution fixes released in the 3.4.x line.

Co-Authored-By: Claude <noreply@anthropic.com>
@hitesh-shetty-cstk
hitesh-shetty-cstk requested review from a team as code owners July 17, 2026 09:17
@github-actions

Copy link
Copy Markdown

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type Count (with fixes) Without fixes Threshold Result
🔴 Critical Severity 0 0 10 ✅ Passed
🟠 High Severity 0 0 25 ✅ Passed
🟡 Medium Severity 0 0 500 ✅ Passed
🔵 Low Severity 0 0 1000 ✅ Passed

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

Severity Breaches (with fixes) Breaches (no fixes) SLA Threshold (with/no fixes) Status
🔴 Critical 0 0 15 / 30 days ✅ Passed
🟠 High 0 0 30 / 120 days ✅ Passed
🟡 Medium 0 0 90 / 365 days ✅ Passed
🔵 Low 0 0 180 / 365 days ✅ Passed

✅ BUILD PASSED - All security checks passed

@github-actions

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 67.11% 2508 / 3737
🔵 Statements 65.99% 2548 / 3861
🔵 Functions 64.51% 449 / 696
🔵 Branches 61.4% 1513 / 2464
File CoverageNo changed files found.
Generated in workflow #860 for commit c42e58f by the Vitest Coverage Report Action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants