Bump dompurify and ngx-markdown in /report/report-ng

[dependabot]

Bumps dompurify to 3.3.2 and updates ancestor dependency ngx-markdown. These dependencies need to be updated together.

Updates dompurify from 3.1.4 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot

... (truncated)

Commits

• 5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
• e8c95f4 fix: Fixed the broken package-lock.json
• 9636037 Update package-lock.json
• 5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• Additional commits viewable in compare view

Updates ngx-markdown from 14.0.1 to 21.1.0

Release notes

Sourced from ngx-markdown's releases.

v21.1.0

New features and enhancements

• Add support for emoji-toolkit 10.0.0, Unicode 16.0 (#619) (140336f7b257d009067ec8b3bfa7c3b11c1e6ce1) @​jfcere

Security fixes

• Bump lodash from 4.17.21 to 4.17.23 (#615) (0e150990bac39ce0287eaf5d2464e5c2f9af7056) @​dependabot[bot]
• Bump tar from 7.5.2 to 7.5.3 (#612) (37b852cea3b39d8b5471ce420be8ef39ae709026) @​dependabot[bot]
• Bump tar from 7.5.3 to 7.5.7 (#617) (a31ebbbc7f83ac359787c305e3c33cd1f8bd264b) @​dependabot[bot]
• chore: update angular-cli-ghpages to 3.0.2 (#620) (508c7f8c7f248ee46dbd8fd2ed6672a762187a08) @​jfcere

v21.0.1

Bug Fixes

• Add support for zone.js 0.16.0 (#609) @​fpaul-1A

Special Thanks

🥇 Thanks to @​fpaul-1A for his first contribution in (#609)

v21.0.0

Update Angular 21

Library has been updated to support Angular 21.

It is recommended to stick with ngx-markdown v20.x.x if you are using Angular 20.

New features and enhancements

• Update to Angular 21
• Update Marked dependency to 17.0.0
• Remove direct use of SecurityContext | SanitizeFunction type for MarkdownModuleConfig.sanitize parameter

⚠ Breaking changes

• Marked dependency has been updated to 17.0.0 and requires updating your project
• The configuration property MarkdownModuleConfig.sanitize no longer accepts a parameter of type SecurityContext | SanitizeFunction but requires the use of SANITIZE injection token instead (see sanitization for instruction)

☝ Please note that Zone.js is still needed for now and will be removed in a future version.

Commits

• feat!: update to angular 21 (#603) (3009e57) @​jfcere
• refactor!: Remove MarkdownModuleConfig.sanitize deprecated type (#604) (5f0a695) @​jfcere
• feat!: update marked dependency to 17 (#605) (05595e4) @​jfcere

v20.1.0

New features and enhancements

• Add support for marked v16.0.0 (#596) (cb371880810fcb651fae7f47de65426da8c10a27) @​U239087, @​jfcere
• Add support for custom sanitizer function (#597) (256a96db00ebe34e218f3ee62ebc1ecf2b2f9068) @​jfcere

... (truncated)

Commits

• 8b20c07 21.1.0
• 508c7f8 chore: update angular-cli-ghpages to 3.0.2 (#620)
• 140336f chore: add support for emoji-toolkit 10.0.0 (#619)
• a31ebbb Bump tar from 7.5.3 to 7.5.7 (#617)
• 0e15099 Bump lodash from 4.17.21 to 4.17.23 (#615)
• 37b852c Bump tar from 7.5.2 to 7.5.3 (#612)
• 95ae8f2 21.0.1
• d89e94c Bump @​modelcontextprotocol/sdk and @​angular/cli (#610)
• 6a0d3c0 fix: support for zone.js 0.16.0 (#609)
• c5a9426 Bump express from 5.1.0 to 5.2.1 (#607)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.