Bump dompurify and jspdf

[dependabot]

Bumps dompurify to 3.3.1 and updates ancestor dependency jspdf. These dependencies need to be updated together.

Updates dompurify from 2.5.8 to 3.3.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

... (truncated)

Commits

• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• 4c76b6f Use correct ESM import syntax (#1173)
• 27e8496 Merge pull request #1168 from MariusRumpf/add-forbid-contents
• a920096 Add ADD_FORBID_CONTENTS setting to extend default list
• ac64660 Merge pull request #1163 from cure53/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Updates jspdf from 2.5.1 to 4.1.0

Release notes

Sourced from jspdf's releases.

v4.1.0

This release fixes several security issues.

What's Changed

• Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948
• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability
• Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability
• Fix Shared State Race Condition in addJS Method vulnerability
• Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.28.3 to 7.28.4 by @​MrRio in parallax/jsPDF#3895
• fix: cell function now properly accepts align parameter by @​vishal-rathod-07 in parallax/jsPDF#3896
• Remove duplicated function "ga" from WebPDecoder.js by @​jvdp in parallax/jsPDF#3902
• Fix font state management issue #3890 by @​srikanth-s2003 in parallax/jsPDF#3891
• Fix pages property to always return current array reference ( #3898 ) by @​Opineppes in parallax/jsPDF#3899
• Fix jsPDF + Vite compatibility issue #3851 by @​tishajain25 in parallax/jsPDF#3903
• Do not add pages dynamically unless autoPaging is enabled by @​anmiles in parallax/jsPDF#3915
• Fix: Context2d font regex too restrictive ( #3904 ) by @​Opineppes in parallax/jsPDF#3906
• Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @​Maito1794 in parallax/jsPDF#3816

New Contributors

• @​survivant made their first contribution in parallax/jsPDF#3897
• @​vishal-rathod-07 made their first contribution in parallax/jsPDF#3896
• @​jvdp made their first contribution in parallax/jsPDF#3902
• @​srikanth-s2003 made their first contribution in parallax/jsPDF#3891
• @​Opineppes made their first contribution in parallax/jsPDF#3899
• @​tishajain25 made their first contribution in parallax/jsPDF#3903
• @​anmiles made their first contribution in parallax/jsPDF#3915
• @​josephyi made their first contribution in parallax/jsPDF#3907
• @​Maito1794 made their first contribution in parallax/jsPDF#3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @​alxndr-pggm in parallax/jsPDF#3879
• fix scaling of form object bounding boxes by @​HackbrettXXX in parallax/jsPDF#3888

... (truncated)

Commits

• 0227381 4.1.0
• ae4b93f Merge commit from fork
• 2863e5c Merge commit from fork
• efe54bf Merge commit from fork
• da291a5 Merge commit from fork
• 685e41e Bump @​koa/cors and local-web-server (#3951)
• 8cc22a5 Bump tmp, inquirer and karma (#3945)
• 008b276 Bump sha.js from 2.4.11 to 2.4.12 (#3946)
• ff66d52 Bump vite from 5.4.20 to 5.4.21 in /examples/vite (#3949)
• bcf79f2 Bump cipher-base from 1.0.4 to 1.0.7 (#3942)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.