build(deps): bump dompurify from 3.2.5 to 3.3.1 in /catalog

[dependabot]

Bumps dompurify from 3.2.5 to 3.3.1.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

Commits

• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• 4c76b6f Use correct ESM import syntax (#1173)
• 27e8496 Merge pull request #1168 from MariusRumpf/add-forbid-contents
• a920096 Add ADD_FORBID_CONTENTS setting to extend default list
• ac64660 Merge pull request #1163 from cure53/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps dompurify from 3.2.5 to 3.3.1 in the /catalog package, bringing several security and feature improvements across the intermediate releases.

Key highlights from the intermediate releases:

• 3.2.6: Hardened config against prototype pollution, improved attribute removal handling, added more aggressive mXSS scrubbing behavior, and removed the script associated with CVE-2025-48050.
• 3.2.7: Improved handling of potentially risky content inside CDATA elements, improved regex for raw-text elements (including textareas), and better animated href attribute checking.
• 3.3.0: Fixed a slot element duplication between SVG and HTML allow-lists, added support for functions in ADD_ATTR / ADD_TAGS.
• 3.3.1: Corrected ADD_FORBID_CONTENTS to extend the default list (rather than replace it) and fixed ESM import syntax.

Both catalog/package.json and catalog/package-lock.json are updated consistently (version, resolved URL, and integrity hash). No issues were identified with this dependency bump.

Confidence Score: 5/5

• This PR is safe to merge — it is a routine dependency bump with security fixes and no breaking changes.
• The change is limited to version and integrity hash updates for dompurify in package.json and package-lock.json. The update is within the same major version (3.x), the lock file is internally consistent, and the intermediate releases contain security hardening improvements (including a CVE fix) with no reported breaking changes.
• No files require special attention.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[catalog/package.json\ndompurify ^3.2.5] -->|Dependabot bump| B[catalog/package.json\ndompurify ^3.3.1]
    B --> C[catalog/package-lock.json\nResolved: dompurify-3.3.1.tgz\nNew integrity hash]
    C --> D{Security & Feature Improvements}
    D --> E[3.2.6: CVE-2025-48050 fix\nPrototype pollution hardening\nmXSS scrubbing improvements]
    D --> F[3.2.7: CDATA & raw-text element\nregex improvements\nAnimated href checks]
    D --> G[3.3.0: slot element fix\nADD_ATTR / ADD_TAGS\naccept functions]
    D --> H[3.3.1: ADD_FORBID_CONTENTS\nextends default list\nESM import fix]

Loading

_{Last reviewed commit: d772c4f}

[dependabot]

Superseded by #4757.