build(deps): bump dompurify from 3.2.5 to 3.3.2 in /catalog

[dependabot]

Bumps dompurify from 3.2.5 to 3.3.2.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

Commits

• 5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
• e8c95f4 fix: Fixed the broken package-lock.json
• 9636037 Update package-lock.json
• 5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps dompurify from 3.2.5 to 3.3.2 in the /catalog package, bringing in several important security and bug fixes.

• Security fixes: Addresses a possible XSS bypass via jsdom's raw-text tag parsing, a prototype pollution issue with custom elements, and lenient config parsing in _isValidAttribute.
• Compatibility: The new version adds an engines field requiring node >=20. The project already declares "node": "20" in catalog/package.json and CI reads that value, so there is no compatibility concern.
• Lock file: Both the node_modules/dompurify and legacy dompurify entries in package-lock.json are correctly updated with the new version, resolved URL, and integrity hash.

Confidence Score: 5/5

• This PR is safe to merge — it is a routine, automated security-motivated dependency bump with no breaking changes.
• The change is confined to version strings and integrity hashes in package.json and package-lock.json. The new Node.js engine constraint (>=20) is already satisfied by the project. The upstream release notes describe only security fixes and minor additions with no breaking API changes.
• No files require special attention.

Important Files Changed

Filename	Overview
catalog/package.json	Updated dompurify dependency constraint from ^3.2.5 to ^3.3.2; no other changes. The project already requires Node 20, compatible with dompurify 3.3.2's new engine constraint.
catalog/package-lock.json	Lock file updated to resolve dompurify to 3.3.2 with new integrity hash and the added engines field (node >=20); consistent with the package.json change.

Sequence Diagram

sequenceDiagram
    participant App as Catalog App
    participant DP as DOMPurify 3.3.2
    participant DOM as Browser DOM

    App->>DP: DOMPurify.sanitize(dirtyHTML, config)
    Note over DP: Validates config (hardened against prototype pollution)
    DP->>DP: Parse HTML (improved raw-text / textarea handling)
    DP->>DP: Check attributes (_isValidAttribute stricter config parsing)
    DP->>DP: Check custom elements (prototype pollution fix)
    DP->>DOM: Return sanitized HTML string
    DOM-->>App: Safe HTML rendered

Loading

_{Last reviewed commit: 36c5c4d}