Added better configurability for comment scrubbing default behavior
Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
Fixed some smaller issues in README and other documentation
DOMPurify 2.5.2
Addressed and fixed a mXSS variation found by @kevin-mizu
Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
Updated tests for older Safari and Chrome versions
DOMPurify 2.5.1
Fixed an mXSS sanitizer bypass reported by @icesfont
Added new code to track element nesting depth
Added new code to enforce a maximum nesting depth of 255
Added coverage tests and necessary clobbering protections
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
DOMPurify 2.5.0
Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
Updated the LICENSE file to show the accurate year number
Updated several build and test dependencies
DOMPurify 2.4.9
Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T
DOMPurify 2.4.8
Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser
Bumps the npm_and_yarn group with 12 updates in the /app/ui directory:
2.3.8
2.5.4
0.5.34
0.5.35
7.12.13
7.25.7
4.2.1
4.2.3
0.2.0
0.2.2
0.10.53
0.10.64
4.17.1
4.21.1
1.15.1
1.15.9
1.2.6
1.2.8
6.1.11
6.2.1
1.2.3
1.2.5
1.22.10
1.22.22
Bumps the npm_and_yarn group with 10 updates in the /app/ui/mock-server directory:
7.12.1
7.25.7
0.2.0
0.2.2
4.17.1
4.20.0
2.1.3
2.2.3
3.0.4
3.1.2
1.2.5
1.2.8
2.29.1
2.30.1
1.2.3
1.2.5
2.24.0
3.13.0
4.1.0
4.1.1
Bumps the npm_and_yarn group with 2 updates in the /drone-authorizer directory: ws and puppeteer.
Updates
dompurify
from 2.3.8 to 2.5.4Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
10c1261
docs: Updated README ever so slightly1c92880
test: Fixed two more tests for MSIE11 and Edge 181401208
test: Fixed more tests for MSIE and Edge 182c6410a
test: Fixed several new tests for MSIE11 and Edge 182c9bca9
test: Changed github config to include MSIE tests for 2.xb188787
chore: Preparing 2.5.4 release707b3d6
fix: Added a better for for the MSIE iNaN issue62fe3be
test: Attempting to get MSIE 11 back into the browser test arrayf3a9710
fix: Fixed an issue with MSIE and no support for Number.isNaNe1ddfc7
Merge branch '2.x' of github.com:cure53/DOMPurify into 2.xUpdates
moment-timezone
from 0.5.34 to 0.5.35Release notes
Sourced from moment-timezone's releases.
Changelog
Sourced from moment-timezone's changelog.
Commits
b8fb1ba
Build moment-timezone 0.5.35f1b5e5a
Add changelog for 0.5.358b0eb0c
Bump version to 0.5.357915ac5
Bugfix: Prevent cleartext transmission of tz data during buildce955a3
Bugfix: Fix command injection vulnerability in grunt tzdata pipeline9430b4c
Merge remote-tracking branch 'origin/master' into developfeaf900
Updated contributing.md + added 2021e files704cfac
updated contributing.md877c863
Updated contributing.md + added 2021e files5a3015c
updated contributing.mdUpdates
@babel/traverse
from 7.12.13 to 7.25.7Release notes
Sourced from
@babel/traverse
's releases.... (truncated)
Changelog
Sourced from
@babel/traverse
's changelog.... (truncated)
Commits
2533cfb
v7.25.7611d958
[babel 8] CreateTSClassImplements|TSInterfaceHeritage
nodes (#16731)506bf91
RemoveBABEL_TYPES_8_BREAKING
flag and enable it by default (#16817)9e14f7d
chore: Enable more lint rules (#16827)e69a7e5
fix: issue with node path keys updated on unrelated paths (#16814)7467c9d
[Babel 8] Remove someScope
methods (#16705)0a55713
[Babel 8] RemoveDecimalLiteral
AST (#16807)69d65f1
[babel 8] Require Node.js^18.20.0 || ^20.17.0 || >=22.8.0
(#16800)2f72b97
v7.25.6faceae9
fix:path.getAssignmentIdentifiers
may beundefined
(#16727)Updates
browserify-sign
from 4.2.1 to 4.2.3Changelog
Sourced from browserify-sign's changelog.
Commits
bf2c3ec
v4.2.39247adf
[patch] widen support to 0.12f427270
[Deps] update `parse-asn187f3a35
[Dev Deps] updateaud
,npmignore
,tape
fb261ce
[Deps] updateelliptic
4d0ee49
[patch] drop minimum node support to v19e2bf12
[Deps] pinhash-base
to ~3.0, due to a breaking change168e16f
[Deps] pinelliptic
due to a breaking change37a4758
[actions] remove redundant finisher4af5a90
v4.2.2Maintainer changes
This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.
Updates
decode-uri-component
from 0.2.0 to 0.2.2Release notes
Sourced from decode-uri-component's releases.
Commits
a0eea46
0.2.2980e0bf
Prevent overwriting previously decoded tokens3c8a373
0.2.176abc93
Switch to GitHub workflows746ca5d
Fix issue where decode throws - fixes #6486d7e2
Update license (#1)a650457
Tidelift tasks66e1c28
Meta tweaksUpdates
es5-ext
from 0.10.53 to 0.10.64Release notes
Sourced from es5-ext's releases.
... (truncated)
Changelog
Sourced from es5-ext's changelog.
... (truncated)
Commits
f76b03d
chore: Release v0.10.642881acd
chore: Bump dependenciesc2e2bb9
fix: Revert update meant to fix Powershell issue, as it's a regression16f2b72
docs: Fix date in the changelogde4e03c
chore: Release v0.10.633fd53b7
chore: Upgradelint-staged
to v13bf8ed79
chore: Ensure postinstall script does not crash on Windows2cbbb07
chore: Bump dependencies22d0416
chore: Bump LICENSE yeara52e957
fix: Support ES2015+ function definitions infunction#toStringTokens()
Updates
express
from 4.17.1 to 4.21.1Release notes
Sourced from express's releases.
... (truncated)
Changelog
Sourced from express's changelog.
... (truncated)
Commits
8e229f9
4.21.1a024c8a
fix(deps): cookie@0.7.17e562c6
4.21.01bcde96
fix(deps): qs@6.13.0 (#5946)7d36477
fix(deps): serve-static@1.16.2 (#5951)40d2d8f
fix(deps): finalhandler@1.3.177ada90
Deprecate"back"
magic string in redirects (#5935)21df421
4.20.04c9ddc1
feat: upgrade to serve-static@0.16.09ebe5d5
feat: upgrade to send@0.19.0 (#5928)Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.
Updates
follow-redirects
from 1.15.1 to 1.15.9Commits
e4e55c7
Release version 1.15.9 of the npm package.31a1abf
Attempt much more gentle detection.d2aaa97
Fix url field.62558f0
Release version 1.15.8 of the npm package.a8d1cee
Return subtlety.458ca8e
Fix native URL test for Node 20.ca49e44
Handle KeepAlive connections in tests.f3711d7
Test on Node 20 and 22.fda0faf
Fix typo.760757f
Release version 1.15.7 of the npm package.Updates
minimist
from 1.2.6 to 1.2.8Changelog
Sourced from minimist's changelog.