fix(ui): bump transitive dompurify to 3.4.10 to patch XSS advisories (#11636)

Alejandro Bailo
2026-06-18 12:00:58 +02:00
committed by GitHub
parent 82d37c4978
commit 2111d083df
3 changed files with 10 additions and 4 deletions
+1
@@ -17,6 +17,7 @@ All notable changes to the **Prowler UI** are documented in this file.
### 🔐 Security
- Bump vulnerable `Next.js`, React, AI SDK, `postcss`, `hono`, `qs`, `esbuild`, and Alpine OpenSSL packages (`libcrypto3` and `libssl3`) [(#11581)](https://github.com/prowler-cloud/prowler/pull/11581)
- Bump transitive `dompurify` from 3.4.2 to 3.4.10, patching XSS sanitization bypass advisories [(#11636)](https://github.com/prowler-cloud/prowler/pull/11636)
---
+5 -4
@@ -29,6 +29,7 @@ overrides:
qs: 6.15.2
express-rate-limit: 8.5.1
uuid: 11.1.1
dompurify: 3.4.10
importers:
@@ -5593,8 +5594,8 @@ packages:
dom-helpers@5.2.1:
resolution: {integrity: sha512-nRCa7CK3VTrM2NmGkIy4cbK7IZlgBE/PYMn55rrXefr5xXDP0LdtfPnblFDoVdcAfslJ7or6iqAUnx0CCGIWQA==}
dompurify@3.4.2:
resolution: {integrity: sha512-lHeS9SA/IKeIFFyYciHBr2n0v1VMPlSj843HdLOwjb2OxNwdq9Xykxqhk+FE42MzAdHvInbAolSE4mhahPpjXA==}
dompurify@3.4.10:
resolution: {integrity: sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w==}
dotenv-expand@12.0.3:
resolution: {integrity: sha512-uc47g4b+4k/M/SeaW1y4OApx+mtLWl92l5LMPP0GNXctZqELk+YGgOPIIC5elYmUH4OuoK3JLhuRUYegeySiFA==}
@@ -15168,7 +15169,7 @@ snapshots:
'@babel/runtime': 7.28.6
csstype: 3.2.3
dompurify@3.4.2:
dompurify@3.4.10:
optionalDependencies:
'@types/trusted-types': 2.0.7
@@ -16682,7 +16683,7 @@ snapshots:
d3-sankey: 0.12.3
dagre-d3-es: 7.0.14
dayjs: 1.11.19
dompurify: 3.4.2
dompurify: 3.4.10
es-toolkit: 1.46.1
katex: 0.16.27
khroma: 2.1.0
+4
@@ -45,6 +45,10 @@ overrides:
# use the random v4 generator only, so the bug isn't reachable in practice,
# but the override unifies the tree on a patched version.
"uuid": "11.1.1"
# GHSA-vxr8-fq34-vvx9 (+ several related XSS sanitization bypasses): DOMPurify < 3.4.9,
# pulled in transitively via streamdown > mermaid (which wants ^3.3.1). Pinned to 3.4.10
# (fixes all open advisories; 3.4.11 is < 24h old and blocked by minimumReleaseAge).
"dompurify": "3.4.10"
# --- Level 1: Minimum Release Age ---
# Packages must be published for at least 1 day before they can be installed.
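Review bot: The justification written above the new `"dompurify": "3.4.10"` override is time-bound — "3.4.11 is < 24h old and blocked by minimumReleaseAge" stops being true within a day, and an exact pin in `overrides` keeps forcing 3.4.10 even once streamdown/mermaid start requesting a newer release, so at that point the override would silently hold the transitive dependency back rather than protect it. I would record the intended follow-up on the override itself instead of the perishable fact, e.g. replace the third comment line with `# (fixes all open advisories). TODO: drop this override, or re-pin it, once mermaid itself requires >= 3.4.10`. If the project's policy allows ranges here, `"dompurify": ">=3.4.10"` would take future patch releases without a manual bump, though the surrounding entries all use exact pins, so that is a style decision for the maintainers. The `overrides:` mapping these lines extend starts before the hunk, as the hunk header shows.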