There can be more than Notion and Miro. AFFiNE(pronounced [ษโfain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable and ready to use.
chore: bump up dompurify version to v3.3.2 [SECURITY] (#14581)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [dompurify](https://redirect.github.com/cure53/DOMPurify) | [`3.3.0` โ `3.3.2`](https://renovatebot.com/diffs/npm/dompurify/3.3.0/3.3.2) |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-0540](https://nvd.nist.gov/vuln/detail/CVE-2026-0540) DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. --- ### Release Notes <details> <summary>cure53/DOMPurify (dompurify)</summary> ### [`v3.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.2): DOMPurify 3.3.2 [Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.1...3.3.2) - Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters - Fixed a prototype pollution issue when working with custom elements, thanks [@​christos-eth](https://redirect.github.com/christos-eth) - Fixed a lenient config parsing in `_isValidAttribute`, thanks [@​christos-eth](https://redirect.github.com/christos-eth) - Bumped and removed several dependencies, thanks [@​Rotzbua](https://redirect.github.com/Rotzbua) - Fixed the test suite after bumping dependencies, thanks [@​Rotzbua](https://redirect.github.com/Rotzbua) ### [`v3.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/3.3.1): DOMPurify 3.3.1 [Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/3.3.0...3.3.1) - Updated `ADD_FORBID_CONTENTS` setting to extend default list, thanks [@​MariusRumpf](https://redirect.github.com/MariusRumpf) - Updated the ESM import syntax to be more correct, thanks [@​binhpv](https://redirect.github.com/binhpv) </details> --- ### Configuration ๐ **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). ๐ฆ **Automerge**: Disabled by config. Please merge this manually once you are satisfied. โป **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. ๐ **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6ImNhbmFyeSIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
R
renovate[bot] committed
09fa1a8e4e803cc4baa472bf74afd078391555e8
Parent: c249011
Committed by GitHub <noreply@github.com>
on 3/6/2026, 11:04:08 AM