build(deps): bump dompurify from 3.3.1 to 3.4.0

[dependabot]

Bumps dompurify from 3.3.1 to 3.4.0.

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
transcriptr	Ready	Preview, Comment	Apr 19, 2026 5:36pm

[kilo-code-bot]

Code Review Roast 🔥

Verdict: 1 Issue Found | Recommendation: Merge after consideration

Overview

Severity	Count
💡 suggestion	1

Issue Details (click to expand)

File	Line	Roast
N/A	N/A	You're still using npm? In this economy? Bun's faster, safer, and doesn't treat your node_modules like a hoarder’s basement.

---

🏆 Best part: This security bump for DOMPurify plugs some serious holes — prototype pollution and mXSS fixes? That's the kind of update that makes me feel like the codebase might not implode tomorrow.

💀 Worst part: The npm thing. It's like driving a Pinto to a demolition derby.

📊 Overall: A solid, if unexciting, dependency update. Like getting your oil changed — necessary, but nobody's throwing a parade.

Files Reviewed (1 file)

• package-lock.json - 1 issue

---

_{Reviewed by grok-code-fast-1:optimized:free · 142,750 tokens}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud