Fix CVE-2026-0540: Override dompurify to version 3.3.2 (#13230)

Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
2026-03-22 05:37:20 +08:00 · 2026-03-05 14:42:20 -06:00
parent cfbf29f6e8
commit dcef5ae1f1
2 changed files with 9 additions and 12 deletions
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -8526,10 +8526,13 @@
      "license": "MIT"
    },
    "node_modules/dompurify": {
-      "version": "3.2.7",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.7.tgz",
-      "integrity": "sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==",
+      "version": "3.3.2",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
+      "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
      "license": "(MPL-2.0 OR Apache-2.0)",
+      "engines": {
+        "node": ">=20"
+      },
      "optionalDependencies": {
        "@types/trusted-types": "^2.0.7"
      }
@@ -13997,15 +14000,6 @@
        "web-vitals": "^5.1.0"
      }
    },
-    "node_modules/posthog-js/node_modules/dompurify": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
-      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
-      "license": "(MPL-2.0 OR Apache-2.0)",
-      "optionalDependencies": {
-        "@types/trusted-types": "^2.0.7"
-      }
-    },
    "node_modules/preact": {
      "version": "10.28.2",
      "resolved": "https://registry.npmjs.org/preact/-/preact-10.28.2.tgz",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -127,5 +127,8 @@
    "workerDirectory": [
      "public"
    ]
+  },
+  "overrides": {
+    "dompurify": "3.3.2"
  }
 }