`dompurify`

Ecosystem:
npm

Package URL:
pkg:npm/dompurify

Total PRs:
5,301 Dependabot PRs

Latest PR:
about 5 hours ago

Unique Repositories:
3,229 repositories

Unique Repos (30 days):
406 repositories

Security Advisories

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

GHSA-v9jr-rg53-9pgp CVE-2026-41238 MODERATE published about 1 month ago • updated 4 days ago

## Summary DOMPurify versions 3.0.1 through 3.3.3 (latest) are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOM...

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

GHSA-39q2-94rc-95cp MODERATE published about 2 months ago • updated 5 days ago

## Summary In `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to short-circu...

View all 17 advisories

Recent PRs

RSS Feed

Bump the npm-nonbreaking group across 1 directory with 4 updates

TheRemyyy/arden-lang #77

3.4.5 → 3.4.7 Patch PR

Open about 5 hours ago 2 comments

Update dompurify requirement from ^3.2.6 to ^3.4.7 in /superset-frontend/plugins/legacy-preset-chart-nvd3

diwgpt/iris-ss #110

^3.2.6 → ^3.4.7 Minor PR

Open about 7 hours ago 1 comment

chore(deps)(deps): bump the prod-patch group across 1 directory with 7 updates

carlos2280/NexoTTLearn #38

3.4.3 → 3.4.7 Patch PR

Open about 9 hours ago 1 comment

chore(deps): bump dompurify from 3.3.1 to 3.4.7

midnightntwrk/midnight-docs #977

3.3.1 → 3.4.7 Minor PR

Open about 10 hours ago 1 comment

build(deps): bump dompurify from 3.4.5 to 3.4.7

Abelion512/lembaranz #121

3.4.5 → 3.4.7 Patch PR

Open about 10 hours ago 2 comments

chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates

davins56/Anima-Protocol #25

3.3.1 → 3.4.7 Minor PR

Open about 10 hours ago 3 comments

build(deps): bump the production-dependencies group across 1 directory with 17 updates

leego972/virellestudios #39

3.4.5 → 3.4.7 Patch PR

Open about 10 hours ago 1 comment

chore(deps): bump the production-dependencies group across 1 directory with 18 updates

Yichan-wu/olympus-os-project #25

3.4.2 → 3.4.7 Patch PR

Open about 15 hours ago 1 comment

build(deps): Bump dompurify from 3.4.5 to 3.4.7

siro33950/releash #1078

3.4.5 → 3.4.7 Patch PR

Open 1 day ago 3 comments

chore(deps): bump the npm_and_yarn group across 1 directory with 17 updates

lhy8888/uptime #67

3.3.3 → 3.4.0 Minor PR

Closed 1 day ago 2 comments

chore(deps): bump the production-dependencies group across 1 directory with 21 updates

BradGroux/veritas-kanban #425

3.4.3 → 3.4.7 Patch PR

Closed 1 day ago 1 comment

chore(deps): bump the production-dependencies group across 1 directory with 13 updates

buggyblues/shadow #331

3.4.0 → 3.4.7 Patch PR

Open 1 day ago 3 comments

⬆️(deps): Bump the minor-and-patch group with 7 updates

kryoware/dashy #4

3.4.5 → 3.4.7 Patch PR

Open 1 day ago 2 comments

Build(deps): Bump the npm_and_yarn group across 1 directory with 27 updates

EmilynnJ/ragflow #1

3.1.6 → 3.4.0 Minor PR

Open 2 days ago 4 comments

chore(deps)(deps): bump the minor-and-patch group with 4 updates

rumeadia-dotcom/ing0415 #282

3.4.5 → 3.4.7 Patch PR

Open 2 days ago 1 comment

Bump the minor-and-patch group across 1 directory with 21 updates

Rllyyy/repeatio #526

3.4.3 → 3.4.7 Patch PR

Open 2 days ago 1 comment

Bump the npm_and_yarn group across 3 directories with 14 updates

Cyptopimpinainteazy/remix-project #1

3.2.5 → 3.4.0 Minor PR

Open 2 days ago 1 comment

chore(deps): bump dompurify from 3.4.5 to 3.4.7

camster91/ashbi-platform #173

3.4.5 → 3.4.7 Patch PR

Open 2 days ago 1 comment

⬆️(deps): Bump the minor-and-patch group across 1 directory with 9 updates

k-takahashi-m3/dashy #15

3.3.2 → 3.4.7 Minor PR

Open 2 days ago 2 comments

⬆️(deps): Bump the minor-and-patch group across 1 directory with 9 updates

jedommo/dashy #15

3.3.2 → 3.4.7 Minor PR

Open 2 days ago 2 comments

⬆️(deps): Bump the minor-and-patch group across 1 directory with 9 updates

fabiuxxlinuxx/dashy #16

3.3.2 → 3.4.7 Minor PR

Open 2 days ago 2 comments

chore(deps): bump dompurify from 3.4.6 to 3.4.7 in the minor-and-patch group

JBChangelogs/JailbreakChangelogs #296

3.4.6 → 3.4.7 Patch PR

Closed 3 days ago 1 comment

⬆️(deps): Bump the minor-and-patch group across 1 directory with 9 updates

convertivio-design/dashy1-1 #16

3.3.2 → 3.4.7 Minor PR

Open 3 days ago 2 comments

chore(deps): bump the dependencies group across 1 directory with 46 updates

invenhost/InvenTree #348

3.4.0 → 3.4.5 Patch PR

Closed 3 days ago 2 comments

chore(deps): bump dompurify from 3.4.5 to 3.4.7 in /booklore-ui

opensourcefan/Booklore3.0 #115

3.4.5 → 3.4.7 Patch PR

Open 3 days ago 2 comments

chore(deps): bump dompurify from 3.3.3 to 3.4.7

habibjutt/nextjs_boilerplate #178

3.3.3 → 3.4.7 Minor PR

Open 4 days ago 2 comments

chore(deps): bump the npm_and_yarn group across 7 directories with 8 updates

pellera9/opencode #2

3.3.1 → 3.4.0 Minor PR

Closed 4 days ago 4 comments

Bump dompurify from 3.4.6 to 3.4.7

cjmalloy/jasper-ui #1168

3.4.6 → 3.4.7 Patch PR

Open 4 days ago 2 comments

chore(deps): update dompurify requirement from ^3.3.1 to ^3.4.7 in /superset-frontend/plugins/legacy-preset-chart-nvd3

Jackblanket847/superset #139

^3.3.1 → ^3.4.7 Minor PR

Open 4 days ago 1 comment

chore(deps): bump dompurify from 3.3.0 to 3.4.7

and3rn3t/homehub #195

3.3.0 → 3.4.7 Minor PR

Open 4 days ago 3 comments

chore(deps): bump the patch-updates group across 1 directory with 77 updates

dculussoftwares/dculus-forms #48

3.4.5 → 3.4.7 Patch PR

Closed 5 days ago 1 comment

chore(deps): bump the production-dependencies group across 1 directory with 2 updates

Shironex/shiroani #127

3.4.5 → 3.4.7 Patch PR

Closed 5 days ago 1 comment

Bump the minor-and-patch group across 1 directory with 20 updates

opencast/admin-interface #1615

3.4.0 → 3.4.7 Patch PR

Open 5 days ago 5 comments

Bump dompurify from 3.4.5 to 3.4.7 in /client-v3

dreamteamprod/DigiScript #1101

3.4.5 → 3.4.7 Patch PR

Open 5 days ago 5 comments

chore(deps): update dompurify requirement from ^3.3.1 to ^3.4.6 in /superset-frontend/plugins/legacy-preset-chart-nvd3

pinterest/superset #309

^3.3.1 → ^3.4.6 Minor PR

Closed 5 days ago 2 comments

chore(deps): bump the frontend-deps group across 1 directory with 46 updates

phrimm136/dante-planner #168

3.3.3 → 3.4.6 Minor PR

Open 5 days ago 1 comment

Bump the production group with 6 updates

alveusgg/alveusgg #2142

3.4.3 → 3.4.5 Patch PR

Open 5 days ago 1 comment

Bump the npm_and_yarn group across 5 directories with 25 updates

imagelessthought/overleaf #32

3.2.4 → 3.4.0 Minor PR

Closed 5 days ago 1 comment

Bump the dependencies group with 4 updates

quisido/quisi.do #437

3.4.5 → 3.4.6 Patch PR

Closed 5 days ago 2 comments

chore(deps): update dompurify requirement from ^3.4.5 to ^3.4.6 in /superset-frontend/plugins/legacy-preset-chart-nvd3

kaitogoto7/superset #88

^3.4.5 → ^3.4.6 Patch PR

Closed 5 days ago 2 comments

chore(deps): bump dompurify from 3.3.1 to 3.4.6 in /desktop/workbench

AbstergoSweden/HQE-Workbench #179

3.3.1 → 3.4.6 Minor PR

Open 5 days ago 2 comments

Update dompurify requirement from ^3.3.0 to ^3.4.6 in /superset-frontend/plugins/legacy-preset-chart-nvd3

Ex057/Martbase #135

^3.3.0 → ^3.4.6 Minor PR

Open 5 days ago 1 comment

chore(deps): bump the npm_and_yarn group across 3 directories with 7 updates

hirehamir/posthog #36

3.2.6 → 3.4.0 Minor PR

Open 5 days ago 1 comment

chore(deps): bump dompurify from 3.4.5 to 3.4.6 in the production-dependencies group

RackulaLives/Rackula #1750

3.4.5 → 3.4.6 Patch PR

Closed 5 days ago 1 comment

chore(deps)(deps): bump dompurify from 3.4.1 to 3.4.5

BBXtreme/aquadock-crm-v5 #107

3.4.1 → 3.4.5 Patch PR

Open 6 days ago 2 comments

build(deps): bump the dependencies group with 28 updates

MarceloEyer/djzeneyer #566

3.4.2 → 3.4.5 Patch PR

Open 6 days ago 4 comments

chore(deps)(deps): bump the js-minor-patch group across 1 directory with 4 updates

mickyarun/bodhiorchard #156

3.4.2 → 3.4.5 Patch PR

Open 6 days ago 1 comment

chore(deps): bump dompurify from 3.4.2 to 3.4.5

axpdev-lab/aeroftp #245

3.4.2 → 3.4.5 Patch PR

Open 7 days ago 3 comments

chore(deps): bump the frontend-minor-patch group across 1 directory with 17 updates

seheart/raven #112

3.4.0 → 3.4.5 Patch PR

Closed 7 days ago 2 comments

chore(deps): bump the production-dependencies group across 1 directory with 30 updates

maniczko/audioRecorder #919

3.4.3 → 3.4.5 Patch PR

Open 7 days ago 4 comments

Package Details

Name:	`dompurify`
Ecosystem:	npm
PURL Type:	npm
Package URL:	`pkg:npm/dompurify`
JSON API:	View JSON

Security Advisories

17

Active advisories

CRITICAL 2

HIGH 2

MODERATE 13

View All npm Advisories

Package Information

Description:

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Repository:	https://github.com/cure53/DOMPurify
Homepage:	https://github.com/cure53/DOMPurify
Latest Release:	`3.2.6` about 1 year ago
Dependent Repos:	56,633
Dependent Packages:	1,705
Downloads:	43,072,032
Ranking:	Top 0.1284% by dependent repos Top 0.0589% by downloads Top 0.0449% by dependent pkgs

PR Status

Open 2,724 (51.4%)

Merged 269 (5.1%)

Closed 2,059 (38.9%)

PR Types

Major 498 (9.4%)

Minor 2,307 (43.5%)

Patch 2,209 (41.7%)

Removal 1 (0.0%)

dompurify

Security Advisories

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

DOMPurify allows Cross-site Scripting (XSS)

DOMPurify ADD_ATTR predicate skips URI validation

Cross-Site Scripting in dompurify

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

Recent PRs

Package Details

Security Advisories

17

Package Information

PR Status

PR Types

`dompurify`