[Snyk] Upgrade isomorphic-dompurify from 2.36.0 to 3.0.0

[sunil-lakshman]

Snyk has created this PR to upgrade isomorphic-dompurify from 2.36.0 to 3.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 4 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: isomorphic-dompurify

• 3.0.0 - 2026-02-21
  

  isomorphic-dompurify v3.0.0

  ESM Support

  The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

  // ESM — now works natively
  import DOMPurify, { sanitize } from "isomorphic-dompurify";

  // CJS — still works
  const DOMPurify = require("isomorphic-dompurify");

  Memory Leak Fix for Long-Running Server Processes

  New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#368).

  import { sanitize, clearWindow } from "isomorphic-dompurify";

  // Call clearWindow() when you want to release accumulated DOM state,
  // e.g. periodically, after a batch, or per-request in a server:
  app.use((req, res, next) => {
  res.on("finish", () => clearWindow());
  next();
  });

  Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

  Breaking Changes

  • Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
  • global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#324).
  • Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
  • Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
  • Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer supported.

  Issues Fixed

  • #368 — Memory leak and progressive slowdown in long-running Node.js processes
  • #163 — ESM support
  • #324 — Security concern with global.DOMPurify
  • #353 — lru-cache ESM resolution errors in Nuxt/Nitro builds
  • #350 — Build error with Astro + Cloudflare adapter
  • #203 — Build error in Angular Universal

  Issues Mitigated

  • #330, #349 — createWindow TypeError in Next.js 15 (jsdom is now external, reducing bundler conflicts)
  • #356 — webidl-conversions error in Node.js 22 + Next.js
  • #54 — canvas resolution error in serverless environments

  Internal Changes

  • Source rewritten in TypeScript
  • Build toolchain switched from terser to tsup (dual CJS/ESM output via esbuild)
  • Linting added via Biome with lefthook pre-commit hooks and CI enforcement
  • CI updated to actions/checkout@v4, actions/setup-node@v4, pnpm/action-setup@v4
  • Tests converted to TypeScript with expanded coverage of the wrapper API
  • jsdom updated to 28.1.0
  • Validated against Astro, Next.js, Nuxt, React, and SvelteKit via isomorphic-dompurify-playgrounds
• 3.0.0-rc.3 - 2026-02-17
  

  What's Changed

  • chore(deps): bump jsdom from 28.0.0 to 28.1.0
  • chore: add Biome linting, lefthook pre-commit hooks, and CI lint step
  • docs: Added Playgrounds section to the readme

  Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

• 3.0.0-rc.2 - 2026-02-07
  

  isomorphic-dompurify v3.0.0-rc.2

  Memory Leak Fix for Long-Running Server Processes

  New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#368).

  import { sanitize, clearWindow } from "isomorphic-dompurify";

  // Call clearWindow() when you want to release accumulated DOM state,
  // e.g. periodically, after a batch, or per-request in a server:
  app.use((req, res, next) => {
  res.on("finish", () => clearWindow());
  next();
  });

  Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

  ESM Support

  The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

  // ESM — now works natively
  import DOMPurify, { sanitize } from "isomorphic-dompurify";

  // CJS — still works
  const DOMPurify = require("isomorphic-dompurify");

  Breaking Changes

  • Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
  • global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#324).
  • Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
  • Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
  • Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer allowed.

  Issues Fixed

  • #368 — Memory leak and progressive slowdown in long-running Node.js processes
  • #163 — ESM support
  • #324 — Security concern with global.DOMPurify
  • #353 — lru-cache ESM resolution errors in Nuxt/Nitro builds
  • #350 — Build error with Astro + Cloudflare adapter
  • #203 — Build error in Angular Universal

  Issues Mitigated

  • #330, #349 — createWindow TypeError in Next.js 15 (jsdom is now external, reducing bundler conflicts)
  • #356 — webidl-conversions error in Node.js 22 + Next.js
  • #54 — canvas resolution error in serverless environments

  Internal Changes

  • Source rewritten in TypeScript
  • Build toolchain switched from terser to tsup (dual CJS/ESM output via esbuild)
  • CI updated to actions/checkout@v4, actions/setup-node@v4, pnpm/action-setup@v4
  • Tests converted to TypeScript with expanded coverage of the wrapper API
  • Validated against Astro, Next.js, Nuxt, React, and SvelteKit via isomorphic-dompurify-playgrounds
• 3.0.0-rc.1 - 2026-02-07
• 2.36.0 - 2026-02-07
  

  Changelog

  • Updated jsdom.

  See the complete changelog for more details.

  Release

  2.36.0

from isomorphic-dompurify GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[github-actions]

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type	Count (with fixes)	Without fixes	Threshold	Result
🔴 Critical Severity	0	0	10	✅ Passed
🟠 High Severity	0	0	25	✅ Passed
🟡 Medium Severity	0	20	500	✅ Passed
🔵 Low Severity	0	0	1000	✅ Passed

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

Severity	Breaches (with fixes)	Breaches (no fixes)	SLA Threshold (with/no fixes)	Status
🔴 Critical	0	0	15 / 30 days	✅ Passed
🟠 High	0	0	30 / 120 days	✅ Passed
🟡 Medium	0	18	90 / 365 days	⚠️ Warning
🔵 Low	0	0	180 / 365 days	✅ Passed

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

• Critical without fixes: 0
• High without fixes: 0
• Medium without fixes: 20
• Low without fixes: 0

⚠️ BUILD PASSED WITH WARNINGS - SLA breaches detected for issues without available fixes

Consider reviewing these vulnerabilities when fixes become available.