[Snyk] Upgrade isomorphic-dompurify from 2.36.0 to 3.0.0 #45

Open

erpranavjoshi wants to merge 1 commit into main from snyk-upgrade-a6c1bc1f6fa00e4a19b379570c8180b9

Conversation

@erpranavjoshi

Snyk has created this PR to upgrade isomorphic-dompurify from 2.36.0 to 3.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 4 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: isomorphic-dompurify
  • 3.0.0 - 2026-02-21

    isomorphic-dompurify v3.0.0

    ESM Support

    The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

    // ESM — now works natively
    import DOMPurify, { sanitize } from "isomorphic-dompurify";

    // CJS — still works
    const DOMPurify = require("isomorphic-dompurify");

    Memory Leak Fix for Long-Running Server Processes

    New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#368).

    import { sanitize, clearWindow } from "isomorphic-dompurify";

    // Call clearWindow() when you want to release accumulated DOM state,
    // e.g. periodically, after a batch, or per-request in a server:
    app.use((req, res, next) => {
      res.on("finish", () => clearWindow());
      next();
    });

    Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

    Breaking Changes

    • Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
    • global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#324).
    • Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
    • Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
    • Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer supported.

    Issues Fixed

    • #368 — Memory leak and progressive slowdown in long-running Node.js processes
    • #163 — ESM support
    • #324 — Security concern with global.DOMPurify
    • #353 — lru-cache ESM resolution errors in Nuxt/Nitro builds
    • #350 — Build error with Astro + Cloudflare adapter
    • #203 — Build error in Angular Universal

    Issues Mitigated

    • #330, #349 — createWindow TypeError in Next.js 15 (jsdom is now external, reducing bundler conflicts)
    • #356 — webidl-conversions error in Node.js 22 + Next.js
    • #54 — canvas resolution error in serverless environments

    Internal Changes

    • Source rewritten in TypeScript
    • Build toolchain switched from terser to tsup (dual CJS/ESM output via esbuild)
    • Linting added via Biome with lefthook pre-commit hooks and CI enforcement
    • CI updated to actions/checkout@v4, actions/setup-node@v4, pnpm/action-setup@v4
    • Tests converted to TypeScript with expanded coverage of the wrapper API
    • jsdom updated to 28.1.0
    • Validated against Astro, Next.js, Nuxt, React, and SvelteKit via isomorphic-dompurify-playgrounds
  • 3.0.0-rc.3 - 2026-02-17

    What's Changed

    • chore(deps): bump jsdom from 28.0.0 to 28.1.0
    • chore: add Biome linting, lefthook pre-commit hooks, and CI lint step
    • docs: Added Playgrounds section to the readme

    Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

  • 3.0.0-rc.2 - 2026-02-07
  • 3.0.0-rc.1 - 2026-02-07
  • 2.36.0 - 2026-02-07

    Changelog

    • Updated jsdom.

    See the complete changelog for more details.

    Release

    2.36.0

from isomorphic-dompurify GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
isomorphic-dompurify

See this project in Snyk:
https://app.snyk.io/org/contentstack-devex/project/840d6309-d3d1-4570-a074-6709a8b30c8b?utm_source=github&utm_medium=referral&page=upgrade-pr
@erpranavjoshi erpranavjoshi requested a review from a team as a code owner March 22, 2026 06:36
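As an added illustration of two points in the release notes quoted above (the global.DOMPurify preemption concern the notes cite as #324, and the caveat that clearWindow() discards hooks and config), here is a self-contained Node.js model. It is not code from isomorphic-dompurify or from this PR: makeDomPurify() is a constructed stand-in for a DOMPurify instance bound to a jsdom window (it only strips script elements plus whatever FORBID_TAGS are configured), loadViaGlobal() and loadViaModuleCache() model the v2 and v3 loading strategies, preemptGlobal() stands for any code that happens to run before the wrapper, and the iframe policy is an assumed project setting.

```javascript
// Constructed stand-in for a DOMPurify instance: persistent config, script stripping.
function makeDomPurify() {
  const config = { FORBID_TAGS: [] };
  return {
    setConfig(c) { Object.assign(config, c); },          // sticky, like DOMPurify.setConfig
    sanitize(html) {
      let out = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
      for (const tag of config.FORBID_TAGS) {
        const re = new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}>`, "gi");
        out = out.replace(re, "");
      }
      return out;
    },
  };
}

// v2-style loader: publishes the instance on the global object and trusts
// whatever is already there, so earlier-loaded code can plant a fake.
function loadViaGlobal(g) {
  if (!g.DOMPurify) g.DOMPurify = makeDomPurify();
  return g.DOMPurify;
}

// v3-style loader: the instance lives in module scope. Module caching gives
// singleton behaviour and the global namespace is never consulted.
let instance = null;
function loadViaModuleCache() {
  if (!instance) instance = makeDomPurify();
  return instance;
}

// Hypothetical code that loads first (e.g. a transitive dependency) and
// installs a pass-through "sanitizer" under the name the wrapper will look for.
function preemptGlobal(g) {
  g.DOMPurify = { sanitize: (html) => html, setConfig() {} };
}

const payload = '<p>hello</p><script>alert(1)</script>'; // constructed input

function compareLoaders() {
  const g = {}; // stand-in for globalThis so the demo does not pollute the process
  preemptGlobal(g);
  return {
    viaGlobal: loadViaGlobal(g).sanitize(payload),  // fake wins: script survives
    viaModule: loadViaModuleCache().sanitize(payload), // real instance: script removed
  };
}

// Models clearWindow(): the wrapper drops its window and builds a fresh
// instance on next use, so config set on the old instance is gone.
function clearWindow() {
  instance = null;
}

// Safe per-request pattern: re-apply the hardening config on every use,
// so a reset between requests cannot silently revert to defaults.
function hardenedSanitize(html) {
  const p = loadViaModuleCache();
  p.setConfig({ FORBID_TAGS: ["iframe"] }); // assumed project policy
  return p.sanitize(html);
}

function clearWindowCaveat() {
  const input = '<p>x</p><iframe src="https://example.invalid"></iframe>';
  loadViaModuleCache().setConfig({ FORBID_TAGS: ["iframe"] });
  const before = loadViaModuleCache().sanitize(input);
  clearWindow();
  const afterNaive = loadViaModuleCache().sanitize(input); // config lost, iframe kept
  const afterReapplied = hardenedSanitize(input);           // config restored
  return { before, afterNaive, afterReapplied };
}

console.log(JSON.stringify({ loaders: compareLoaders(), clearWindow: clearWindowCaveat() }, null, 2));
```

The takeaway for this upgrade: the v3 wrapper no longer consults the global namespace, so the preemption path closes on its own; but the per-request `res.on("finish", () => clearWindow())` middleware from the notes must be paired with re-applying setConfig/addHook on the next request, otherwise the wrapper runs with DOMPurify defaults after the first reset.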
@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
| --- | --- | --- | --- | --- |
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 0 | 20 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with / no fixes) | Status |
| --- | --- | --- | --- | --- |
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 18 | 90 / 365 days | ⚠️ Warning |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

  • Critical without fixes: 0
  • High without fixes: 0
  • Medium without fixes: 20
  • Low without fixes: 0

⚠️ BUILD PASSED WITH WARNINGS - SLA breaches detected for issues without available fixes

Consider reviewing these vulnerabilities when fixes become available.
