Skip to content

dompurify version update#3320

Open
jwkk1 wants to merge 1 commit into
nhn:masterfrom
jwkk1:master
Open

dompurify version update#3320
jwkk1 wants to merge 1 commit into
nhn:masterfrom
jwkk1:master

Conversation

@jwkk1

@jwkk1 jwkk1 commented Nov 13, 2025

Copy link
Copy Markdown

address known prototype pollution and XSS bypass
vulnerabilities

@aedart

aedart commented Apr 24, 2026

Copy link
Copy Markdown

I too could really use this patch. Also, if its not too demanding, perhaps consider using peerDependencies to allow developers update nested dependencies?
In any case, a patch is really needed in this case. The vulnerabilities keep piling up for projects that "embed" dependencies. It's difficult (or sometimes impossible) to force use up-to-date dependencies that are included in the distributed files.

@ktecho

ktecho commented May 5, 2026

Copy link
Copy Markdown

@jwkk1 v3.3.0 now has at least 6 known vulnerabilities. Do you know of a fork or branch that is maintained with this kind of security updates?

CC: @aedart

@aedart

aedart commented May 5, 2026

Copy link
Copy Markdown

@ktecho sadly I have no knowledge of any good forks. In my case, I'm lucky that the editor / viewer that I use is safeguarded by authentication, and the server-side performs a rather strict markdown cleaning. Other developers might not be that lucky... After consulting myself with some of the public available AIs, the best solution is to migrate to another markdown-editor / viewer. Mildown might be a good candidate.

Of course, if anyone has the time and skill, creating a workable and up-to-date fork of tui's editor, would be ideal to avoid introducing breaking changes. I would really be appreciated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants