Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell

... (truncated)

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Sourced from isomorphic-dompurify's releases.

3.7.1

Bug Fix

• Fixed missing browser type declarations — browser.d.ts and browser.d.mts were not included in the 3.7.0 published package due to a race condition in the build process. This caused TS7016: Could not find a declaration file for module 'isomorphic-dompurify' errors in tsgo and TypeScript 6 when resolving through the default (browser) exports condition. (#411)

Thanks to @​asterikx and @​ElPrudi for their help with the issue.

3.7.0: TypeScript 6 compatibility

TypeScript 6 compatibility fixes:

• Add explicit type annotation for sanitize to satisfy TS6
• Silence baseUrl deprecation warning from tsup dts build in TS6

Dependency updates:

• bump typescript from 5.9.3 to 6.0.2
• bump vitest from 4.1.0 to 4.1.1

3.6.0: Updated dependencies

Dependency updates:

• bump jsdom from 29.0.0 to 29.0.1
• bump @​types/jsdom from 28.0.0 to 28.0.1
• bump @​biomejs/biome from 2.4.7 to 2.4.8

3.5.1

Fix outdated build artifacts published in 3.5.0.

3.5.0: Add factory function support

What's new

Features

• The default export is now callable as a factory function, matching the dompurify API — DOMPurify(window) now returns a new DOMPurify instance bound to the given window (#405)

Bug fixes

• Fixed isEqualNode returning false when comparing RETURN_DOM + FORCE_BODY output against nodes from a separate JSDOM context (#405)

Thanks to @​probablykasper for helping with this release.

3.4.0: jsdom update, performance improvement and node 22 requirement update

What's Changed

• Upgraded jsdom from 28 to 29, which fixes performance degradation in long-running processes; note that heap memory still grows over time without calling clearWindow()
• Bumped minimum Node.js 22 requirement from 22.12.0 to 22.13.0 (LTS)
• Added format script (biome format --write) and pre-commit hook
• Updated dev dependencies (biome, vitest)

3.3.0: Updated dependencies

What's Changed

Full Changelog: kkomelin/isomorphic-dompurify@3.2.0...3.3.0

3.2.0: Updated dependencies

... (truncated)

• 11315f4 chore: Bumped project version.
• 97770c7 fix: prevent race condition dropping browser type declarations
• 8a06c60 chore: Incremented project version.
• 51ebc9d fix: silence baseUrl deprecation warning from tsup dts build in TS6
• b0fab7e chore: Updated deps.
• 0e86f89 chore(deps-dev): bump typescript from 5.9.3 to 6.0.2
• a028523 fix: add explicit type annotation for sanitize to satisfy TS6
• cb38b24 chore(deps-dev): bump vitest from 4.1.0 to 4.1.1
• 009574a chore: Updated deps. Incremented project version.
• 21b362d chore(deps): bump jsdom from 29.0.0 to 29.0.1
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.