Comparing changes

base repository: cure53/DOMPurify
base: 3.3.3
...
head repository: cure53/DOMPurify
compare: 3.4.0
  • 1 commit
  • 28 files changed
  • 9 contributors

Commits on Apr 14, 2026

  1. Getting 3.x branch ready for 3.4.0 release (#1250)

    * build(deps): bump @tootallnate/once and jsdom (#1214)
    
    Removes [@tootallnate/once](https://github.com/TooTallNate/once). It's no longer used after updating ancestor dependency [jsdom](https://github.com/jsdom/jsdom). These dependencies need to be updated together.
    
    
    Removes `@tootallnate/once`
    
    Updates `jsdom` from 20.0.3 to 28.1.0
    - [Release notes](https://github.com/jsdom/jsdom/releases)
    - [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
    - [Commits](jsdom/jsdom@20.0.3...28.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: "@tootallnate/once"
      dependency-version: 
      dependency-type: indirect
    - dependency-name: jsdom
      dependency-version: 28.1.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump serialize-javascript and @rollup/plugin-terser (#1213)
    
    Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.
    
    
    Updates `serialize-javascript` from 6.0.2 to 7.0.4
    - [Release notes](https://github.com/yahoo/serialize-javascript/releases)
    - [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.4)
    
    Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)
    
    ---
    updated-dependencies:
    - dependency-name: serialize-javascript
      dependency-version: 7.0.4
      dependency-type: indirect
    - dependency-name: "@rollup/plugin-terser"
      dependency-version: 1.0.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * fix: Fixed a problem with the type definition patcher after Node version bump
    
    * build(deps-dev): bump undici from 7.23.0 to 7.24.1 (#1216)
    
    Bumps [undici](https://github.com/nodejs/undici) from 7.23.0 to 7.24.1.
    - [Release notes](https://github.com/nodejs/undici/releases)
    - [Commits](nodejs/undici@v7.23.0...v7.24.1)
    
    ---
    updated-dependencies:
    - dependency-name: undici
      dependency-version: 7.24.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#1218)
    
    Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2.
    - [Commits](WebReflection/flatted@v3.4.1...v3.4.2)
    
    ---
    updated-dependencies:
    - dependency-name: flatted
      dependency-version: 3.4.2
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * test: Added more browser launchers to stay up-to-date
    
    * test: Testing whether the Browser Stack "latest" labels work
    
    * test: Expanded range of tested Node versions into both directions
    
    * fix: Removed Node 26 test target again, not available yet
    
    * fix: Removed Node 16 test target as it breaks
    
    * Update README.md (#1222)
    
    * build(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 (#1223)
    
    Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.4 to 7.0.5.
    - [Release notes](https://github.com/yahoo/serialize-javascript/releases)
    - [Commits](yahoo/serialize-javascript@v7.0.4...v7.0.5)
    
    ---
    updated-dependencies:
    - dependency-name: serialize-javascript
      dependency-version: 7.0.5
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump lodash from 4.17.23 to 4.18.1 (#1228)
    
    Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
    - [Release notes](https://github.com/lodash/lodash/releases)
    - [Commits](lodash/lodash@4.17.23...4.18.1)
    
    ---
    updated-dependencies:
    - dependency-name: lodash
      dependency-version: 4.18.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#1225)
    
    Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
    - [Release notes](https://github.com/lodash/lodash/releases)
    - [Commits](lodash/lodash@4.17.23...4.18.1)
    
    ---
    updated-dependencies:
    - dependency-name: lodash-es
      dependency-version: 4.18.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Create scorecard.yml
    
    * fix: FORBID_TAGS must win over ADD_TAGS function predicate (#1230)
    
    Mirrors the FORBID_ATTR early-exit pattern (c361baa, line 1214) for
    FORBID_TAGS. When EXTRA_ELEMENT_HANDLING.tagCheck is a function that
    returns true, the short-circuit evaluation previously skipped the
    FORBID_TAGS check, allowing forbidden elements through.
    
    Moves FORBID_TAGS[tagName] to an OR at the top of the condition so the
    removal block is always entered for forbidden tags regardless of the
    tagCheck predicate result.
    
    * Update build-and-test.yml
    
    * [StepSecurity] Apply security best practices (#1231)
    
    Signed-off-by: StepSecurity Bot <[email protected]>
    
    * build(deps-dev): bump jsdom from 28.1.0 to 29.0.2 (#1240)
    
    Bumps [jsdom](https://github.com/jsdom/jsdom) from 28.1.0 to 29.0.2.
    - [Release notes](https://github.com/jsdom/jsdom/releases)
    - [Commits](jsdom/jsdom@v28.1.0...v29.0.2)
    
    ---
    updated-dependencies:
    - dependency-name: jsdom
      dependency-version: 29.0.2
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump rollup-plugin-dts from 6.4.0 to 6.4.1 (#1239)
    
    Bumps [rollup-plugin-dts](https://github.com/Swatinem/rollup-plugin-dts) from 6.4.0 to 6.4.1.
    - [Changelog](https://github.com/Swatinem/rollup-plugin-dts/blob/master/CHANGELOG.md)
    - [Commits](Swatinem/rollup-plugin-dts@v6.4.0...v6.4.1)
    
    ---
    updated-dependencies:
    - dependency-name: rollup-plugin-dts
      dependency-version: 6.4.1
      dependency-type: direct:development
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump cross-env from 7.0.3 to 10.1.0 (#1238)
    
    Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
    - [Release notes](https://github.com/kentcdodds/cross-env/releases)
    - [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
    - [Commits](kentcdodds/cross-env@v7.0.3...v10.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: cross-env
      dependency-version: 10.1.0
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.1 (#1237)
    
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.1 to 7.0.1.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@4cec3d8...043fb46)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-version: 7.0.1
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump @rollup/plugin-node-resolve from 15.3.1 to 16.0.3 (#1236)
    
    Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 15.3.1 to 16.0.3.
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve)
    
    ---
    updated-dependencies:
    - dependency-name: "@rollup/plugin-node-resolve"
      dependency-version: 16.0.3
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1235)
    
    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.3.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](ossf/scorecard-action@f49aabe...4eaacf0)
    
    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-version: 2.4.3
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/checkout from 4.2.2 to 6.0.2 (#1234)
    
    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v4.2.2...de0fac2)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-version: 6.0.2
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump @babel/preset-env from 7.29.0 to 7.29.2 (#1233)
    
    Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.29.0 to 7.29.2.
    - [Release notes](https://github.com/babel/babel/releases)
    - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-preset-env)
    
    ---
    updated-dependencies:
    - dependency-name: "@babel/preset-env"
      dependency-version: 7.29.2
      dependency-type: direct:development
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#1232)
    
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@v3.35.1...c10b806)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.1
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Added CONTRIBUTIONS.md
    
    * chore: Regenerated dist versions
    
    * fix: added osv-scanner.toml to ignore flagged deps
    
    * chore: update build-and-test.yml to get rid of a warning
    
    * docs: update README.md with OSF results
    
    * docs: update build-and-test.yml name
    
    * docs: update README.md badges
    
    * test: removed nine really old browsers from karma tests
    
    * fix: apply SAFE_FOR_TEMPLATES scrub in RETURN_DOM path (#1241)
    
    The RETURN_DOM path returns before the final template expression
    scrub, allowing split mustache expressions to reconstruct after
    element removal. Normalize adjacent text nodes and scrub body
    before building the return node.
    
    Co-authored-by: Developer <[email protected]>
    Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
    
    * fix: prevent ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls (#1242)
    
    When sanitize() is called with ADD_ATTR or ADD_TAGS as a function, the
    function reference is stored in EXTRA_ELEMENT_HANDLING. A subsequent call
    that passes ADD_ATTR/ADD_TAGS as an array did not clear the stored function
    because objectHasOwnProperty(cfg, 'ADD_ATTR') returned true, skipping the
    conditional reset.
    
    The leaked function is evaluated before URI/tag checks, so a permissive
    function (returning true) lets dangerous attributes (e.g. javascript: URIs)
    or forbidden tags (e.g. iframe) through on later calls.
    
    Fix: unconditionally reset tagCheck/attributeCheck to null on every
    _parseConfig() call, then only set them if the current config provides a
    function. This ensures no cross-call leakage.
    
    Includes regression tests for both ADD_ATTR and ADD_TAGS leakage scenarios.
    
    * test: reduced number of tested browsers again to be at 24
    
    * Fix mathML attributes (#1243)
    
    * test: reducing BS browser array once more to get unstuck
    
    * test: temporarily reduced browser test array to four main items :-(
    
    * build(deps-dev): bump eslint-config-prettier from 8.10.2 to 10.1.8 (#1244)
    
    Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.2 to 10.1.8.
    - [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
    - [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/prettier/eslint-config-prettier/commits/v10.1.8)
    
    ---
    updated-dependencies:
    - dependency-name: eslint-config-prettier
      dependency-version: 10.1.8
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump rollup from 3.30.0 to 4.60.1 (#1246)
    
    Bumps [rollup](https://github.com/rollup/rollup) from 3.30.0 to 4.60.1.
    - [Release notes](https://github.com/rollup/rollup/releases)
    - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
    - [Commits](rollup/rollup@v3.30.0...v4.60.1)
    
    ---
    updated-dependencies:
    - dependency-name: rollup
      dependency-version: 4.60.1
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#1249)
    
    Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
    - [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
    - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)
    
    ---
    updated-dependencies:
    - dependency-name: follow-redirects
      dependency-version: 1.16.0
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * test: carefully expanded array of tested BS browsers again
    
    * test: experimenting with new BS config to avoid the freezes
    test: removed two Safari versions as they might be the cause
    docs: updated version numbers for upcoming release
    
    * test: reverted to old BS config values as they worked better
    
    ---------
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Signed-off-by: StepSecurity Bot <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: kodareef5 <[email protected]>
    Co-authored-by: StepSecurity Bot <[email protected]>
    Co-authored-by: bencalif <[email protected]>
    Co-authored-by: Developer <[email protected]>
    Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
    Co-authored-by: 1Jesper1 <[email protected]>
    Co-authored-by: David Oliver <[email protected]>
    9 people authored Apr 14, 2026
    Commit 5b16e0b
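As an added illustration (not code from the DOMPurify repository), the following simplified JavaScript model of the two sanitizer-config fixes described in the commit message (FORBID_TAGS winning over the ADD_TAGS predicate, #1230, and the ADD_TAGS function leaking into later array-based calls, #1242) shows why the stored predicate must be reset unconditionally and why FORBID_TAGS must be evaluated before any predicate. parseConfig, isTagAllowed, leakScenario, forbidScenario and the `fixed` switch are hypothetical names, and the tag lists are constructed.

```javascript
// Simplified model of the two config-handling problems the commit message describes.
// This is added illustration, not DOMPurify's code; parseConfig, isTagAllowed and the
// `fixed` switch are hypothetical names, and the tag lists below are constructed.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Module-level state that survives across calls, as the commit describes.
const EXTRA_ELEMENT_HANDLING = { tagCheck: null };
const ALLOWED_TAGS = { p: true, a: true };          // constructed allow list
const FORBID_TAGS = { iframe: true };               // constructed forbid list

// Mirrors the ADD_TAGS handling addressed by the "leaking function" fix (#1242).
function parseConfig(cfg, fixed) {
  if (fixed) {
    // Fix: reset unconditionally on every call, then set only from the current config.
    EXTRA_ELEMENT_HANDLING.tagCheck = null;
  } else if (!hasOwn(cfg, 'ADD_TAGS')) {
    // Bug: the reset is skipped whenever the key is present, so an array-based
    // call keeps the function stored by an earlier function-based call.
    EXTRA_ELEMENT_HANDLING.tagCheck = null;
  }
  if (typeof cfg.ADD_TAGS === 'function') {
    EXTRA_ELEMENT_HANDLING.tagCheck = cfg.ADD_TAGS;
  }
}

// Mirrors the condition-ordering fix for FORBID_TAGS (#1230).
function isTagAllowed(tagName, fixed) {
  const check = EXTRA_ELEMENT_HANDLING.tagCheck;
  if (fixed) {
    // Fix: FORBID_TAGS is evaluated first, so no predicate result can override it.
    if (FORBID_TAGS[tagName]) return false;
    return Boolean(ALLOWED_TAGS[tagName] || (check && check(tagName)));
  }
  // Bug: a permissive predicate short-circuits before FORBID_TAGS is consulted.
  if (check && check(tagName)) return true;
  return Boolean(ALLOWED_TAGS[tagName] && !FORBID_TAGS[tagName]);
}

// Scenario from #1242: a function-based call followed by an array-based call.
// Returns true when nothing leaked into the second call.
function leakScenario(fixed) {
  parseConfig({ ADD_TAGS: () => true }, fixed);
  parseConfig({ ADD_TAGS: ['custom-tag'] }, fixed);
  return EXTRA_ELEMENT_HANDLING.tagCheck === null;
}

// Scenario from #1230: a permissive predicate is installed; returns whether a
// forbidden tag would still be kept (it must not be).
function forbidScenario(fixed) {
  parseConfig({ ADD_TAGS: () => true }, true);
  return isTagAllowed('iframe', fixed);
}
console.log(leakScenario(false), leakScenario(true));     // false true
console.log(forbidScenario(false), forbidScenario(true)); // true false
```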