
About the security vulnerability of dompurify #3825

Closed
frontHu opened this issue Feb 18, 2025 · 2 comments


frontHu commented Feb 18, 2025

I use the fixed version 0.10.2 of html2pdf.js, but the security software scanned and found that [email protected], which this version depends on, has a security vulnerability. Do I need to upgrade dompurify to the latest version?

@rjimenezda

@frontHu There is no breaking change documented on dompurify v3 except for losing Internet Explorer support. Depending on your package manager, you might be able to force dompurify v3 to be used on jsPDF, and test your workflow. On yarn, this is done with "overrides", I'm not currently familiar with other package managers.

I'm assuming that jsPDF is not willing to upgrade to v3 because it seems to work with Internet Explorer, and it would require a major release if it suddenly drops its support.
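Forcing a newer dompurify through an override only helps if no nested copy survives under a dependency's own node_modules, so it is worth checking the lockfile afterwards. The following is an added example (not code from this thread or from jsPDF) that audits an npm package-lock.json "packages" map (lockfileVersion 2/3) for every resolved copy of a package below a minimum version; the sample lockfile contents are constructed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages"
// map) for every resolved copy of a package, including nested copies under
// node_modules/<dep>/node_modules/, and report those below a required
// minimum. Nested copies are exactly what an npm "overrides" / yarn
// "resolutions" entry is meant to eliminate, so this verifies the override took.

// Minimal comparison for plain "MAJOR.MINOR.PATCH" strings; pre-release
// tags are not handled, which is enough for resolved lockfile versions.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry whose path resolves to `name` and whose
// version is older than `minVersion`. Keys in `lock.packages` look like
// "node_modules/dompurify" or "node_modules/jspdf/node_modules/dompurify".
function findOutdatedCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and any nested copy, but not e.g. "dompurify-x"
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative): the root resolves
// dompurify 3.x, but jspdf still carries its own nested 2.x copy, which is
// the copy a vulnerability scanner would keep flagging.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.2.4' },
    'node_modules/jspdf': { version: '2.5.2' },
    'node_modules/jspdf/node_modules/dompurify': { version: '2.5.8' },
  },
};

console.log(findOutdatedCopies(sampleLock, 'dompurify', '3.0.0'));
```

Run against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every resolved copy meets the minimum.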

@HackbrettXXX (Collaborator)

Duplicate of #3819

@HackbrettXXX HackbrettXXX marked this as a duplicate of #3819 Feb 18, 2025
billhimmelsbach added a commit to cfpb/hmda-frontend that referenced this issue Mar 20, 2025
chore(deps): resolve outstanding high and moderate security vulnerabilities

Let's fix up the remaining high and moderate severity vulnerabilities. This goes through and cherry-picks commits from dependabot PRs and combines them with a few that had to be fixed manually.

🚀 Currently on Dev as v3.2.3h 🚀

## Changes

### Dependabot cherry-picked commits
- micromatch from 4.0.7 to 4.0.8
- nanoid from 3.3.7 to 3.3.8
- path-to-regexp from 1.8.0 to 1.9.0
- @babel/runtime from 7.24.8 to 7.26.10
- vite from 5.4.7 to 5.4.12
- elliptic from 6.5.6 to 6.6.1

### Manual dependency bumps
- chore(deps): resolve esbuild to 0.25.0
  - see vitejs/vite#19412 for explanation
- chore(deps): resolve dompurify to 3.2.4
  - see parallax/jsPDF#3825 for explanation
- chore(deps): resolve canvg to 3.0.11
  - see parallax/jsPDF#3834 for explanation
  - bumping this to 3.0.11 won't get rid of the dependabot alert, but does fix the vulnerability. We'll wait for [the jspdf patch](parallax/jsPDF#3834).

## Testing

1. Do the tests still pass on Dev?
_Looks like only the expected tests to fail on Dev are failing_
![Screenshot 2025-03-17 at 5 24 30 PM](https://github.com/user-attachments/assets/26695629-cf42-463d-8eae-93ac2525d924)

2. Does the site still behave normally?