chore(deps): update all non-major dependencies

[github-actions]

This PR contains the following updates:

Package Updates Summary

Type	Count
📦 NPM Packages	2
Total	2

📦 npm Dependencies

2 packages will be updated

Package	Change	Age	Adoption	Passing	Confidence
dompurify (source)	3.3.3 -> 3.4.2
better-dx (source)	0.2.7 -> 0.2.12

---

Release Notes

cure53/DOMPurify (dompurify)

3.3.3 -> 3.4.2

3.4.2

Compare Source

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

Released by cure53 on 4/30/2026

3.4.1

Compare Source

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests coveri...

[View full release notes]

Released by cure53 on 4/21/2026

3.4.0

Compare Source

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks 1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks christos-eth
• Fixed an issue ...

[View full release notes]

Released by cure53 on 4/14/2026

stacksjs/better-dx (better-dx)

0.2.7 -> 0.2.12

v0.2.12

Compare Source

Released by github-actions[bot] on 5/2/2026

v0.2.8

Compare Source

Released by github-actions[bot] on 5/1/2026

---

📊 Package Statistics

• dompurify: 37,286,840 weekly downloads
• better-dx: 63,630 weekly downloads

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Buddy 🤖

[netlify]

❌ Deploy Preview for ts-validation failed. Why did it fail? →

Name	Link
🔨 Latest commit	518d27b
🔍 Latest deploy log	https://app.netlify.com/projects/ts-validation/deploys/69f6233af9c2000008b73473