chore(deps): bump the npm_and_yarn group across 3 directories with 9 updates by dependabot[bot] · Pull Request #5 · clyphy/openclaw

dependabot · 2026-05-11T15:42:19Z

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
file-type	`21.3.0`	`21.3.2`
tar	`7.5.9`	`7.5.11`
undici	`7.22.0`	`7.24.0`
yaml	`2.8.2`	`2.8.3`
dompurify	`3.3.1`	`3.4.0`
vite	`7.3.1`	`7.3.2`
music-metadata	`11.12.1`	`11.12.3`

Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: undici.
Bumps the npm_and_yarn group with 2 updates in the /ui directory: dompurify and vite.

Updates file-type from 21.3.0 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7

Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

sindresorhus/file-type@v21.3.0...v21.3.1

Commits

e18028c 21.3.2
a155cd7 Fix ZIP bomb in known-size ZIP probing
6954817 Harden parser more
370ed91 Fix bound recursive BOM and ID3 detection
d2ecea1 Add a few more safeguards
41fcff5 Update readme
a8f6934 Fix CI
ad5857e 21.3.1
5d2fedf Harden parser
319abf8 Fix infinite loop in ASF parser on malformed input
Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.11

Commits

bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
7bc755d parse root off paths before sanitizing .. parts
c8cb846 update deps
See full diff in compare view

Updates undici from 7.22.0 to 7.24.0

Release notes

Sourced from undici's releases.

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

What's Changed

... (truncated)

Commits

07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
5890c7b fix(deduplicate): stream response chunks to waiting handlers
fbda3c1 Bumped v7.23.0 (#4884)
07276c9 fix: remove unused kSocketPath symbol
Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

Add trailingComma ToString option for multiline flow formatting (#670)

Catch stack overflow during node composition (1e84ebb)

Commits

ce14587 2.8.3
1e84ebb fix: Catch stack overflow during node composition
6b24090 ci: Include Prettier check in lint action
9424dee chore: Refresh lockfile
d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
4321509 ci: Drop the branch filter from GitHub PR actions
47207d0 chore: Update docs-slate
5212fae chore: Update docs-slate
See full diff in compare view

Updates dompurify from 3.3.1 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

Commits

5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
8bcbf73 chore: Preparing 3.3.3 release
5faddd6 fix: engine requirement (#1210)
0f91e3a Update README.md
d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
c3efd48 fix: moved back from jsdom 28 to jsdom 20
988b888 fix: moved back from jsdom 28 to jsdom 20
2726c74 chore: Preparing 3.3.2 release
6202c7e build(deps): bump @tootallnate/once and jsdom (#1204)
302b51d fix: Expanded the regex ever so slightly to also cover script
Additional commits viewable in compare view

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Updates music-metadata from 11.12.1 to 11.12.3

Release notes

Sourced from music-metadata's releases.

v11.12.3

Changes

🐛 Bug Fixes

Fix TypeScript decleration inclusion @Borewit (#2608)

📦 NPM release

NPM release: music-metadata@11.12.3

v11.12.2

⚠️ This release is missing TypeScript declarations, use v11.12.3 instead.

Changes

⚠️ Fix CWE-85 by avoiding infinite loop in ASF @Borewit (#2605)

🐛 Bug Fixes

Map .wma and .wmv. extension to AsfParser @Borewit (#2601)

⬆️ Dependencies

Bump @borewit/text-codec from 0.2.1 to 0.2.2 @dependabot (#2602)

📦 NPM release

NPM release: music-metadata@11.12.2

Commits

894a9e8 11.12.3
2beb45c Fix TypeScript decleration inclusion
7f13e8e 11.12.2
7e5be08 Upgrade @biomejs/biome to 2.4.6
318e963 Fix CWE-85 by avoiding infinite loop in ASF
5b7e69c Simplify tsconfig.prod.json by removing unused options
1ffe9bf Bump tar from 7.5.7 to 7.5.11
20f4683 Bump c8 from 10.1.3 to 11.0.0
cfcf152 Bump @borewit/text-codec from 0.2.1 to 0.2.2
2e4e40c Bump minimatch from 9.0.5 to 9.0.9
Additional commits viewable in compare view

Updates @opentelemetry/exporter-prometheus from 0.212.0 to 0.217.0

Release notes

Sourced from @opentelemetry/exporter-prometheus's releases.

experimental/v0.217.0

0.217.0

🚀 Features

feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @pichlermarc

feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @MikeGoldsmith

feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @trentm

Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).

If log_level is not specified, a diagnostic console logger at "info" level will be setup.

An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @trentm

fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @trentm

fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @trentm

fix(configuration): improve handling of enums in generated types #6659 @trentm

fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @trentm

fix(sampler-jaeger-remote): add missing axios dep #6656 @trentm

fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @homanp

experimental/v0.216.0

0.216.0

🚀 Features

feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @ravitheja4531-cell

feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @maryliag

🐛 Bug Fixes

fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @david-luna

fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @brunorodmoreira

fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @Maximiliano-Zeballos

fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @trentm

fix(web-common): add limit for timeout #6601 @maryliag

fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

test(otlp-transformer): add metrics transform benchmark #6628 @pichlermarc

refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @cjihrig

experimental/v0.215.0

0.215.0

💥 Breaking Changes

... (truncated)

Commits

74cde1b chore: prepare next release (#6675)
e8f439a fix: handle malformed URLs in Prometheus exporter request handler (#6674)
ab3a2e2 feat(sdk-node, configuration): diag log handling updates for startNodeSDK(), ...
d5b7d1e fix(deps): update dependency axios to v1.15.2 [security] (#6670)
c163618 chore(deps): update github/codeql-action digest to e46ed2c (#6661)
ec2bfbe chore(configuration): move config generation scripts into the configuration p...
acc9ecd chore(configuration): cosmetic changes to generated types.ts (#6663)
8f008ec chore: Move inactive members to emeritus (#6649)
435431e fix(configuration): improve the technique for removing '| null' on types due ...
4222024 fix(configuration): improve handling of enums in generated types (#6659)
Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.60.3

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

v4.60.1

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

#6360: fix: do not rename nested "exports" bindings that do not conflict (@tariqrafique, @lukastaegert)

#6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@renovate[bot])

#6365: fix(deps): update minor/patch updates (@renovate[bot])

#6366: fix(deps): update swc monorepo (major) (@renovate[bot])

#6367: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6368: docs: add missing backticks in plugin-development (@lumirlumir, @lukastaegert)

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

4.60.1

2026-03-30

... (truncated)

Commits

b47bdab 4.60.3
15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
b74aa39 Migrate instructions to AGENTS.md
aa5a377 fix(deps): update minor/patch updates (#6365)
197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
cded70a fix(deps): update swc monorepo (major) (#6366)
bb2b8a5 docs: add missing backticks in plugin-development (#6368)
20af1c4 chore(deps): lock file maintenance (#6367)
a6be82b 4.60.2
Additional commits viewable in compare view

Updates undici from 7.22.0 to 7.24.0

Release notes

Sourced from undici's releases.

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

What's Changed

... (truncated)

Commits

07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
5890c7b fix(deduplicate): stream response chunks to waiting handlers
fbda3c1 Bumped v7.23.0 (#4884)
07276c9 fix: remove unused kSocketPath symbol
Additional commits viewable in compare view

Updates dompurify from 3.3.1 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

Commits

5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
8bcbf73 chore: Preparing 3.3.3 release
5faddd6 fix: engine requirement (#1210)
0f91e3a Update README.md
d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
c3efd48 fix: moved back from jsdom 28 to jsdom 20
988b888 fix: moved back from jsdom 28 to jsdom 20
2726c74 chore: Preparing 3.3.2 release
6202c7e build(deps): bump @tootallnate/once and jsdom (#1204)
302b51d fix: Expanded the regex ever so slightly to also cover script
Additional commits viewable in compare view

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates Bumps the npm_and_yarn group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [file-type](https://github.com/sindresorhus/file-type) | `21.3.0` | `21.3.2` | | [tar](https://github.com/isaacs/node-tar) | `7.5.9` | `7.5.11` | | [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.24.0` | | [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.3` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.4.0` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.2` | | [music-metadata](https://github.com/Borewit/music-metadata) | `11.12.1` | `11.12.3` | Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: [undici](https://github.com/nodejs/undici). Bumps the npm_and_yarn group with 2 updates in the /ui directory: [dompurify](https://github.com/cure53/DOMPurify) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `file-type` from 21.3.0 to 21.3.2 - [Release notes](https://github.com/sindresorhus/file-type/releases) - [Commits](sindresorhus/file-type@v21.3.0...v21.3.2) Updates `tar` from 7.5.9 to 7.5.11 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.9...v7.5.11) Updates `undici` from 7.22.0 to 7.24.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.0) Updates `yaml` from 2.8.2 to 2.8.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.2...v2.8.3) Updates `dompurify` from 3.3.1 to 3.4.0 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.4.0) Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `music-metadata` from 11.12.1 to 11.12.3 - [Release notes](https://github.com/Borewit/music-metadata/releases) - [Commits](Borewit/music-metadata@v11.12.1...v11.12.3) Updates `@opentelemetry/exporter-prometheus` from 0.212.0 to 0.217.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-js@experimental/v0.212.0...experimental/v0.217.0) Updates `rollup` from 4.57.1 to 4.60.3 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.1...v4.60.3) Updates `undici` from 7.22.0 to 7.24.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.0) Updates `dompurify` from 3.3.1 to 3.4.0 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.4.0) Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) --- updated-dependencies: - dependency-name: file-type dependency-version: 21.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.11 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 2.8.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: music-metadata dependency-version: 11.12.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@opentelemetry/exporter-prometheus" dependency-version: 0.217.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-05-11T15:42:23Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openclaw-ui	Error		May 11, 2026 3:42pm

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 11, 2026

vercel Bot had a problem deploying to Preview May 11, 2026 15:42 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 3 directories with 9 updates#5

chore(deps): bump the npm_and_yarn group across 3 directories with 9 updates#5
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-6767971243

dependabot Bot commented on behalf of github May 11, 2026

Uh oh!

vercel Bot commented May 11, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 11, 2026

v21.3.2

v21.3.1

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

v7.23.0

What's Changed

v2.8.3

DOMPurify 3.4.0

DOMPurify 3.3.3

DOMPurify 3.3.2

v7.3.2

7.3.2 (2026-04-06)

Bug Fixes

v11.12.3

Changes

🐛 Bug Fixes

📦 NPM release

v11.12.2

Changes

🐛 Bug Fixes

⬆️ Dependencies

📦 NPM release

experimental/v0.217.0

0.217.0

🚀 Features

🐛 Bug Fixes

experimental/v0.216.0

0.216.0

🚀 Features

🐛 Bug Fixes

🏠 Internal

experimental/v0.215.0

0.215.0

💥 Breaking Changes

v4.60.2

4.60.2

Bug Fixes

Pull Requests

v4.60.1

4.60.1

Bug Fixes

Pull Requests

4.60.3

Bug Fixes

Pull Requests

4.60.2

Bug Fixes

Pull Requests

4.60.1

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

v7.23.0

What's Changed

DOMPurify 3.4.0

DOMPurify 3.3.3

DOMPurify 3.3.2

v7.3.2

7.3.2 (2026-04-06)

Bug Fixes

Uh oh!

vercel Bot commented May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

vercel Bot commented May 11, 2026 •

edited

Loading