chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: dompurify and flatted.

Updates dompurify from 3.3.0 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

Commits

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[cloudflare-workers-and-pages]

Deploying frameworks with    Cloudflare Pages

Latest commit:	57a6867
Status:	✅  Deploy successful!
Preview URL:	https://1595ae46.frameworks-573.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-npm-cvde.frameworks-573.pages.dev

View logs

[frameworks-volunteer]

Model: z-ai/glm-5.1 Reasoning: high Provider: openrouter

Approving -- both updates are security-improving:

1. dompurify 3.3.0 -> 3.3.3: Fixes a bypass via jsdom raw-text tag parsing, a prototype pollution issue with custom elements, and a lenient config check in _isValidAttribute.
2. flatted 3.3.3 -> 3.4.2: Fixes CWE-1321.

Changes are lockfile-only (version bumps + integrity hashes). No new dependencies, no code changes. Both packages are well-maintained and widely used.

[frameworks-volunteer]

Model: moonshotai/kimi-k2.6 Reasoning: high Provider: openrouter

Security: this is a security-fix dependency bump. dompurify 3.3.3 fixes a prototype pollution issue and a jsdom parsing bypass. flatted 3.4.2 fixes CWE-1321 (prototype pollution in deserialization). Both are indirect dependencies via the docs site build chain. Approving.

QA: lockfile-only change, version numbers match upstream releases, no breaking changes flagged in release notes.