
chore(deps): update dependency dompurify to v3.4.3#5913

Merged
thomhurst merged 1 commit into main from renovate/dompurify-3.x
May 14, 2026

Conversation

@thomhurst thomhurst (Owner) commented May 13, 2026

This PR contains the following updates:

Package   | Type        | Update | Change
dompurify | resolutions | patch  | 3.4.2 → 3.4.3

Release Notes

cure53/DOMPurify (dompurify)

v3.4.3: DOMPurify 3.4.3

Compare Source

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@thomhurst thomhurst added dependencies Pull requests that update a dependency file PATCH renovate-bot labels May 13, 2026
@thomhurst thomhurst enabled auto-merge (squash) May 13, 2026 12:17
@codacy-production codacy-production Bot commented May 13, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


@claude claude Bot (Contributor) left a comment

Code Review: dompurify 3.4.2 → 3.4.3

This is a Renovate-generated patch bump for DOMPurify, a security-sensitive XSS sanitization library used in the docs site.

What changed

  • docs/package.json — version pin updated
  • docs/yarn.lock — integrity hash updated to match the new release

Both changes are consistent and correct; the lock file hash matches the published npm artifact.

Why this matters

This is not a cosmetic bump. The 3.4.3 release includes two security-relevant fixes:

  1. ReDoS hardening — template regexes were made more robust against Regular Expression Denial of Service attacks.
  2. Shadow DOM fixes — nested Shadow DOM tree handling was corrected, preventing potential sanitization bypasses in environments that use Shadow DOM.

Approving patch updates to a sanitization library promptly is the right call — the risk of not updating outweighs any regression risk from a patch version.

Assessment

No concerns. The diff is minimal, mechanically correct, and the underlying library changes are purely defensive security improvements. Auto-merge is appropriate here.
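The review above states that the yarn.lock integrity hash matches the published npm artifact. The script below, added here as an example and not part of the PR or of DOMPurify, shows what that check actually consists of: the version pinned under `resolutions` in package.json must equal the `version` in the lock entry, and the lock entry's `integrity` value must equal `sha512-` plus the base64 SHA-512 of the tarball bytes that were really downloaded. The package.json fragment, the yarn.lock v1 entry and the tarball bytes are all constructed for the example; the real lock hash from the PR is not reproduced here.

```python
"""Check a yarn.lock v1 entry against package.json and against the downloaded
tarball. All inputs below are constructed for this example."""
import base64
import hashlib
import json
import re

# Constructed stand-in for the package tarball (not the real dompurify-3.4.3.tgz).
FAKE_TARBALL = b"\x1f\x8b" + b"constructed tarball bytes for dompurify 3.4.3"


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string as yarn stores it: 'sha512-' + base64 digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed docs/package.json fragment (the PR's real file is not reproduced).
PACKAGE_JSON = json.dumps({"resolutions": {"dompurify": "3.4.3"}})

# Constructed yarn.lock v1 entry whose integrity matches FAKE_TARBALL.
YARN_LOCK = f'''\
dompurify@3.4.3:
  version "3.4.3"
  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.4.3.tgz"
  integrity {sri_sha512(FAKE_TARBALL)}
'''


def parse_yarn_lock_entry(lock_text: str, package: str) -> dict:
    """Return the version/resolved/integrity fields of one package's lock entry."""
    block = re.search(rf'^"?{re.escape(package)}@[^\n]*:\n((?:  .*\n?)+)', lock_text, re.M)
    if not block:
        raise KeyError(package)
    fields = {}
    for line in block.group(1).splitlines():
        key, _, value = line.strip().partition(" ")
        fields[key] = value.strip('"')
    return fields


def verify_lock_entry(package_json: str, lock_text: str, package: str, tarball: bytes) -> list:
    """Return a list of problems; an empty list means the lock entry checks out."""
    problems = []
    pinned = json.loads(package_json).get("resolutions", {}).get(package)
    entry = parse_yarn_lock_entry(lock_text, package)
    if entry.get("version") != pinned:
        problems.append(f"version mismatch: package.json pins {pinned}, lock has {entry.get('version')}")
    integrity = entry.get("integrity", "")
    if not integrity.startswith("sha512-"):
        # Older lock files may carry sha1; a missing or weaker hash is worth flagging.
        problems.append("integrity is missing or not sha512")
    elif integrity != sri_sha512(tarball):
        problems.append("integrity mismatch: downloaded tarball does not match lock file")
    if not entry.get("resolved", "").startswith("https://"):
        problems.append("resolved URL is not https")
    return problems


if __name__ == "__main__":
    print(verify_lock_entry(PACKAGE_JSON, YARN_LOCK, "dompurify", FAKE_TARBALL))
    # A single altered byte in the tarball is enough to fail the integrity check.
    print(verify_lock_entry(PACKAGE_JSON, YARN_LOCK, "dompurify", FAKE_TARBALL + b"x"))
```

For a real repository the tarball bytes come from fetching the `resolved` URL, and the same comparison applies; the point of the check is that the lock file commits to the exact artifact bytes, so a registry-side substitution of the tarball would fail installation rather than land silently.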

@claude claude Bot (Contributor) commented May 13, 2026

Code Review Follow-up

No changes since the previous review — still on commit 65246b0. The prior approval stands.

Summary: This is a clean, minimal patch bump of DOMPurify (3.4.2 → 3.4.3) with two security-relevant fixes (ReDoS hardening + Shadow DOM sanitization). The package.json version pin and yarn.lock integrity hash are consistent with the published npm artifact. No concerns; auto-merge is appropriate.

@claude claude Bot (Contributor) commented May 14, 2026

Re-review: dompurify 3.4.2 → 3.4.3

Re-checked against the prior approval — no changes to this PR since the previous review.

The diff remains a minimal, correct patch bump:

  • docs/package.json: version pin updated from 3.4.2 to 3.4.3
  • docs/yarn.lock: resolved URL and integrity hash both updated consistently

Previous assessment stands: This is a security-positive update (ReDoS hardening + Shadow DOM sanitization fixes in DOMPurify). Auto-merge is appropriate.

@claude claude Bot (Contributor) left a comment

Re-review: dompurify 3.4.2 → 3.4.3

No changes since the previous review (2026-05-13). Assessment stands:

  • Both package.json and yarn.lock are consistent with each other
  • The 3.4.3 release contains security-relevant fixes (ReDoS hardening, Shadow DOM sanitization bypasses) — prompt uptake is correct
  • Diff is minimal and mechanically correct

No issues found. Auto-merge remains appropriate.

@claude claude Bot (Contributor) left a comment

Re-review: dompurify 3.4.2 to 3.4.3. No changes since the previous review on 2026-05-13. Assessment stands: both package.json and yarn.lock are consistent, and the 3.4.3 release contains security-relevant fixes (ReDoS hardening, Shadow DOM sanitization bypasses). No issues found. Auto-merge remains appropriate.

@thomhurst thomhurst force-pushed the renovate/dompurify-3.x branch from 18a3626 to 3050320 Compare May 14, 2026 09:03
This was referenced May 21, 2026

2 participants