Bump the frontends-prod group across 1 directory with 6 updates by dependabot[bot] · Pull Request #631 · OpenConext/OpenConext-access

dependabot · 2026-04-14T11:26:12Z

Bumps the frontends-prod group with 6 updates in the /client directory:

Package	From	To
dompurify	`3.3.3`	`3.4.0`
isomorphic-dompurify	`3.7.1`	`3.8.0`
react	`19.2.4`	`19.2.5`
react-dom	`19.2.4`	`19.2.5`
react-router-dom	`7.14.0`	`7.14.1`
react-tooltip	`5.30.0`	`5.30.1`

Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
See full diff in compare view

Updates isomorphic-dompurify from 3.7.1 to 3.8.0

Release notes

Sourced from isomorphic-dompurify's releases.

3.8.0: Updated dependencies

Dependency updates:

bump jsdom from 29.0.1 to 29.0.2

bump @biomejs/biome from 2.4.8 to 2.4.10

bump vitest from 4.1.1 to 4.1.3

bump lefthook from 2.1.4 to 2.1.5

Commits

40c0ced chore(release): bump version to 3.8.0 and update dep ranges
1493745 chore(deps): bump jsdom from 29.0.1 to 29.0.2
772dbc8 chore(deps-dev): bump vitest from 4.1.2 to 4.1.3
5c426c9 chore(deps-dev): bump lefthook from 2.1.4 to 2.1.5
9532ef7 chore(deps-dev): bump @biomejs/biome from 2.4.9 to 2.4.10
eff4ba9 chore(deps-dev): bump vitest from 4.1.1 to 4.1.2
62e619d chore(deps-dev): bump @biomejs/biome from 2.4.8 to 2.4.9
See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by @eps1lon and @unstubbable)

Commits

23f4f9f 19.2.5
See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by @eps1lon and @unstubbable)

Commits

23f4f9f 19.2.5
See full diff in compare view

Updates react-router-dom from 7.14.0 to 7.14.1

Changelog

Sourced from react-router-dom's changelog.

v7.14.1

Patch Changes

Updated dependencies:

react-router@7.14.1

Commits

197674b Release 7.14.1 (#14973)
a87774f Add new release process (#14916)
See full diff in compare view

Updates react-tooltip from 5.30.0 to 5.30.1

Release notes

Sourced from react-tooltip's releases.

v5.30.1

If you like ReactTooltip, please give the project a star on GitHub 🌟

What's Changed

fix: npm publish worklow updated to use id-token instead of npm token by @danielbarion in ReactTooltip/react-tooltip#1264

fix: arrow shoulder corners bleeding outside tooltip border by @danielbarion in ReactTooltip/react-tooltip#1263

fix: update tooltip types to allow click events properly by @danielbarion in ReactTooltip/react-tooltip#1266

docs: enhance 'Clickable tooltip' section with accessibility info by @moloko in ReactTooltip/react-tooltip#1267

New Contributors

@Copilot made their first contribution in ReactTooltip/react-tooltip#1263

@moloko made their first contribution in ReactTooltip/react-tooltip#1267

Full Changelog: ReactTooltip/react-tooltip@v5.30.0...v5.30.1

Commits

f7539f7 chore(version): v5.30.1
a1cd387 Merge pull request #1266 from ReactTooltip/fix/Issue-1223-events
6057d8c Merge pull request #1267 from moloko/patch-1
e6e515f Enhance 'Clickable tooltip' section with accessibility info
1a04317 fix: update tooltip types to allow click events properly
3346e9f Merge pull request #1263 from ReactTooltip/copilot/fix-border-overlap-issue
91f3967 fix: arrow border behavior and backface
296223f fix: arrow styles when bigger border and bigger size
015b900 chore: remove debug log from beta release workflow
d6e5de7 fix: add more permissions to the comment script
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the frontends-prod group with 6 updates in the /client directory: | Package | From | To | | --- | --- | --- | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.0` | | [isomorphic-dompurify](https://github.com/kkomelin/isomorphic-dompurify) | `3.7.1` | `3.8.0` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.5` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.5` | | [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.14.0` | `7.14.1` | | [react-tooltip](https://github.com/ReactTooltip/react-tooltip) | `5.30.0` | `5.30.1` | Updates `dompurify` from 3.3.3 to 3.4.0 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.0) Updates `isomorphic-dompurify` from 3.7.1 to 3.8.0 - [Release notes](https://github.com/kkomelin/isomorphic-dompurify/releases) - [Commits](kkomelin/isomorphic-dompurify@3.7.1...3.8.0) Updates `react` from 19.2.4 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react) Updates `react-dom` from 19.2.4 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom) Updates `react-router-dom` from 7.14.0 to 7.14.1 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.14.1/packages/react-router-dom) Updates `react-tooltip` from 5.30.0 to 5.30.1 - [Release notes](https://github.com/ReactTooltip/react-tooltip/releases) - [Changelog](https://github.com/ReactTooltip/react-tooltip/blob/master/CHANGELOG.md) - [Commits](ReactTooltip/react-tooltip@v5.30.0...v5.30.1) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: frontends-prod - dependency-name: isomorphic-dompurify dependency-version: 3.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: frontends-prod - dependency-name: react dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: frontends-prod - dependency-name: react-dom dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: frontends-prod - dependency-name: react-router-dom dependency-version: 7.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: frontends-prod - dependency-name: react-tooltip dependency-version: 5.30.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: frontends-prod ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-04-16T07:08:13Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 14, 2026

dependabot bot force-pushed the dependabot/npm_and_yarn/client/frontends-prod-23c2c93e5f branch from 7b7d00a to 74158e2 Compare April 15, 2026 11:26

dependabot bot closed this Apr 16, 2026

dependabot bot deleted the dependabot/npm_and_yarn/client/frontends-prod-23c2c93e5f branch April 16, 2026 07:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the frontends-prod group across 1 directory with 6 updates#631

Bump the frontends-prod group across 1 directory with 6 updates#631
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/client/frontends-prod-23c2c93e5f

dependabot bot commented on behalf of github Apr 14, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Apr 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DOMPurify 3.4.0

3.8.0: Updated dependencies

19.2.5 (April 8th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

v7.14.1

Patch Changes

v5.30.1

What's Changed

New Contributors

Uh oh!

dependabot bot commented on behalf of github Apr 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Apr 14, 2026 •

edited

Loading