🚨 [security] Update sanitize-html 2.11.0 → 2.13.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sanitize-html (2.11.0 → 2.13.1) · Repo · Changelog

Security Advisories 🚨

🚨 sanitize-html Information Exposure vulnerability

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

Release Notes

2.13.1 (from changelog)

• Fix to allow regex in allowedClasses wildcard whitelist. Thanks to anak-dev.

2.13.0 (from changelog)

• Documentation update regarding minimum supported TypeScript version.

• Added disallowedTagsMode: completelyDiscard option to remove the content also in HTML. Thanks to Gauav Kumar for this addition.

2.12.1 (from changelog)

• Do not parse sourcemaps in post-css. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the style attribute is allowed by the configuration. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.

2.12.0 (from changelog)

• Introduced the allowedEmptyAttributes option, enabling explicit specification of empty string values for select attributes, with the default attribute set to alt. Thanks to Na for the contribution.

• Clarified the use of SVGs with a new test and changes to documentation. Thanks to Gauav Kumar for the contribution.

• Do not process source maps when processing style tags with PostCSS.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

• Merge pull request #678 from apostrophecms/release-2.13.1
• release 2.13.1
• Merge pull request #676 from apostrophecms/thanks-anak-dev
• thanks
• Merge pull request #675 from anak-dev/anak-dev-main
• docs: update changelog
• fix: allow classes that match `allowedClasses` regex for all tags
• Merge pull request #661 from apostrophecms/release-2.13.0
• release 2.13.0
• Merge pull request #658 from apostrophecms/thanks-and-fixes
• Fixes readme and adds thanks
• Merge pull request #656 from gkumar9891/allow-tagged-html
• README changes
• README changes
• README changes
• changed README
• added test case and changed README file
• changed CHANGELOG
• added option disallowedTagsMode: 'completelyDiscard'
• Merge pull request #655 from dylanarmstrong/doc/readme-typescript-version
• doc: update changelog
• doc: add supported version for typescript
• Merge pull request #654 from apostrophecms/release-2.12.1
• release 2.12.1
• Merge pull request #650 from dylanarmstrong/fix/ignore-source-maps
• Merge pull request #652 from apostrophecms/add-thanks-to-changelog
• Add community contribution thanks you
• Merge pull request #651 from apostrophecms/release-2.12.0
• release 2.12.0
• test: added test for postcss map
• doc: update changelog
• fix: ignore source maps when processing with postcss
• Merge pull request #646 from gkumar9891/allow-svg-element
• changes to documentation
• changes in documentation
• allow svg element
• Merge pull request #634 from zhna123/empty-alt
• Added more tests and modified CHANGELOG
• Added 'allowedEmptyAttributes' option and kept empty 'alt' value by default.
• Merge pull request #628 from alfreema/patch-1
• Delete .circleci directory
• Update README.md - Remove circleci reference
• Update README.md

✳️ @​babel/plugin-transform-modules-commonjs (7.18.6 → 7.25.9) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 14 commits:

• v7.25.9
• remove test options flaky (#16914)
• fix: Accidentally publishing useless files (#16917)
• chore: Improve logic regarding fast objects (#16919)
• test(numeric-separator): fix invalid test layout (#16920)
• perf: Make `VISITOR_KEYS` etc. faster to access (#16918)
• fix: Keep type annotations in `syntacticPlaceholders` mode (#16905)
• Update test262 (#16910)
• Update compat data (#16909)
• ci: pin latest node to 22 (#16913)
• fix: support BROWSERSLIST{,_CONFIG} env (#16907)
• Analyze `ClassAccessorProperty` to prevent the `no-undef` rule (#16884)
• Update test262 (#16900)
• Add v7.25.8 to CHANGELOG.md [skip ci]

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)