Bump the production-dependencies group across 1 directory with 23 updates

[dependabot]

Bumps the production-dependencies group with 23 updates in the / directory:

Package	From	To
@auth/prisma-adapter	2.11.1	2.11.2
@aws-sdk/client-s3	3.1043.0	3.1057.0
@hocuspocus/provider	4.0.0	4.1.0
@hocuspocus/server	4.0.0	4.1.0
@hookform/resolvers	5.2.2	5.4.0
@prisma/client	6.19.2	7.8.0
@tanstack/react-query	5.90.21	5.100.14
concurrently	9.2.1	10.0.0
date-fns	4.1.0	4.4.0
dompurify	3.3.2	3.4.7
@types/dompurify	3.0.5	3.2.0
lucide-react	0.574.0	1.17.0
marked	17.0.4	18.0.4
next	16.1.6	16.2.6
next-auth	5.0.0-beta.30	5.0.0-beta.31
nodemailer	7.0.13	8.0.10
react	19.2.4	19.2.6
react-dom	19.2.4	19.2.6
react-hook-form	7.71.2	7.77.0
stripe	20.4.1	22.2.0
tailwind-merge	3.5.0	3.6.0
yjs	13.6.30	13.6.31
zod	4.3.6	4.4.3

Updates @auth/prisma-adapter from 2.11.1 to 2.11.2

Release notes

Sourced from @​auth/prisma-adapter's releases.

@​auth/prisma-adapter@​2.11.2

Other

• @​auth/core: dependency update (67f2b168)

Commits

• af9daa8 chore(release): bump package version(s) [skip ci]
• d4dab3d chore: sync package versions with npm registry (#13414)
• 8a23c5b chore: fix lockfile (#13411)
• 2018202 docs: fix TypeScript type mismatch in refresh token rotation example (#13396)
• 0eba7e4 adapter-kysely: Update kysely for CVE-2026-33468 (#13407)
• 67f2b16 fix(providers): add issuer to GitHub provider for RFC 9207 compliance (#13410)
• f457068 docs: update middleware.ts references to proxy.ts for Next.js 16 (#13373)
• c7c2cfa docs: update Better Auth migration guide (#13334)
• b4ef14a chore(release): bump version [skip ci]
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for @​auth/prisma-adapter since your current version.

Updates @aws-sdk/client-s3 from 3.1043.0 to 3.1057.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1057.0

3.1057.0(2026-05-29)

Bug Fixes

• client-rds-data:
  • ArrayValue member element types are now nullable: booleanValues is (boolean | null)[], longValues and doubleValues are (number | null)[], stringValues is (string | null)[], and arrayValues is (ArrayValue | null)[]. This reflects that SQL array responses can contain NULL elements. Existing TypeScript code that reads elements as non-nullable values won't compile; migrate by changing the target type to nullable, using the nullish coalescing operator ?? to supply a default, or using .filter(v => v !== null). (43e8abc9)

Chores

• codegen:
  • smithy-aws-typescript-codegen 0.50.0 (#8056) (050bee10)
  • sync for smithy 1.71.0 and snapshot-testing fix (#8053) (e55a3879)

New Features

• clients: update client endpoints as of 2026-05-29 (100e59e3)
• client-codeguru-security: Adding new BDD representation of endpoint ruleset (b5e79600)
• client-auto-scaling-plans: Adding new BDD representation of endpoint ruleset (be4de620)
• client-connect-contact-lens: Adding new BDD representation of endpoint ruleset (5356eaf4)
• client-connectcampaignsv2: Adding new BDD representation of endpoint ruleset (610e00f6)
• client-cloudsearch: Adding new BDD representation of endpoint ruleset (954a5629)
• client-account: Adding new BDD representation of endpoint ruleset (043ec31b)
• client-directory-service-data: Adding new BDD representation of endpoint ruleset (a4c4696b)
• client-bedrock: Automated Reasoning checks - Added two build workflows for policies. Iterative Refine Policy uses AI to update policy definitions based on test results and feedback. Resolve Policy Ambiguities consolidates ambiguous variables in Automated Reasoning policies, a common source of ambiguous validation. (dc971ce1)
• client-lex-models-v2: Adding new BDD representation of endpoint ruleset (46879a2b)
• client-application-insights: Adding new BDD representation of endpoint ruleset (8188d14a)
• client-quicksight: Adds support for creating, updating, describing, listing, and deleting an OAuthClientApplication resource, a new quicksight resource that allows customers to store OAuth configurations to connect to their databases via 3 Legged OAuth. (62d39a81)
• client-bedrock-agentcore-control: Reference your own AWS Secrets Manager secrets when configuring credential providers, giving you control over encryption, rotation, and access policies instead of using service-managed secrets. (ac8eac96)
• client-codecatalyst: Adding new BDD representation of endpoint ruleset (5d0951a1)
• client-grafana: Adding new BDD representation of endpoint ruleset (a0c1dbf4)
• client-drs: Adding new BDD representation of endpoint ruleset (af7bbc33)
• client-cloudsearch-domain: Adding new BDD representation of endpoint ruleset (84e5f9f0)
• client-networkflowmonitor: Adding new BDD representation of endpoint ruleset (2571d33c)
• client-mailmanager: Adding new BDD representation of endpoint ruleset (89075b5d)
• client-route53resolver: Added BatchCreateFirewallRule, BatchUpdateFirewallRule, BatchDeleteFirewallRule, and ListFirewallRuleTypes APIs. Added FirewallRuleType support to Firewall Rule APIs. (a5c6d722)
• client-pcs: Adding new BDD representation of endpoint ruleset (eec245d2)
• client-inspector-scan: Adding new BDD representation of endpoint ruleset (f4eb5511)
• client-sesv2: This release introduces support for Tenant Suppression Lists (3de2020c)
• client-chime: Adding new BDD representation of endpoint ruleset (f8e2cde5)
• client-proton: Adding new BDD representation of endpoint ruleset (937b25e0)
• client-lex-runtime-v2: Adding new BDD representation of endpoint ruleset (2e4709c6)
• client-ssm-guiconnect: Adding new BDD representation of endpoint ruleset (e5c019d3)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1057.0 (2026-05-29)

Note: Version bump only for package @​aws-sdk/client-s3

3.1056.0 (2026-05-28)

Note: Version bump only for package @​aws-sdk/client-s3

3.1055.0 (2026-05-27)

Note: Version bump only for package @​aws-sdk/client-s3

3.1054.0 (2026-05-26)

Note: Version bump only for package @​aws-sdk/client-s3

3.1053.0 (2026-05-22)

Note: Version bump only for package @​aws-sdk/client-s3

3.1052.0 (2026-05-21)

Note: Version bump only for package @​aws-sdk/client-s3

3.1051.0 (2026-05-20)

... (truncated)

Commits

• e836d5c Publish v3.1057.0
• e55a387 chore(codegen): sync for smithy 1.71.0 and snapshot-testing fix (#8053)
• 4b03542 Publish v3.1056.0
• 7ae617c chore(codegen): sync for cyclic file dependency fixes (#8051)
• 2981565 Publish v3.1055.0
• d999d57 Publish v3.1054.0
• ef69ea6 Publish v3.1053.0
• 443d6be Publish v3.1052.0
• 0d6242d chore(codegen): update @​smithy dependencies (#8038)
• b825c13 Publish v3.1051.0
• Additional commits viewable in compare view

Updates @hocuspocus/provider from 4.0.0 to 4.1.0

Release notes

Sourced from @​hocuspocus/provider's releases.

v4.1.0

What's Changed

• feat(server): add beforeHandleAwareness hook by @​dschmidt in ueberdosis/hocuspocus#1096
• fix(server): wrap awareness origin as TransactionOrigin by @​dschmidt in ueberdosis/hocuspocus#1094

New Contributors

• @​dschmidt made their first contribution in ueberdosis/hocuspocus#1094

Full Changelog: ueberdosis/hocuspocus@v4.0.0...v4.1.0

Changelog

Sourced from @​hocuspocus/provider's changelog.

4.1.0 (2026-05-20)

Bug Fixes

• server: wrap awareness origin as TransactionOrigin (#1094) (bb24de0)

Features

• server: add beforeHandleAwareness hook (#1096) (1597da8)

Commits

• 702ec72 v4.1.0
• 86b9fe6 chore: remove ws package from provider (#1098)
• 1597da8 feat(server): add beforeHandleAwareness hook (#1096)
• bbabe6b build(deps): bump next from 16.2.3 to 16.2.6 (#1093)
• bb24de0 fix(server): wrap awareness origin as TransactionOrigin (#1094)
• 3fb1c63 build(deps): bump hono from 4.12.14 to 4.12.18 (#1092)
• c9cc578 chore: inline esm-only deps (crossws) so cjs-only module loaders work fine
• See full diff in compare view

Updates @hocuspocus/server from 4.0.0 to 4.1.0

Release notes

Sourced from @​hocuspocus/server's releases.

v4.1.0

What's Changed

• feat(server): add beforeHandleAwareness hook by @​dschmidt in ueberdosis/hocuspocus#1096
• fix(server): wrap awareness origin as TransactionOrigin by @​dschmidt in ueberdosis/hocuspocus#1094

New Contributors

• @​dschmidt made their first contribution in ueberdosis/hocuspocus#1094

Full Changelog: ueberdosis/hocuspocus@v4.0.0...v4.1.0

Changelog

Sourced from @​hocuspocus/server's changelog.

4.1.0 (2026-05-20)

Bug Fixes

• server: wrap awareness origin as TransactionOrigin (#1094) (bb24de0)

Features

• server: add beforeHandleAwareness hook (#1096) (1597da8)

Commits

• 702ec72 v4.1.0
• 86b9fe6 chore: remove ws package from provider (#1098)
• 1597da8 feat(server): add beforeHandleAwareness hook (#1096)
• bbabe6b build(deps): bump next from 16.2.3 to 16.2.6 (#1093)
• bb24de0 fix(server): wrap awareness origin as TransactionOrigin (#1094)
• 3fb1c63 build(deps): bump hono from 4.12.14 to 4.12.18 (#1092)
• c9cc578 chore: inline esm-only deps (crossws) so cjs-only module loaders work fine
• See full diff in compare view

Updates @hookform/resolvers from 5.2.2 to 5.4.0

Release notes

Sourced from @​hookform/resolvers's releases.

v5.4.0

5.4.0 (2026-05-21)

Features

• feat: add ata-validator resolver (#845)

Fixes

• fix issue with toNestErrors.ts (#848)

• add guidance on passing context to yupResolver (useForm context) (#835) (3d29924)

Commits

• 3d29924 feat: add guidance on passing context to yupResolver (useForm context) (#835)
• 56b68f3 feat: 5.3.0
• cf8562d update readme on ata-validator
• 5e5b610 fix issue with toNestErrors.ts (#848)
• 72aacf8 Revise supported versions in SECURITY.md
• ad89a20 feat: add ata-validator resolver (#845)
• 02286db ci: updated publish workflow to use node 24 (#838)
• 2e9bc7c Fix(zodResolver): error paths in complex unions #787 (#819)
• See full diff in compare view

Updates @prisma/client from 6.19.2 to 7.8.0

Release notes

Sourced from @​prisma/client's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

• Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

• Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } }prisma/prisma-engines#5804
• Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } }prisma/prisma-engines#5806
• Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
• Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
• Fixed a regression that caused missing SQL Server VARCHARprisma/prisma-engines#5801

Schema Engine

• Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
• Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction blockprisma/prisma-engines#5799
• Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement())prisma/prisma-engines#5802

Driver Adapters

• @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

7.7.0

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

... (truncated)

Commits

• 62b44ac chore(deps): update engines to 7.8.0-5.e96eae70cf4ade6a15d7e6064d5b0b4f7d835d...
• 4104864 feat: add a query plan cache size parameter (#29503)
• 723ba7b chore(deps): update engines to 7.8.0-4.8c287008617e9b12f313df99e2c821ae61ea9a...
• cadbafe chore(deps): update engines to 7.8.0-2.3187e3937290320ba3c7dbd5aa94af67942b44...
• f705533 chore(deps): update engines to 7.8.0-1.7b80cc56c645c6e03c7541474e6a7c8d91b70d...
• fbab4e8 Fix 29271 (#29303)
• 6a3c3cc chore: extract parameterization to client-engine-runtime (#29422)
• 5b420f8 fix(client): prevent caching of createMany queries to avoid cache bloat and p...
• 30f0af6 feat: dmmf streaming with an E2E test (#29377)
• 14c3c2e fix: pin E2E typescript to prevent 6 upgrade (#29383)
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.90.21 to 5.100.14

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

@​tanstack/react-query-devtools@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-next-experimental@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-persist-client@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query@​5.100.13

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

... (truncated)

Commits

• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (#10755)
• 3e85350 ci: Version Packages (#10706)
• 9d2692c ci: Version Packages (#10695)
• 74fa05e chore(tsconfig.json): narrow 'include' pattern to prevent TS6053 race conditi...
• 8c3d523 ci: Version Packages (#10630)
• 9800c8f ci: Version Packages (#10623)
• Additional commits viewable in compare view

Updates concurrently from 9.2.1 to 10.0.0

Release notes

Sourced from concurrently's releases.

v10.0.0

💥 Breaking Changes

• Dropped support for Node.js <22.0.0. Older Node.js version have reached end-of-life, and certain features require new-ish JS APIs.
• concurrently is now ESM-only. It's now possible to require(esm). See here for interoperability.
• Prefix colors now default to automatic - #581 The colors used to default to reset (which does nothing). Concurrently now automatically selects a color, out of the box. The list of colors used is not jarring nor carries semantic meaning, and reads well in both dark and light terminal backgrounds.
• Removed deprecated flags and options
  • CLI flag --name-separator: use commas instead.
  • API option killOthers: use killOthersOn instead.

✨ New Features

• Support applying modifiers to hex prefix colors (e.g. #ff0000.bold) - #450
• Support chalk's color functions in prefixes (e.g. rgb(), hex(), bgRgb(), etc) - #578
• Set prefix background color via bg#RRGGBB - #578
• Allow shell override via --shell CLI flag/shell API option - #288, #589, #556 concurrently distinguishes between cmd.exe, powershell, and POSIX-based shells.
• Manual prefix coloring in templates e.g. [{color}{name}{/color}] - #583, #587

🐛 Bug fixes

• Scope quote normalization to CLI input - #582, #585 It should now also be possible to run commands like "/some/command" foo bar"
• Don't throw when color doesn't exist - #580

🔐 Security

• Address vulnerability in shellquote - #591

Other changes

• Warn about running on Snap - #584

New Contributors

• @​philfreo made their first contribution in open-cli-tools/concurrently#566
• @​garretmh made their first contribution in open-cli-tools/concurrently#450
• @​CodeF53 made their first contribution in open-cli-tools/concurrently#574
• @​nkappler made their first contribution in open-cli-tools/concurrently#577
• @​stephanschubert made their first contribution in open-cli-tools/concurrently#578
• @​GermanJablo made their first contribution in open-cli-tools/concurrently#581
• @​y-nk made their first contribution in open-cli-tools/concurrently#587
• @​samchungy made their first contribution in open-cli-tools/concurrently#591
• @​saito-netartz made their first contribution in open-cli-tools/concurrently#590
• @​jeffrey-takuma made their first contribution in open-cli-tools/concurrently#585

Full Changelog: open-cli-tools/concurrently@v9.2.1...v10.0.0

Commits

• cf2eaa2 10.0.0
• 1b9bae4 deps: upgrade yargs to v18 (#593)
• b05ee75 Bump min Node.js version to v22
• ae60bc4 Scope quote normalization to CLI input (#585)
• 2822c28 docs: update outdated Node.js doc links and fix null code formatting (#590)
• 42f3829 deps: upgrade shell-quote to 1.8.4 (#591)
• cb04cbf Remove deprecated flags/options
• 0e50ac3 Partial prefix coloring (#587)
• efb3153 Fix test failures within VS Code
• b229c8c Allow shell overrides (#589)
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Attestation changes

This version has no provenance attestation, while the previous version (9.2.1) was attested. Review the package versions before updating.

Updates date-fns from 4.1.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates dompurify from 3.3.2 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

... (truncated)

Commits

• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.