[ https://issues.apache.org/jira/browse/ATLAS-5278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18077098#comment-18077098 ]

ASF subversion and git services commented on ATLAS-5278:
--------------------------------------------------------

Commit 29cab840fb6c5c895a31a5659ec4249006c80e29 in atlas's branch refs/heads/master from Prasad Pawar
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=29cab840f ]

ATLAS-5278: Atlas UI: Upgrade dompurify to 3.4.0 (#608)

> Atlas UI: Upgrade dompurify to 3.4.0
> ------------------------------------
>
>                 Key: ATLAS-5278
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5278
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-webui
>    Affects Versions: 3.0.0
>            Reporter: Prasad P. Pawar
>            Assignee: Prasad P. Pawar
>            Priority: Major
>              Labels: Atlas-UI
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> h2. Files to touch for the fix (DOMPurify 3.4.0)
> ||Area||Action||
> |{{dashboardv2/public/js/external_lib/dompurify/purify.min.js}}|Replace with the 3.4.0 build (same filename/path so RequireJS in {{main.js}} / {{migration.js}} usually stays the same).|
> |{{dashboardv2/public/js/main.js}}|Only if you change path/filename (normally no change).|
> |{{dashboardv2/public/js/migration.js}}|Same as {{main.js}}.|
> |{{dashboardv2/public/js/utils/Utils.js}}|Review only — already calls {{DOMPurify.sanitize(editorContent, config)}} with {{FORBID_TAGS}} / {{FORBID_ATTR}} (relevant to CVE-2026-41240 class of issues before 3.4.0). Unlikely to need API changes if you keep the same config shape.|
> |License / notices|If the project documents bundled versions (e.g. {{LICENSE}}, {{docs/.../ProjectLicense.md}}, {{3party-licenses/}}), bump the stated DOMPurify version to 3.4.0 if those files mention it (current grep did not find DOMPurify in {{LICENSE}}; still worth a manual read).|
> No {{package.json}} bump in {{dashboardv2}} for DOMPurify today because it is not an npm dependency there—only the vendored file.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)