fix(server): bump dompurify to 3.4.11 (GHSA-cmwh-pvxp-8882)

GitHub issue · Closed
Source: tuist/tuist #11374
Updated: Jun 24, 2026

What & why

The Server → Security (Trivy) check is failing on main and every open PR. Trivy flags dompurify@3.4.10 in server/pnpm-lock.yaml:

Library    Advisory             Severity  Installed  Fixed in
dompurify  GHSA-cmwh-pvxp-8882  MEDIUM    3.4.10     3.4.11

(Permanent ALLOWED_ATTR pollution via setConfig() bypassing the hook clone-guard.)

Trivy re-downloads its vulnerability DB on every run, so this started failing as soon as the advisory was published — it’s not tied to any code change; it affects main and all in-flight branches.

The fix

dompurify is a transitive dependency (via monaco-editor and posthog-js) that we pin through the overrides block in server/package.json. Bumping that single pin 3.4.10 → 3.4.11 collapses every copy in the tree to the fixed version. Re-running the install relocked server/pnpm-lock.yaml accordingly.

Validation

  • 0 remaining dompurify@3.4.10 in the lockfile (all 3.4.11).
  • Ran the CI-equivalent scan locally:
    trivy fs --scanners vuln --severity MEDIUM,HIGH,CRITICAL --exit-code 1 server/pnpm-lock.yaml
    → pnpm-lock.yaml: 0 vulnerabilities (exit 0)
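As an added illustration of the "0 remaining dompurify@3.4.10" check above (not part of the PR or the Tuist code base), this script walks a pnpm lockfile and reports every resolved copy of a package still below an advisory's fixed version. The lockfile excerpts are constructed, and the pnpm v9 layout (`name@version:` keys under `packages:`/`snapshots:`, plus `name: version` dependency lines) is an assumption about the format.

```python
import re
from typing import List, Set

# Constructed pnpm-lock.yaml excerpts (pnpm v9 layout assumed; real files
# carry full integrity hashes). "Before": the transitive pin is still 3.4.10.
LOCK_BEFORE = """\
lockfileVersion: '9.0'
overrides:
  dompurify: 3.4.10
packages:
  dompurify@3.4.10:
    resolution: {integrity: sha512-CONSTRUCTED}
  monaco-editor@0.52.2:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  dompurify@3.4.10: {}
  monaco-editor@0.52.2:
    dependencies:
      dompurify: 3.4.10
"""
# "After": the single override bump collapsed every copy to 3.4.11.
LOCK_AFTER = LOCK_BEFORE.replace("3.4.10", "3.4.11")

def parse_version(v: str) -> tuple:
    """'3.4.11' -> (3, 4, 11); any pre-release suffix is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def locked_versions(lock_text: str, pkg: str) -> Set[str]:
    """Every version of `pkg` the lockfile resolves to.

    Matches entry keys (`pkg@1.2.3:`) and dependency lines (`pkg: 1.2.3`), so a
    copy nested under a dependent such as monaco-editor is not missed. Peer
    suffixes like `pkg@1.2.3(foo@2.0.0)` are cut at the opening parenthesis.
    """
    key_re = re.compile(rf"^\s*{re.escape(pkg)}@(\d+\.\d+\.\d+[^\s:(]*)", re.M)
    dep_re = re.compile(rf"^\s+{re.escape(pkg)}:\s+(\d+\.\d+\.\d+\S*)\s*$", re.M)
    return set(key_re.findall(lock_text)) | set(dep_re.findall(lock_text))

def remaining_below(lock_text: str, pkg: str, fixed: str) -> List[str]:
    """Versions of `pkg` still locked below the advisory's fixed version."""
    return sorted(v for v in locked_versions(lock_text, pkg)
                  if parse_version(v) < parse_version(fixed))

if __name__ == "__main__":
    for label, text in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, remaining_below(text, "dompurify", "3.4.11"))
```

Pointing it at the real server/pnpm-lock.yaml gives a cheap, offline pre-check before the Trivy scan runs in CI.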

Diff is limited to server/package.json (1 line) + server/pnpm-lock.yaml.

🤖 Generated with Claude Code

https://claude.ai/code/session_01PswmxicCvgaimutLG1zJai