build(deps): bump the npm-deps group with 5 updates #6215

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/npm-deps-7a73a0d3ce
dependabot[bot] (Contributor) commented on behalf of github Apr 26, 2026

Bumps the npm-deps group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| dompurify | 3.4.0 | 3.4.1 |
| @openpgp/web-stream-tools | 0.3.0 | 0.3.1 |
| @tony.ganchev/eslint-plugin-header | 3.4.3 | 3.4.4 |
| stylelint | 17.8.0 | 17.9.0 |
| typescript-eslint | 8.58.2 | 8.59.0 |

Updates dompurify from 3.4.0 to 3.4.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches
Commits
  • 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
  • 09f5911 test: added three more browsers to test setup (OSX, mobile)
  • See full diff in compare view
Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates @openpgp/web-stream-tools from 0.3.0 to 0.3.1

Commits

Updates @tony.ganchev/eslint-plugin-header from 3.4.3 to 3.4.4

Release notes

Sourced from @tony.ganchev/eslint-plugin-header's releases.

v3.4.4

What's Changed

Full Changelog: tonyganchev/eslint-plugin-header@v3.4.3...v3.4.4

Changelog

Sourced from @tony.ganchev/eslint-plugin-header's changelog.

3.4.4

  • Fix: removed implicit dependency on @eslint/core through JSDoc.
Commits
  • ca8a6b7 fix: unhook from @eslint/core in JSDoc (#191)
  • 20c8d59 fix,test: include d.ts-es in ecosystem tests.
  • 07fc6d7 chore: bump pnpm
  • d8af376 chore: bump deps
  • 53dd279 dhore: bump deps
  • 2e7eb66 docs: update consumers
  • 8a82928 fix,test,ci: Frontify/guideline-blocks ecosystem-test actually catches errors...
  • 34bbc1a fix,test,ci: Frontify/brand-sdk ecosystem-test actually catches errors (#189)
  • 9fe089b test: ecosystem test for juherr/mobilityid (#188)
  • f1ce619 test: ecosystem test for Frontify/brand-sdk (#187)
  • Additional commits viewable in compare view

Updates stylelint from 17.8.0 to 17.9.0

Release notes

Sourced from stylelint's releases.

17.9.0

It adds 3 new features. Adding the referenceFiles property to your configuration object makes the no-unknown-animations, no-unknown-custom-media and no-unknown-custom-properties rules more useful.

Changelog

Sourced from stylelint's changelog.

17.9.0 - 2026-04-23

It adds 3 new features. Adding the referenceFiles property to your configuration object makes the no-unknown-animations, no-unknown-custom-media and no-unknown-custom-properties rules more useful.

Commits
  • cee404b Release 17.9.0 (#9242)
  • b0af5ae Bump prettier from 3.8.1 to 3.8.3 (#9240)
  • e2c2c43 Bump eslint-plugin-jest from 29.15.1 to 29.15.2 in the eslint group (#9239)
  • 68d008e Bump @csstools/css-syntax-patches-for-csstree from 1.1.2 to 1.1.3 in the csst...
  • 5ad7ffb Bump @csstools/css-calc from 3.1.1 to 3.2.0 in the csstools-parser group (#9237)
  • f16ef5e Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#9235)
  • a0b3c5a Bump actions/github-script from 8.0.0 to 9.0.0 (#9236)
  • fb2efec Add abortSignal option to Node.js API for cancellation support (#9213)
  • 84f2c6b Document Netlify hosting badge (#9218)
  • 5b45245 Add maxWarnings to configuration object (#9181)
  • Additional commits viewable in compare view

Updates typescript-eslint from 8.58.2 to 8.59.0

Release notes

Sourced from typescript-eslint's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

  • eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

  • Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.0 (2026-04-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
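
The install-script notice for dompurify in the comment above can be turned into a repeatable pre-merge check. The sketch below is an added example, not part of the Dependabot comment or the project's code; `lifecycleScriptChanges`, `auditGroupUpdate` and the sample manifests are hypothetical names and constructed data.

```javascript
// Added example. Flags npm lifecycle scripts that are new or changed between
// two versions of a package manifest (package.json parsed to an object).

// Scripts npm can run without an explicit `npm run`: preinstall, install and
// postinstall run when a package is installed as a dependency; prepare runs on
// a local `npm install` and when a dependency is installed from a git URL.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

function lifecycleScriptChanges(oldManifest, newManifest) {
  const before = (oldManifest && oldManifest.scripts) || {};
  const after = (newManifest && newManifest.scripts) || {};
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const findings = [];
  for (const script of LIFECYCLE_SCRIPTS) {
    if (!own(after, script)) continue; // absent or removed: nothing new runs
    if (!own(before, script)) {
      findings.push({ script, change: 'added', command: after[script] });
    } else if (before[script] !== after[script]) {
      findings.push({ script, change: 'modified', command: after[script] });
    }
  }
  return findings;
}

// Run the check over every package in a grouped update and keep only the
// packages that need a manual look before merge.
function auditGroupUpdate(updates) {
  return updates
    .map((u) => ({ package: u.name, from: u.from, to: u.to,
                   findings: lifecycleScriptChanges(u.oldManifest, u.newManifest) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: names and versions from the PR table, manifests invented
// for the demo (the real package.json contents are not shown on the page).
const SAMPLE_UPDATES = [
  { name: 'dompurify', from: '3.4.0', to: '3.4.1',
    oldManifest: { scripts: { build: '<build command>' } },
    newManifest: { scripts: { build: '<build command>',
                              prepare: '<prepare command, not shown on the page>' } } },
  { name: 'stylelint', from: '17.8.0', to: '17.9.0',
    oldManifest: { scripts: { test: '<test command>' } },
    newManifest: { scripts: { test: '<test command>' } } },
];

for (const r of auditGroupUpdate(SAMPLE_UPDATES)) {
  for (const f of r.findings) {
    console.log(`${r.package} ${r.from} -> ${r.to}: ${f.change} ${f.script}: ${f.command}`);
  }
}
```

In practice the two manifests would come from the published tarballs of the old and new versions rather than from the repository, since the registry artifact is what gets installed.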

Bumps the npm-deps group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.0` | `3.4.1` |
| [@openpgp/web-stream-tools](https://github.com/openpgpjs/web-stream-tools) | `0.3.0` | `0.3.1` |
| [@tony.ganchev/eslint-plugin-header](https://github.com/tonyganchev/eslint-plugin-header) | `3.4.3` | `3.4.4` |
| [stylelint](https://github.com/stylelint/stylelint) | `17.8.0` | `17.9.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.58.2` | `8.59.0` |


Updates `dompurify` from 3.4.0 to 3.4.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.0...3.4.1)

Updates `@openpgp/web-stream-tools` from 0.3.0 to 0.3.1
- [Commits](https://github.com/openpgpjs/web-stream-tools/commits/v0.3.1)

Updates `@tony.ganchev/eslint-plugin-header` from 3.4.3 to 3.4.4
- [Release notes](https://github.com/tonyganchev/eslint-plugin-header/releases)
- [Changelog](https://github.com/tonyganchev/eslint-plugin-header/blob/main/CHANGELOG.md)
- [Commits](tonyganchev/eslint-plugin-header@v3.4.3...v3.4.4)

Updates `stylelint` from 17.8.0 to 17.9.0
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](stylelint/stylelint@17.8.0...17.9.0)

Updates `typescript-eslint` from 8.58.2 to 8.59.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@openpgp/web-stream-tools"
  dependency-version: 0.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@tony.ganchev/eslint-plugin-header"
  dependency-version: 3.4.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: stylelint
  dependency-version: 17.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: typescript-eslint
  dependency-version: 8.59.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels Apr 26, 2026
dependabot[bot] requested a review from sosnovsky as a code owner April 26, 2026 22:03
FlowCryptRobot enabled auto-merge (squash) April 26, 2026 22:03
FlowCryptRobot previously approved these changes Apr 26, 2026