fix(deps): update dependency isomorphic-dompurify to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
isomorphic-dompurify	2.36.0 → 3.0.0

---

Release Notes

kkomelin/isomorphic-dompurify (isomorphic-dompurify)

v3.0.0: : ESM Support + Memory Leak Fix for Long-Running Server Processes

Compare Source

isomorphic-dompurify v3.0.0

ESM Support

The library now ships proper ESM alongside CommonJS. Both import and require work out of the box with correct module resolution.

// ESM — now works natively
import DOMPurify, { sanitize } from "isomorphic-dompurify";

// CJS — still works
const DOMPurify = require("isomorphic-dompurify");

Memory Leak Fix for Long-Running Server Processes

New clearWindow() export that closes the internal jsdom window and creates a fresh one, preventing unbounded memory growth and progressive slowdown in long-running Node.js processes (#​368).

import { sanitize, clearWindow } from "isomorphic-dompurify";

// Call clearWindow() when you want to release accumulated DOM state,
// e.g. periodically, after a batch, or per-request in a server:
app.use((req, res, next) => {
  res.on("finish", () => clearWindow());
  next();
});

Note: clearWindow() is a no-op in the browser build (no jsdom to manage). Any hooks or config set via addHook/setConfig will need to be re-applied after calling it.

Breaking Changes

• Named exports are now available. sanitize, addHook, removeHook, removeHooks, removeAllHooks, setConfig, clearConfig, isValidAttribute, isSupported, version, and removed are all exported directly.
• global.DOMPurify singleton removed. The library no longer writes to global.DOMPurify. Module caching provides singleton behavior in both ESM and CJS. This also fixes a security concern where malicious code could preempt the global before the module loaded (#​324).
• Build output moved to dist/. Entry points are now dist/index.js (CJS), dist/index.mjs (ESM), dist/browser.js (CJS), dist/browser.mjs (ESM). The exports map handles this automatically — no changes needed for consumers using standard imports.
• Type definitions are auto-generated. The hand-written index.d.ts using export = DOMPurify is replaced by generated .d.ts and .d.mts files with proper export default and named exports.
• Node.js version constraint tightened. Now requires ^20.19.0 || ^22.12.0 || >=24.0.0 to match jsdom 28's requirements. Node 21.x, 23.x, and 22.0–22.11 are no longer supported.

Issues Fixed

• #​368 — Memory leak and progressive slowdown in long-running Node.js processes
• #​163 — ESM support
• #​324 — Security concern with global.DOMPurify
• #​353 — lru-cache ESM resolution errors in Nuxt/Nitro builds
• #​350 — Build error with Astro + Cloudflare adapter
• #​203 — Build error in Angular Universal

Issues Mitigated

• #​330, #​349 — createWindow TypeError in Next.js 15 (jsdom is now external, reducing bundler conflicts)
• #​356 — webidl-conversions error in Node.js 22 + Next.js
• #​54 — canvas resolution error in serverless environments

Internal Changes

• Source rewritten in TypeScript
• Build toolchain switched from terser to tsup (dual CJS/ESM output via esbuild)
• Linting added via Biome with lefthook pre-commit hooks and CI enforcement
• CI updated to actions/checkout@v4, actions/setup-node@v4, pnpm/action-setup@v4
• Tests converted to TypeScript with expanded coverage of the wrapper API
• jsdom updated to 28.1.0
• Validated against Astro, Next.js, Nuxt, React, and SvelteKit via isomorphic-dompurify-playgrounds

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Test report for scratch-svg-renderer

  1 files   60 suites   0s ⏱️
124 tests 124 ✅ 0 💤 0 ❌
276 runs  275 ✅ 1 💤 0 ❌

Results for commit 89c13ba.

♻️ This comment has been updated with latest results.

[github-actions]

Test report for task-herder

28 tests   28 ✅  0s ⏱️
 7 suites   0 💤
 1 files     0 ❌

Results for commit 89c13ba.

[github-actions]

Test report for task-herder

28 tests   28 ✅  0s ⏱️
 7 suites   0 💤
 1 files     0 ❌

Results for commit 89c13ba.

[github-actions]

Test report for scratch-render

  1 files   55 suites   2s ⏱️
209 tests 209 ✅ 0 💤 0 ❌
279 runs  279 ✅ 0 💤 0 ❌

Results for commit 89c13ba.

♻️ This comment has been updated with latest results.

[github-actions]

Test report for scratch-gui

  2 files  ±0   62 suites  ±0   8m 48s ⏱️ -24s
398 tests ±0  390 ✅ ±0  8 💤 ±0  0 ❌ ±0 
416 runs  ±0  408 ✅ ±0  8 💤 ±0  0 ❌ ±0 

Results for commit 89c13ba. ± Comparison against base commit d6da8b3.

♻️ This comment has been updated with latest results.

[github-actions]

Test report for scratch-vm

    1 files  ±0    763 suites  ±0   1m 49s ⏱️ +5s
1 666 tests ±0  1 666 ✅ ±0   0 💤 ±0  0 ❌ ±0 
4 855 runs  ±0  4 825 ✅ ±0  30 💤 ±0  0 ❌ ±0 

Results for commit 89c13ba. ± Comparison against base commit d6da8b3.

♻️ This comment has been updated with latest results.