chore(deps): bump dompurify from 3.3.1 to 3.3.2#31
Open
dependabot[bot] wants to merge 14 commits into
Open
Conversation
Add plugin-loader package that reads plugins.json, validates manifests, and exposes hooks for api-server (models, routes, middleware, migrations) and admin-server (pages, menu items, widget definitions). Integration points: - api-server: db models, middleware (5 positions), routes, init/migrate database scripts - admin-server: dynamic sidenav items, catch-all plugin pages, widget definition merging, next.config transpilation - widget-settings: merges plugin widget definitions into core Safety: broken/missing plugins are logged and skipped, never crash the server.
Remove hardcoded test-resources admin pages and let the catch-all plugin route handle them. Add widget preview and server external packages support to the catch-all route so plugin widgets get the same features as core widgets.
The plugin widget route uses [...widgetPath] catch-all, so the widget ID isn't available in router.query.id. Extract the ID from path segments and pass it as idOverride to useWidgetConfig, useWidgetPreview, and WidgetPublish so plugin widgets load and publish correctly.
Replace memoryStorage with databaseStorage backed by Sequelize models for authorization codes, refresh tokens, and tasks. Access tokens already used the database. Adds migration for the three new tables. Also fixes a bug in token.js where non-existent memoryStorage.clients was called instead of db.Client.
…ffinity Add USE_KUBERNETES_CRONJOBS env var to disable in-process cron scheduling and offload to a dedicated K8s CronJob that runs every configurable N minutes, executing any application crons due within that window. Add configurable pod anti-affinity (preferred/required) scoped to the current namespace to spread replicas across nodes.
Move podAntiAffinity config from api-specific to global.podAntiAffinity with enabled/mode settings. Add reusable helper template and apply to all 5 deployments (api, admin, auth, cms, image). Each deployment uses its own app label, scoped to the current namespace.
Replace build-time plugin imports with runtime loading via IIFE bundles. Plugins are now served by the api-server and loaded via <script> tags, enabling add/remove without rebuilding Docker images. - Convert plugin-loader to TypeScript with manifest validation - Add API endpoints: GET /registry, POST /reload (auth-protected), GET /bundle - Add PluginComponentLoader React component for runtime bundle loading - Simplify next.config.js by removing ~190 lines of build-time plugin code - Extract plugin loading from Server.js into plugin-loader-init.js - Remove plugin volume mounts from docker-compose.yml (moved to override) - Remove metkoos as build-time dependency (runtime-only now) - Add path traversal protection and Content-Type headers on bundle endpoint - Reset plugins.json to empty default (deployment-specific config)
Add global.autoscaling values with per-service overrides for HPA configuration including stabilizationWindowSeconds (cooldown) and scaling policies. When autoscaling is enabled, replicas are omitted from Deployments so the HPA manages pod count.
- Add PLUGIN_JSON_OVERRIDE env var support to plugin-loader for K8s ConfigMap injection - Extract _loadEntries() method to avoid duplication between env var and file-based loading - Add Helm plugins section (values.yaml) with enabled, nodeImage, installPath, npmrcSecret, items - Add plugins-configmap.yaml template rendering plugin config as ConfigMap - Add init container to API and Admin deployments that npm installs plugins into shared volume - Add NODE_PATH + PLUGIN_JSON_OVERRIDE env vars to API/Admin containers and init-db-ready - Support version pinning per plugin and private registries via npmrc secret - Add explicit plugin-loader tsc build step in Dockerfile builder stage - Ship plugin-loader dist/ in git (removed from .gitignore) - Add 4 new tests for PLUGIN_JSON_OVERRIDE (41 total, all passing)
feat(plugins): runtime IIFE loading with API endpoints
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.3.2) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.3.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/dompurify-3.3.2
branch
from
March 23, 2026 09:28
d08834a to
140941f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps dompurify from 3.3.1 to 3.3.2.
Release notes
Sourced from dompurify's releases.
Commits
5e56114Getting 3.x branch ready for 3.3.2 release (#1208)e8c95f4fix: Fixed the broken package-lock.json9636037Update package-lock.json5cad4ceGetting 3.x branch ready for 3.3.2 releas (#1205)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.