
chore(deps): bump dompurify and handsontable in /compose/neurosynth-frontend#1604

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/compose/neurosynth-frontend/multi-8c661e24ef

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 17, 2026

Bumps dompurify to 3.4.10 and updates ancestor dependency handsontable. These dependencies need to be updated together.

Updates dompurify from 2.5.8 to 3.4.10

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added an SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates handsontable from 12.4.0 to 17.1.0

Release notes

Sourced from handsontable's releases.

17.1.0

Added

  • Added a hit area for dropdown menu and collapsible buttons #12070
  • Added rowspan support to the NestedHeaders plugin, allowing column headers to span multiple header rows. #191
  • Added the DataProvider plugin and dataProvider table option for server-side row loading and mutations. #12147
  • Added XLSX export support to the ExportFile plugin #12166
  • Added build weight comparison tables to the Modules guide, showing the minified and gzip size added by each optional module when imported on top of handsontable/base. #12262
  • Added Notification plugin for non-blocking toast notifications. #12299
  • Added long-press gesture detection on touch devices to open the context menu. #12306
  • Added dedicated paginationButton* theme tokens so pagination navigation button colors can be customized independently via the theme builder. #12317
  • Added dedicated paginationButton* theme tokens so pagination navigation button colors can be customized independently for default, hover, focus, and disabled states via the theme builder. #12404

Changed

  • Added a frame-based e2e test wait helper and replaced selected hook test sleeps. #12161
  • Improve the rendering performance #12189
  • Change the columnHeaders property name to colHeaders in the exportFile plugin #12224
  • Improve rendering performance for fast scrollbar movements #12235
  • Angular: Modernized the Angular wrapper to align with Angular 17–19, simplify setup, reduce dependencies, and clean up tooling. #12451

Fixed

  • Fixed an issue where the Nested Rows plugin was disabled after calling updateSettings with an empty data array. #10556
  • Fixed setSourceDataAtCell() updating parent rows instead of nested child rows when nestedRows is enabled. #10657
  • Fixed an issue where the stretchH: 'last' option would ignore the defined column width when the viewport was too narrow, causing the last column to shrink to 0px. #11761
  • Fixed a stack overflow error when pasting large datasets (50,000+ rows) by optimizing array operations in the HTML table parser. #11784
  • Fixed incorrect JSDoc type annotations for the modifyAutofillRange hook parameters. The parameters entireArea and startArea are now correctly documented as number[] (a flat 4-element array) instead of the generic Array type, and the @returns type annotation has been added. #11862
  • Fixed filter by value input performance degradation when searchMode: apply option is enabled. #12104
  • Fixed getCellMetaAtRow() to always return cell metadata in physical column order. #12109
  • Fixed the modifyAutofillRange hook type signature to match runtime tuple arguments and return value #12113
  • Fixed incorrect parsing of comma-grouped values in numeric cells #12114
  • Fixed comment editor positioning for merged cells #12115
  • Fixed the Filters plugin incorrectly applying filter conditions after columns were moved with the ManualColumnMove plugin. #11832
  • Fixed column resizing being misaligned and calculating incorrect widths when the grid container has a CSS transform: scale() applied. #11838
  • Fixed the stretchH: 'last' option ignoring the defined column width and shrinking the last column to 0px when the viewport was too narrow. #11761
  • Fixed HyperFormula errors when MultiSelect cells store array values. #12135
  • Fixed setSourceDataAtCell() updating a parent row instead of the intended nested child row when the nestedRows option was enabled. #10657
  • Fixed setDataAtRowProp() incorrectly canceling an active editor session when the programmatic update targeted a different cell in the same row. #4305
  • Fix ThemeBuilder false unknown token warning on initialization #12146
  • Prevent after scroll hooks from firing when axis position is unchanged #12151
  • Fixed six regressions related to rowspans in nested column headers. #12152
  • Fixed undo restore for mixed checkbox multi-selection delete. #12153
  • Fixed Ctrl+A selecting the entire grid instead of the comment text when the comment textarea was focused. #12193
  • Fixed columnHeaderHeight overriding the actual content height, causing overlay THEAD misalignment when header text wraps. #12198
  • Fixed selected fixed-column header alignment with data cells for fixedColumnsStart #12202
  • Fixed autofill over hidden columns when Formulas is enabled and hiddenColumns.copyPasteEnabled is false #12203
  • Fixed a one-pixel horizontal misalignment of the left pagination caret in the Pagination plugin. #2791
  • Fixed nested headers crash when sorting with disabled current highlight. #12211
  • Improved server-side data documentation structure and fixed disjunctionWithExtraCondition guard fallback in server filter utility examples. #12241
  • Fixed framework wrappers crashing when init-only settings (renderAllRows, renderAllColumns, layoutDirection, ariaTags) changed after initialization. #12242
  • Fixed an issue where currentRowClassName and currentColClassName could not be changed dynamically using updateSettings. #12247

... (truncated)

Changelog

Sourced from handsontable's changelog.

[17.1.0] - 2026-05-19

(Same Added / Changed / Fixed entries as the release notes above.)

... (truncated)

Commits
  • 8d5c532 Merge remote-tracking branch 'origin/release/17.1.0'
  • 6227bff Fix: disable persist-credentials in stable-merge checkout so App token is use...
  • 848315b Fix: use client-id instead of deprecated app-id for create-github-app-token v3
  • 4781565 Fix stable-prepare CHANGELOG step to be idempotent on re-run
  • 875c77f Fix setVersion crash when version is already set (idempotent re-run)
  • 854e3fc Bump create-github-app-token to v3.2.0
  • 62d29a9 Bump @​playwright/test to ~1.60.0 and regenerate pnpm-lock.yaml to resolve con...
  • 9f19d5f Regenerate pnpm-lock.yaml to resolve conflict with develop
  • de4f2e6 Fix merge conflicts with develop branch
  • 5ed236e 17.1.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for handsontable since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) to 3.4.10 and updates ancestor dependency [handsontable](https://github.com/handsontable/handsontable). These dependencies need to be updated together.


Updates `dompurify` from 2.5.8 to 3.4.10
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.5.8...3.4.10)

Updates `handsontable` from 12.4.0 to 17.1.0
- [Release notes](https://github.com/handsontable/handsontable/releases)
- [Changelog](https://github.com/handsontable/handsontable/blob/develop/CHANGELOG.md)
- [Commits](handsontable/handsontable@12.4.0...17.1.0)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.10
  dependency-type: indirect
- dependency-name: handsontable
  dependency-version: 17.1.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
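The PR description says dompurify is an indirect dependency pulled in through handsontable and that the two must move together, and Dependabot separately flags new install scripts. Before merging, the thing to confirm in the lockfile is that no second, older copy of dompurify survives under another ancestor, and which packages in the tree can run code at install time. The following is an added example, not code from the PR, Dependabot, or either upstream project; it assumes the repository uses a package-lock.json with lockfileVersion 2 or 3 (the "packages" map), and the SAMPLE_LOCK below is a constructed tree whose package names, ranges and integrity strings are placeholders that deliberately include one stale copy and one git-resolved package with an install script.

```javascript
// Added example (not part of the PR or either project): audit a package-lock.json
// (lockfile v2/v3 "packages" map) after a dependency bump.
//  - every installed copy of a named package, and whether any is older than the
//    version the PR is supposed to land
//  - tree-wide: packages not pinned to a registry tarball with an integrity hash
//  - tree-wide: packages npm marked hasInstallScript (preinstall/install/postinstall)

const NODE_MODULES = 'node_modules/';
const NPM_REGISTRY = 'https://registry.npmjs.org/';

// "1.2.3-beta.1+build" -> [1, 2, 3]; prerelease and build metadata are ignored
// (assumption: lockfiles pin release versions, which is the normal case).
function parseVersion(v) {
  return String(v).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const i = lockPath.lastIndexOf(NODE_MODULES);
  return i < 0 ? null : lockPath.slice(i + NODE_MODULES.length);
}

function auditLockfile(lock, name, minVersion) {
  if (!lock || !(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error('expected a package-lock.json with lockfileVersion >= 2 and a "packages" map');
  }
  const copies = [];
  const installScripts = [];
  const unpinned = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const pkg = packageNameFromPath(lockPath);
    if (lockPath === '' || pkg === null || entry.link) continue; // root project and workspace links
    if (entry.hasInstallScript) installScripts.push({ path: lockPath, version: entry.version });
    const resolved = typeof entry.resolved === 'string' ? entry.resolved : '';
    if (!resolved.startsWith(NPM_REGISTRY) || !entry.integrity) {
      unpinned.push({ path: lockPath, resolved: resolved || null, integrity: entry.integrity || null });
    }
    if (pkg === name) {
      copies.push({ path: lockPath, version: entry.version, belowMin: compareVersions(entry.version, minVersion) < 0 });
    }
  }
  return { copies, belowMin: copies.filter((c) => c.belowMin), installScripts, unpinned };
}

// Constructed sample lockfile (hypothetical package names, ranges and hashes).
const SAMPLE_LOCK = {
  name: 'example-frontend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-frontend', dependencies: { handsontable: '^17.1.0', 'legacy-editor': '^1.0.0' } },
    'node_modules/handsontable': {
      version: '17.1.0',
      resolved: 'https://registry.npmjs.org/handsontable/-/handsontable-17.1.0.tgz',
      integrity: 'sha512-PLACEHOLDER-A',
      dependencies: { dompurify: '^3.4.10' },
    },
    'node_modules/dompurify': {
      version: '3.4.10',
      resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-3.4.10.tgz',
      integrity: 'sha512-PLACEHOLDER-B',
    },
    'node_modules/legacy-editor': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/legacy-editor/-/legacy-editor-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER-C',
      dependencies: { dompurify: '^2.0.0' },
    },
    // A second, nested copy that the bump would leave behind.
    'node_modules/legacy-editor/node_modules/dompurify': {
      version: '2.5.8',
      resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-2.5.8.tgz',
      integrity: 'sha512-PLACEHOLDER-D',
    },
    // Git-resolved, no integrity hash, runs a script at install time.
    'node_modules/native-helper': {
      version: '0.3.1',
      resolved: 'git+ssh://git@github.com/example/native-helper.git#abc123',
      hasInstallScript: true,
    },
  },
};

const report = auditLockfile(SAMPLE_LOCK, 'dompurify', '3.4.10');
console.log(JSON.stringify(report, null, 2));
```

On a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of SAMPLE_LOCK. A non-empty `belowMin` means the sanitizer bump is only partial: the old copy is still what the other ancestor loads, and the release notes above (the 3.4.5 security release in particular) say nothing about it. Entries in `unpinned` and `installScripts` are the ones to open and read before merging.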
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 17, 2026
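Two of Dependabot's notes above are supply-chain signals rather than changelog items: dompurify's new version adds a prepare script, and handsontable 17.1.0 was published by a different releaser (GitHub Actions) than the version currently installed. Both can be checked offline from the registry packument (the JSON document at https://registry.npmjs.org/<name>), whose per-version objects carry the publishing account in `_npmUser`, the `scripts` map, and, for packages published with provenance, `dist.attestations`. One caveat worth knowing when reading the prepare warning: for a dependency installed from a registry tarball npm runs only preinstall, install and postinstall; prepare runs when the package is built from a git checkout or in its own working tree, so the classification below keeps the two apart. The following is an added example, not code from Dependabot or either upstream project; SAMPLE_PACKUMENT is a constructed document for a hypothetical package whose publisher names, scripts and URLs are placeholders, not the real dompurify or handsontable metadata.

```javascript
// Added example (not code from the PR, Dependabot, or either upstream project):
// triage a version bump from an npm registry packument by comparing the old and
// new version objects for publisher changes, lifecycle-script changes and
// provenance attestations.

// Scripts npm runs when a dependency is installed from a registry tarball.
const INSTALL_TIME = ['preinstall', 'install', 'postinstall'];
// Scripts npm runs only when the package is built from a git checkout (or in
// its own working tree), not when a registry tarball is installed.
const PREPARE_TIME = ['prepare', 'preprepare', 'postprepare'];

function scriptDelta(oldScripts, newScripts) {
  const before = oldScripts || {};
  const after = newScripts || {};
  const added = Object.keys(after).filter((k) => !(k in before));
  const changed = Object.keys(after).filter((k) => k in before && before[k] !== after[k]);
  return {
    added,
    changed,
    installTime: added.filter((k) => INSTALL_TIME.includes(k)),
    prepareTime: added.filter((k) => PREPARE_TIME.includes(k)),
  };
}

function publisherOf(versionObj) {
  return versionObj._npmUser && versionObj._npmUser.name ? versionObj._npmUser.name : null;
}

function reviewBump(packument, fromVersion, toVersion) {
  const from = packument.versions && packument.versions[fromVersion];
  const to = packument.versions && packument.versions[toVersion];
  if (!from || !to) throw new Error(`packument lacks ${fromVersion} or ${toVersion}`);
  const scripts = scriptDelta(from.scripts, to.scripts);
  const dist = to.dist || {};
  const att = dist.attestations || null;
  const provenance = Boolean(att && att.provenance && att.provenance.predicateType);
  const pubFrom = publisherOf(from);
  const pubTo = publisherOf(to);
  const flags = [];
  if (pubFrom !== pubTo) flags.push(`publisher changed: ${pubFrom} -> ${pubTo}`);
  if (scripts.installTime.length) flags.push(`new scripts that run on install: ${scripts.installTime.join(', ')}`);
  if (scripts.prepareTime.length) flags.push(`new scripts that run only for git/local installs: ${scripts.prepareTime.join(', ')}`);
  if (scripts.changed.length) flags.push(`existing scripts changed: ${scripts.changed.join(', ')}`);
  if (!provenance) flags.push('new version has no provenance attestation');
  if (typeof dist.tarball !== 'string' || !dist.tarball.startsWith('https://registry.npmjs.org/')) {
    flags.push('tarball is not served from registry.npmjs.org');
  }
  if (typeof dist.integrity !== 'string' || !dist.integrity.startsWith('sha512-')) {
    flags.push('tarball integrity is not sha512');
  }
  return {
    publisher: { from: pubFrom, to: pubTo },
    publishedAt: (packument.time && packument.time[toVersion]) || null,
    scripts,
    provenance,
    attestationUrl: att && att.url ? att.url : null,
    flags,
  };
}

// Constructed sample packument (hypothetical package, publishers and hashes),
// shaped like the registry's per-version objects.
const SAMPLE_PACKUMENT = {
  name: 'example-sanitizer',
  'dist-tags': { latest: '3.4.10' },
  time: { '2.5.8': '2024-08-01T00:00:00.000Z', '3.4.10': '2026-06-10T00:00:00.000Z' },
  versions: {
    '2.5.8': {
      version: '2.5.8',
      _npmUser: { name: 'maintainer-a', email: 'a@example.com' },
      scripts: { build: 'rollup -c', test: 'qunit' },
      dist: {
        tarball: 'https://registry.npmjs.org/example-sanitizer/-/example-sanitizer-2.5.8.tgz',
        integrity: 'sha512-PLACEHOLDER-OLD',
      },
    },
    '3.4.10': {
      version: '3.4.10',
      _npmUser: { name: 'ci-release-bot', email: 'ci@example.com' },
      scripts: { build: 'rollup -c', test: 'qunit', prepare: 'npm run build' },
      dist: {
        tarball: 'https://registry.npmjs.org/example-sanitizer/-/example-sanitizer-3.4.10.tgz',
        integrity: 'sha512-PLACEHOLDER-NEW',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-sanitizer@3.4.10',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

console.log(JSON.stringify(reviewBump(SAMPLE_PACKUMENT, '2.5.8', '3.4.10'), null, 2));
```

Fetch the real document with `curl -s https://registry.npmjs.org/handsontable` and pass the parsed JSON with the two version strings from the PR title. This is triage only: the attestation's presence is read from metadata, not verified; `npm audit signatures` run in the checkout after the bump is what actually checks registry signatures and provenance attestations for the installed tarballs. A publisher change plus a new install-time script on the same release is the combination that warrants diffing the unpacked tarball (`npm pack <name>@<version>`) against the tagged source before merging.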