
Update dependency sanitize-html to v2.17.5#28574

Merged
9larsons merged 1 commit into main from renovate/sanitize-html-2.x on Jun 13, 2026

Conversation

@tryghost-renovate

Contributor

This PR contains the following updates:

Package                  Change             Age    Confidence
sanitize-html (source)   2.17.4 → 2.17.5    age    confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

apostrophecms/apostrophe (sanitize-html)

v2.17.5

Compare Source

Security
  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • Only on Sunday and Saturday (* * * * 0,6)
    • Between 11:00 PM and 11:59 PM, Monday through Friday (* 23 * * 1-5)
    • Between 12:00 AM and 04:59 AM, Monday through Saturday (* 0-4 * * 1-6)
  • Automerge
    • Only on Sunday and Saturday (* * * * 0,6)
    • Between 11:00 PM and 11:59 PM, Monday through Friday (* 23 * * 1-5)
    • Between 12:00 AM and 04:59 AM, Monday through Saturday (* 0-4 * * 1-6)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
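The policy the release notes above describe, a URL-scheme allowlist applied to every URL-bearing attribute rather than only to href and src, as an added JavaScript example; this is not code from sanitize-html, Apostrophe or this repository, and the attribute set and allowed schemes below are this example's own assumptions, not sanitize-html's defaults.

```javascript
// Added example (not sanitize-html, Apostrophe or Ghost code): a URL-scheme
// allowlist applied to a set of URL-bearing attributes, the policy described
// in the sanitize-html v2.17.5 release notes. The attribute names and the
// default schemes are assumptions made for this example.

// Attributes whose value the browser will navigate to, submit to or fetch.
// `action` and `formaction` are the kind of attribute the release notes call
// inherently unsafe to allow at all; they are listed so that, if a policy
// does allow them, their values are still scheme-checked.
const URL_ATTRIBUTES = new Set([
  'href', 'src', 'cite', 'action', 'formaction', 'poster', 'background', 'data',
]);

// Schemes considered safe. Everything else is rejected, so the check is an
// allowlist, not a denylist of known-bad schemes such as javascript:.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Extract the scheme as a browser would see it: strip leading and trailing
// whitespace/control characters, drop embedded tab, CR and LF (the URL
// parser removes them), then match "scheme:" at the start, ignoring case.
// Returns null for a relative URL, which has no scheme to check.
function urlScheme(value) {
  const cleaned = String(value)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// True when the attribute is not a URL attribute, is a relative URL, or
// carries an allowlisted scheme.
function isSafeAttribute(name, value, allowed = ALLOWED_SCHEMES) {
  if (!URL_ATTRIBUTES.has(name.toLowerCase())) return true;
  const scheme = urlScheme(value);
  return scheme === null || allowed.has(scheme);
}

// Drop every attribute that fails the check and return what survived.
// Input is a plain { attributeName: value } object for one element.
function filterAttributes(attrs, allowed = ALLOWED_SCHEMES) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (isSafeAttribute(name, value, allowed)) kept[name] = value;
  }
  return kept;
}
```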

@tryghost-renovate

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory

@github-actions github-actions Bot added the dependencies Pull requests that update a dependency file label Jun 13, 2026
@tryghost-renovate tryghost-renovate Bot force-pushed the renovate/sanitize-html-2.x branch from 09cb397 to f238c6f on June 13, 2026 18:51
@9larsons 9larsons force-pushed the renovate/sanitize-html-2.x branch from f238c6f to ed8d908 on June 13, 2026 18:57
@nx-cloud

nx-cloud Bot commented Jun 13, 2026




View your CI Pipeline Execution ↗ for commit ed8d908

Command Status Duration Result
nx run @tryghost/admin-x-settings:test:acceptance ✅ Succeeded 10m 25s View ↗
nx build @tryghost/announcement-bar ✅ Succeeded <1s View ↗
nx build @tryghost/activitypub ✅ Succeeded 2s View ↗
nx build @tryghost/comments-ui ✅ Succeeded <1s View ↗
nx build @tryghost/admin-toolbar ✅ Succeeded 1s View ↗
nx build @tryghost/signup-form ✅ Succeeded <1s View ↗
nx build @tryghost/portal ✅ Succeeded <1s View ↗
nx build @tryghost/sodo-search ✅ Succeeded <1s View ↗
Additional runs (15) ✅ Succeeded ... View ↗



☁️ Nx Cloud last updated this comment at 2026-06-13 19:10:12 UTC

@codecov

codecov Bot commented Jun 13, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.74%. Comparing base (73d255d) to head (ed8d908).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #28574   +/-   ##
=======================================
  Coverage   73.74%   73.74%           
=======================================
  Files        1541     1541           
  Lines      132382   132382           
  Branches    15858    15859    +1     
=======================================
  Hits        97627    97627           
  Misses      33769    33769           
  Partials      986      986           
Flag Coverage Δ
admin-tests 54.89% <ø> (ø)
e2e-tests 75.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@9larsons 9larsons merged commit 697dc2c into main Jun 13, 2026
53 checks passed
@9larsons 9larsons deleted the renovate/sanitize-html-2.x branch June 13, 2026 19:44