Conversation

lifeiscontent
Collaborator

@lifeiscontent lifeiscontent commented Oct 18, 2025

Description

This PR replaces isomorphic-dompurify with the canonical dompurify package in shared utils:

  • Updated packages/utils/src/string.ts to import DOMPurify from dompurify with identical sanitize options.
  • Swapped the dependency in packages/utils/package.json to dompurify.
  • Removed the extra wrapper dependency from apps/web/package.json (where applicable).
  • Cleaned up and deduped pnpm-lock.yaml to a single dompurify version.

Why:

  • This is a front-end only application; we do not run code on the server. An isomorphic wrapper provides no benefit for our setup.
  • Reduce dependency surface area and avoid an extra wrapper that doesn’t add runtime value for our use-case.
  • Align with existing usage of dompurify elsewhere for consistency.
  • Slightly smaller installs/bundles due to deduplication and fewer transitive deps.

Impact:

  • No functional changes expected. The API remains the same (DOMPurify.sanitize) and the allowed tags configuration is unchanged.
  • Behavior remains browser-only, consistent with how these utils are consumed.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Screenshots and Media (if applicable)

N/A

Test Scenarios

Functional:

  • Verified sanitizeHTML, stripAndTruncateHTML, and isEmptyHtmlString still remove tags and trim text as before.
  • Manually tested user-generated HTML in rich text inputs (comments/descriptions) to ensure:
    • Valid content renders unchanged.
    • Malicious payloads (e.g., <img src=x onerror=alert(1)>, inline event handlers, script tags) are removed consistently.

Build and Type Checks:

  • pnpm -w i
  • pnpm -w -r check:types
  • pnpm -w -r check:lint
  • pnpm -w -r build

Regression/Parity:

  • Compared sanitized outputs before/after for representative samples to confirm parity.
  • Confirmed workspace resolves a single dompurify version in pnpm-lock.yaml.

Optional:

  • pnpm why dompurify to verify deduplication and that isomorphic-dompurify is no longer present.

References

@lifeiscontent lifeiscontent self-assigned this Oct 18, 2025
Contributor

coderabbitai bot commented Oct 18, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Replace isomorphic-dompurify with dompurify package in utils.
This change simplifies the dependency and uses the canonical
DOMPurify package directly.
@lifeiscontent lifeiscontent force-pushed the chore/switch-dompurify-package branch from d95ffa8 to b2f8c51 on October 18, 2025 07:28

makeplane bot commented Oct 18, 2025

Linked to Plane Work Item(s)

References

This comment was auto-generated by Plane
