
syntax-tree/hast-util-sanitize

GitHub · 1 watcher · Open source

Last release: 2024-10-25

hast-util-sanitize is a utility for sanitizing hast trees, making potentially dangerous user content safe to use by removing or cleaning unsafe elements and properties. It defaults to GitHub-style sanitization, and is useful when you need to safely render user-provided content as HTML, optionally with configurable schemas.

Project status

  • Maintenance status: The repository appears to be in maintenance mode. The last upstream push was 2024-10-25, well before today (2026-06-11), and the most recent changes are type and tooling work rather than new features.
  • Update cadence: Releases have been roughly annual in recent history (for example, 5.0.1 on 2023-10-26, then 5.0.2 on 2024-10-25), but there has been no new activity for about 19 months.

AI summary generated 2026-06-11

AI-generated from public sources. May be inaccurate.

Recent updates

  • 5.0.2

    2024-10-25

    Release 5.0.2 primarily updates TypeScript declaration generation (declaration maps) and refactors JSDoc typing to use `@import` syntax. The runtime code changes shown in the diff are mostly internal variable renames and test/tooling adjustments, with no documented API change.

    Labels: Features
  • 5.0.1

    2023-10-26

    hast-util-sanitize 5.0.1 tightens its default sanitization schema and adjusts how tag-specific attribute rules interact with the generic `*` rules. The release notes call out removing non-working `rel` and `target` attributes, plus a fix so that `*` attributes are still allowed when tag-specific rules also exist.

    Labels: Breaking
  • 5.0.0

    2023-08-03

    Release 5.0.0 updates hast-util-sanitize for newer ecosystem versions and aligns its default sanitization behavior with GitHub. The release notes explicitly mention a Node.js 16 requirement, switching to `exports`, and schema-related fixes including doctype handling. The code diff shows a much larger schema and API refactor than what is described in the notes.

    Labels: Breaking
  • 4.1.0

    2023-01-03

    hast-util-sanitize 4.1.0 adds support for regular expressions in the sanitization schema, so that allowed property values can be matched by pattern. The release also includes documentation and type-focused updates (README and generated type definitions), but the runtime change centers on schema value matching.

    Labels: Features
  • 4.0.0

    2021-04-30

    Release 4.0.0 moves the package to ESM and adds JSDoc-based typing support. The implementation was substantially refactored around ESM exports and a new in-code default schema export.

    Labels: Breaking, Features
  • 3.0.2

    2020-11-23

    Release 3.0.2 fixes an issue where `ancestors` enforcement did not work correctly when sanitizing a `root` node. The code change is small and localized to ancestor-checking logic, and the release includes new tests covering both normal traversal and `root` traversal.

  • 3.0.1

    2020-11-03

    Release 3.0.1 is primarily described as an internal refactor intended to improve bundle size, plus a documentation update adding an example for syntax highlighting related to allowed class values. The actual diff shows more than just refactoring and docs, including sanitizer implementation changes, TypeScript definition tweaks, dependency version bumps, and CI/release pipeline changes.

    Labels: Features
  • 3.0.0

    2020-07-20

    Release 3.0.0 primarily introduces TypeScript typings for `hast-util-sanitize`. In addition to adding `types/index.d.ts`, the package metadata and test setup were updated to publish and validate the new typings.

    Labels: Breaking, Features
  • 2.0.3

    2020-06-24

    Release 2.0.3 primarily adjusts the sanitization schema to allow `li` elements to appear outside of `ol`/`ul` containers. The code diff shows this behavior change implemented via updates to the tag ancestor rules in `lib/github.json`, along with various tooling/test/lint-related edits.

  • 2.0.2

    2020-02-28

    Release 2.0.2 primarily updates project metadata and documentation, adds a GitHub Sponsors-style funding entry to `package.json`, and expands the README with a security section. The provided diff also includes test coverage for a whitespace-prefixed `javascript:` payload and several dependency version range changes in `package.json`.