
chore(deps): bump dompurify and http-proxy-middleware (security)#41289

Open
rusackas wants to merge 1 commit into master from chore/bump-vuln-npm-transitives

Conversation

@rusackas

Member

SUMMARY

Lockfile-only transitive bumps in superset-frontend to clear open Dependabot alerts, done via npm update --package-lock-only (no package.json changes, bumped within existing semver ranges):

  • dompurify 3.4.7 → 3.4.11 — the runtime HTML/XSS sanitizer. Clears the medium (#1374) and two low alerts, and dedupes the nested 3.4.11 copies that were already in the tree.
  • http-proxy-middleware 2.0.9 → 2.0.10 (dev) — clears #1381.

Why not the others (yet)

I looked at the rest of the npm/yarn security alerts and intentionally left them out of this PR:

  • esbuild (superset-frontend, low/dev) — held at 0.27.x by storybook (its range doesn't allow 0.28); bumping needs a forced override that risks breaking Storybook.
  • tar (superset-frontend, medium/dev) — pinned exactly to 7.5.11 by lerna; needs a scoped override of a build tool's pin.
  • js-yaml (multiple, medium) — most flagged copies are the 3.x line (a different major, not bumpable to the 4.2.0 fix) or 4.1.1 copies pinned by parents; needs overrides.
  • @babel/core (low/dev) — only bumps with large unrelated lockfile churn.
  • ws (docs/yarn.lock, "high") — a docs-site build/dev-server dep; the ^7.x and ^8.x consumers need different fixed versions and yarn 1 can't scope that cleanly without risk. Low real exposure for a static docs build.

Happy to do follow-ups for any of those if we decide the override/churn tradeoff is worth it.

TESTING INSTRUCTIONS

CI (npm ci validates the lockfile). No source changes.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

Lockfile-only transitive bumps in superset-frontend addressing open Dependabot
alerts:
- dompurify 3.4.7 -> 3.4.11 (the runtime XSS sanitizer; fixes the medium and
  two low alerts; also dedupes nested 3.4.11 copies)
- http-proxy-middleware 2.0.9 -> 2.0.10 (dev)

Both bumped within existing semver ranges via `npm update --package-lock-only`,
so no package.json changes. Other flagged transitives (esbuild, tar, js-yaml,
@babel/core, ws-in-docs) are left out: they're held by parent pins
(storybook/lerna), need forced overrides with breakage risk, or are dev/docs-only
with low real exposure.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
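The check a reviewer would want for a lockfile-only bump like this one is whether any hoisted or nested copy of the flagged packages is still below the fixed version. The following Node script is an added example, not code from this PR or from the Superset project: it walks the flat "packages" map of a lockfileVersion 2/3 package-lock.json and reports every copy below the versions named above. The sample lockfile and the FIXES map are constructed assumptions, and the version comparison handles only plain x.y.z versions.

```javascript
// Added example (not from the PR or Superset): audit a lockfileVersion 2/3
// package-lock.json for every installed copy of a package, hoisted or nested,
// and flag copies still below a fixed version. Keys look like "node_modules/a/node_modules/dompurify".

// Compare plain x.y.z versions; returns -1, 0 or 1 (prerelease tags not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` with its path, version and dev flag.
function findCopies(lock, name) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, meta]) => ({ path, version: meta.version, dev: !!meta.dev }));
}

// Minimum fixed versions, taken from the PR description.
const FIXES = { dompurify: '3.4.11', 'http-proxy-middleware': '2.0.10' };
// One finding line per copy that is still below its fixed version.
function auditLock(lock, fixes = FIXES) {
  const findings = [];
  for (const [name, fixed] of Object.entries(fixes)) {
    for (const c of findCopies(lock, name)) {
      if (compareVersions(c.version, fixed) < 0) {
        findings.push(`${c.path}@${c.version} < ${fixed}${c.dev ? ' (dev)' : ''}`);
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (assumption), shaped like the pre-bump tree the PR
// describes: a hoisted dompurify 3.4.7 beside a nested copy already at 3.4.11.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/dompurify': { version: '3.4.7' },
    'node_modules/some-lib/node_modules/dompurify': { version: '3.4.11' },
    'node_modules/http-proxy-middleware': { version: '2.0.9', dev: true },
  },
};
console.log(auditLock(sampleLock)); // two findings: dompurify 3.4.7 and http-proxy-middleware 2.0.9
```

After the bump, running the same audit against the real superset-frontend/package-lock.json should return an empty list for both packages.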
@bito-code-review

Contributor

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).

@bito-code-review

bito-code-review Bot commented Jun 22, 2026

Contributor

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@netlify

netlify Bot commented Jun 22, 2026


Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 7005aa8
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a39837849d9c70008160a5a
😎 Deploy Preview https://deploy-preview-41289--superset-docs-preview.netlify.app

@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.34%. Comparing base (27a6525) to head (7005aa8).
⚠️ Report is 2 commits behind head on master.

@@            Coverage Diff             @@
##           master   #41289      +/-   ##
==========================================
- Coverage   64.34%   64.34%   -0.01%     
==========================================
  Files        2653     2653              
  Lines      145015   145015              
  Branches    33459    33459              
==========================================
- Hits        93310    93304       -6     
- Misses      50022    50028       +6     
  Partials     1683     1683              
Flag Coverage Δ
javascript 68.55% <ø> (-0.01%) ⬇️


@rusackas rusackas requested a review from sadpandajoe June 22, 2026 23:14
2 participants