A security check with OWASP ZAP is flagging /js/purify.js (version 3.0.3) as vulnerable - with a high risk level - and recommends an upgrade to the latest version (currently 3.2.6).
Is there any reason for not upgrading, or can I go ahead and do it?
Yes, of course you may update yourself.
I see Purify.js has been upgraded in v2025.11.
Another js library is now being flagged (even though with medium risk level): jquery-ui v1.13.1.
The latest version is 1.14.1, but there are a few breaking changes added in 1.14.0:
https://blog.jqueryui.com/2024/08/jquery-ui-1-14-0-released/
Is it safe to upgrade, or are changes required?
It should be safe to replace it because the link you posted says:
jQuery UI 1.14 finally drops support for all versions of Internet Explorer & Edge Legacy.
This release has been tested against jQuery 1.12.4, 2.2.4, 3.6.4 & 3.7.1. Since jQuery follows semver, newer jQuery <4 versions within each major version line should generally work as well.
The version only drops support for older browsers. You don’t need to replace it if you don’t mind. If you still want to replace it, note that, according to the source, PHPMaker only uses:
Includes: widget.js, data.js, scroll-parent.js, widgets/draggable.js, widgets/mouse.js
You had better use the Download builder.