chore(deps): update dependency xmldom to v0.5.0 [security] #350
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.1.31
->0.5.0
GitHub Vulnerability Alerts
CVE-2021-21366
Impact
xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.
This may lead to unexpected syntactic changes during XML processing in some downstream applications.
Patches
Update to 0.5.0 (once it is released)
Workarounds
Downstream applications can validate the input and reject the maliciously crafted documents.
References
Similar to this one reported on the Go standard library:
For more information
If you have any questions or comments about this advisory:
xmldom/xmldom
npm owner ls xmldom
Release Notes
xmldom/xmldom (xmldom)
v0.5.0
Compare Source
Commits
Fixes
Avoid misinterpretation of malicious XML input -
GHSA-h6q6-9hqw-rwfv
(CVE-2021-21366)Improve error reporting; throw on duplicate attribute
BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them.
It's possible to configure the
DOMParser.errorHandler
before parsing, to handle those errors differently.To accomplish this and also be able to verify it in tests I needed to
Error
typeParseError
and export itParseError
fromerrorHandler.fatalError
and prevent those from being caught inXMLReader
.DOMHandler
constructor as__DOMHandler
Preserve quotes in DOCTYPE declaration
Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed
publicId
andsystemId
as is, including any quotes.BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping.
(Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)
https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)
Fix breaking preprocessors' directives when parsing attributes
#171
fix(dom): Escape
]]>
when serializing CharData#181
Switch to (only) MIT license (drop problematic LGPL license option)
#178
Export DOMException; remove custom assertions; etc.
#174
Docs
readme.md
#188
v0.4.0
Compare Source
Commits
Fixes
behavior from v0.1.27#67
#113
#156
#144
#91
#84
#66
Docs
#63
#78
#104
#79
#81
CI
#70
#77
#64
#106
#107
vows
tests, dropproof
tests#59
#114
xmltest
cases#112
#108
#86
Other
#131
,#65
,#33
v0.3.0
Compare Source
Commits
component.json
(deprecated package manager https://github.com/componentjs/guide)lib
subdirectory.files
entry inpackage.json
and remove use of.npmignore
.Document.getElementsByClassName
.Node
to the list of exportsentityMap
.v0.2.1
Compare Source
Commits
homepage
,repository
andbugs
URLs inpackage.json
.v0.2.0
Compare Source
Commits
[email protected]
by the original authors.Object.create
check from the_extends
method ofdom.js
that added a__proto__
property ().__proto__
propertypackage.json
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.