Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency xmldom to v0.5.0 [security] #350

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 15, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
xmldom 0.1.31 -> 0.5.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-21366

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

For more information

If you have any questions or comments about this advisory:

  • Open an issue in xmldom/xmldom
  • Email us: send an email to all addresses that are shown by npm owner ls xmldom

Release Notes

xmldom/xmldom (xmldom)

v0.5.0

Compare Source

Commits

Fixes
  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute
      BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them.
      It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler
    • Preserve quotes in DOCTYPE declaration
      Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes.
      BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping.
      (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
      https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors' directives when parsing attributes #171

  • fix(dom): Escape ]]> when serializing CharData #181

  • Switch to (only) MIT license (drop problematic LGPL license option) #178

  • Export DOMException; remove custom assertions; etc. #174

Docs
  • Update MDN links in readme.md #188

v0.4.0

Compare Source

Commits

Fixes
  • BREAKING Restore   behavior from v0.1.27 #67
  • BREAKING Typecheck source param before parsing #113
  • Include documents in package files list #156
  • Preserve doctype with sysid #144
  • Remove ES6 syntax from getElementsByClassName #91
  • Revert "Add lowercase of åäö in entityMap" due to duplicate entries #84
  • fix: Convert all line separators to LF #66
Docs
  • Update CHANGELOG.md through version 0.3.0 #63
  • Update badges #78
  • Add .editorconfig file #104
  • Add note about import #79
  • Modernize & improve the example in readme.md #81
CI
  • Add Stryker Mutator #70
  • Add Stryker action to update dashboard #77
  • Add Node GitHub action workflow #64
  • add & enable eslint #106
  • Use eslint-plugin-es5 to enforce ES5 syntax #107
  • Recover vows tests, drop proof tests #59
  • Add jest tessuite and first tests #114
  • Add jest testsuite with xmltest cases #112
  • Configure Renovate #108
  • Test European HTML entities #86
  • Updated devDependencies
Other
  • Remove files that are not of any use #131, #65, #33

v0.3.0

Compare Source

Commits

v0.2.1

Compare Source

Commits

  • Correct homepage, repository and bugs URLs in package.json.

v0.2.0

Compare Source

Commits


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Mar 15, 2023
@renovate renovate bot changed the title chore(deps): replace dependency xmldom with @xmldom/xmldom 0.7.5 [security] chore(deps): replace dependency xmldom with @xmldom/xmldom 0.7.5 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-xmldom-vulnerability branch December 8, 2024 18:18
@github-actions github-actions bot locked and limited conversation to collaborators Dec 8, 2024
@renovate renovate bot changed the title chore(deps): replace dependency xmldom with @xmldom/xmldom 0.7.5 [security] - autoclosed chore(deps): replace dependency xmldom with @xmldom/xmldom 0.7.5 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-xmldom-vulnerability branch from a6477e0 to 5f08cfa Compare December 8, 2024 23:44
@renovate renovate bot changed the title chore(deps): replace dependency xmldom with @xmldom/xmldom 0.7.5 [security] chore(deps): update dependency xmldom to v0.5.0 [security] Dec 8, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants