Skip to content

CLDR-19055 site:(deps): Bump sitemap from 9.0.0 to 9.0.1 in /docs/site#5418

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/docs/site/sitemap-9.0.1
Open

CLDR-19055 site:(deps): Bump sitemap from 9.0.0 to 9.0.1 in /docs/site#5418
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/docs/site/sitemap-9.0.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 1, 2026

Bumps sitemap from 9.0.0 to 9.0.1.

Release notes

Sourced from sitemap's releases.

9.0.1 — Security Patch

Security Fixes

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream parser
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when maxEntries limit is exceeded
  • Many thanks to @​maru1009 For the report
Changelog

Sourced from sitemap's changelog.

9.0.1 — Security Patch

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files
Commits
  • 244f256 Merge pull request #477 from ekalinin/sec-fixes
  • 71718f3 chore: bump version to 9.0.1 and add changelog entry
  • d19d4c9 fix: destroy streams immediately on maxEntries breach in parseSitemapIndex (B...
  • 7ed774e fix: reject absolute destinationDir paths to prevent arbitrary write (BB-04)
  • dde5c5e fix: cap parser error collection to prevent memory DoS (BB-03)
  • 81df466 fix: enforce 50k URL limit in XMLToSitemapItemStream parser (BB-02)
  • 8a8e0b8 fix: prevent XML injection via unvalidated xslUrl in SitemapIndexStream
  • 723d8e7 Merge pull request #472 from ekalinin/dependabot/npm_and_yarn/express-5.2.0
  • b5138f1 Merge pull request #470 from ekalinin/dependabot/npm_and_yarn/glob-10.5.0
  • 52d9477 build(deps-dev): bump express from 5.1.0 to 5.2.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
CLDR-19055 site:(deps): Bump sitemap from 9.0.0 to 9.0.1 in /docs/site
77e666d 
Bumps [sitemap](https://github.com/ekalinin/sitemap.js) from 9.0.0 to 9.0.1.
- [Release notes](https://github.com/ekalinin/sitemap.js/releases)
- [Changelog](https://github.com/ekalinin/sitemap.js/blob/master/CHANGELOG.md)
- [Commits](ekalinin/sitemap.js@9.0.0...9.0.1)

---
updated-dependencies:
- dependency-name: sitemap
  dependency-version: 9.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 1, 2026
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Mar 1, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 cldr-next 77e666d Commit Preview URL

Branch Preview URL		 Mar 01 2026, 09:00 AM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@srl295 srl295

@btangmu btangmu

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@srl295 @btangmu