
Update dependency xmldom #45

Merged
merged 1 commit into from Jun 10, 2022

Conversation

karfau
Contributor

@karfau karfau commented Dec 26, 2021

Switching from package xmldom to @xmldom/xmldom, which resolves the security issue present in latest xmldom version 0.6.0:
GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0:
xmldom/xmldom#271

  • I only changed all occurrences of xmldom, I didn't execute npm install or any other scripts.
  • Since there is no package-lock.json, I have no idea what version of xmldom people were actually using (depends on the time of running npm install), so I'm just assuming everybody was using 0.6.0
  • fixes Please move from xmldom to @xmldom/xmldom #41

I'm one of the xmldom maintainers. Don't hesitate to ask me questions about it.

Changes in xmldom since 0.6.0

0.8.0 (https://github.com/xmldom/xmldom/compare/0.7.5...0.8.0)

Fixed

  • Normalize all line endings according to XML specs 1.0 and 1.1
    BREAKING CHANGE: Certain combinations of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
  • XMLSerializer: Preserve whitespace character references #284 / #310
    BREAKING CHANGE: If you relied on the non-spec-compliant preservation of literal \t, \n or \r in attribute values: to preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. &#9;, &#10;, &#13;).
  • Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309
    BREAKING CHANGE: Use the one provided by the main package export.
  • dom: Remove all links as part of removeChild #343 / #355

Chore

  • ci: Restore latest tested node version to 16.x #325
  • ci: Split test and lint steps into jobs #111 / #304
  • Pinned and updated devDependencies

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions

0.7.5

Commits

Fixes:

0.7.4

Commits

Fixes:

  • Restore ability to parse __prototype__ attributes #315
    Thank you @dsimsonOMF

0.7.3

Commits

Fixes:

  • Add doctype when parsing from string #277 / #301
  • Correct typo in error message #294
    Thank you @rrthomas

Refactor:

  • Improve exports & require statements, new main package entry #233

Docs:

  • Fix Stryker badge #298
  • Fix link to help-wanted issues #299

Chore:

  • Execute stryker:dry-run on branches #302
  • Fix stryker config #300
  • Split test and lint scripts #297
  • Switch to stryker dashboard owned by org #292

0.7.2

Commits

Fixes:

  • Types: Add index.d.ts to packaged files #288
    Thank you @forty

0.7.1

Commits

Fixes:

  • Types: Copy types from DefinitelyTyped #283
    Thank you @kachkaev

Chore:

  • package.json: remove author, maintainers, etc. #279

0.7.0

Commits

Due to #271 this version was published as

  • unscoped xmldom package to github (git tags 0.7.0 and 0.7.0+unscoped)
  • scoped @xmldom/xmldom package to npm (git tag 0.7.0+scoped)
    For more details look at #278

Fixes:

  • Security: Misinterpretation of malicious XML input CVE-2021-32796
  • Implement Document.getElementsByClassName as specified #213, thank you @ChALkeR
  • Inherit namespace prefix from parent when required #268
  • Handle whitespace in closing tags #267
  • Update DOMImplementation according to recent specs #210
    BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
  • No longer serializes any namespaces with an empty URI #244
    (related to #168 released in 0.6.0)
    BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
  • Set localName as part of Document.createElement #229, thank you @rrthomas

CI

  • We are now additionally running tests against node v16
  • Stryker tests on the master branch now run against node v14

Docs

  • Describe relations with and between specs: #211, #247
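The two 0.8.0 entries above (line-ending normalization and preservation of whitespace character references) both come from rules in the XML specification. As an added illustration that is not code from xmldom or from this PR, the following Node script writes those rules out by hand: end-of-line handling (XML 1.0 and 1.1, section 2.11), attribute-value normalization for CDATA attributes (XML 1.0, section 3.3.3), and the serializer side that writes tab, LF and CR back as decimal character references so a document round-trips. All function names are this example's own; xmldom's implementation is not shown here.

```javascript
'use strict';
// Added example, not part of xmldom or this PR: the XML normalization rules
// behind the 0.8.0 changelog entries, written out by hand.
//
// Rule 1 (XML 1.0/1.1 section 2.11): before parsing, line-break sequences are
// translated to a single "\n".  XML 1.0 handles "\r\n" and lone "\r"; XML 1.1
// additionally handles "\r\u0085", "\u0085" (NEL) and "\u2028" (LINE SEPARATOR).
function normalizeLineEndings(text, version = '1.0') {
  if (version === '1.1') {
    return text.replace(/\r\n|\r\u0085|\u0085|\u2028|\r/g, '\n');
  }
  return text.replace(/\r\n|\r/g, '\n');
}

const PREDEFINED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Expand one reference token ("&#9;", "&#x0A;", "&lt;") to the character it denotes.
function expandReference(ref) {
  const m = /^&(#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));$/.exec(ref);
  if (!m) throw new Error(`malformed reference: ${ref}`);
  if (m[2] !== undefined) return String.fromCodePoint(parseInt(m[2], 16));
  if (m[3] !== undefined) return String.fromCodePoint(parseInt(m[3], 10));
  if (m[4] in PREDEFINED) return PREDEFINED[m[4]];
  throw new Error(`unknown entity: ${ref}`);
}

// Rule 2 (XML 1.0 section 3.3.3): normalize the raw text between the quotes of
// a CDATA-typed attribute.  A literal whitespace character (tab, LF, or a CR
// that survived because rule 1 was skipped) becomes a single space, whereas a
// character reference is replaced by the referenced character and so survives.
function normalizeAttributeValue(raw) {
  let out = '';
  for (let i = 0; i < raw.length; i++) {
    const c = raw[i];
    if (c === '&') {
      const end = raw.indexOf(';', i);
      if (end === -1) throw new Error('unterminated reference in attribute');
      out += expandReference(raw.slice(i, end + 1));
      i = end;
    } else if (c === '\t' || c === '\n' || c === '\r') {
      out += ' ';
    } else {
      out += c;
    }
  }
  return out;
}

// Serializer side: escape markup characters, and write whitespace other than a
// plain space as a decimal character reference (hexadecimal forms such as
// "&#x9;" are equivalent) so that parse -> serialize -> parse is lossless.
function serializeAttributeValue(value) {
  return value.replace(/[&<"\t\n\r]/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '"': return '&quot;';
      case '\t': return '&#9;';
      case '\n': return '&#10;';
      default: return '&#13;'; // '\r'
    }
  });
}

// Full cycle for one attribute value: raw source text -> parsed value -> serialized text.
function roundTripAttribute(rawSource, version = '1.0') {
  const parsed = normalizeAttributeValue(normalizeLineEndings(rawSource, version));
  return { parsed, serialized: serializeAttributeValue(parsed) };
}

// Demo on constructed input: the literal tab is lost (it becomes a space), the
// literal CRLF is likewise reduced to a space, and only the character
// reference survives and is written back out as "&#9;".
console.log(roundTripAttribute('a\tb'));     // { parsed: 'a b', serialized: 'a b' }
console.log(roundTripAttribute('x\r\ny'));   // { parsed: 'x y', serialized: 'x y' }
console.log(roundTripAttribute('a&#9;b'));   // { parsed: 'a\tb', serialized: 'a&#9;b' }
```

The practical consequence for anyone consuming XML through a library that follows these rules is the one the changelog states: whitespace that must survive inside an attribute has to be written as a character reference in the source document, and any comparison or signature computed over the raw attribute text before parsing will not match the value the DOM exposes.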

@kewisch kewisch merged commit b490158 into kewisch:main Jun 10, 2022
@kewisch
Owner

kewisch commented Jun 10, 2022

Thanks so much for taking care, and apologies for the delay. I'm not able to keep up with github notifications. I should probably update this library to 2022 and add a package lock, though I am not using this library actively so I haven't gotten around to it.

@karfau karfau deleted the upgrade-xmldom branch June 10, 2022 11:11