Upgrades dependency xmldom #2900
Conversation
Thank you and we appreciate your help! 👏
Hey @karfau, is the new version backwards compatible? It seems like some of our tests are breaking.
So what I did to reproduce the error was:
Which is related to the following breaking change in 0.8.0:
I checked the test source code and found that there is a literal
From the test code it looks like you are transforming linux path separator (
If your intention is to have and preserve a "literal tab" in attribute values you need to put
We now have two options:
Let me know which way you prefer.
Thank you for looking into it and I appreciate your help. If 0.7.5 is backwards compatible, let's use it for now. We'll then do another round of reviews to update our code to work with v0.8. Once again, thank you!
Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0: GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0: xmldom/xmldom#271

- The reference to `@types/xmldom` can be dropped, since xmldom now comes with types as part of the package.
- I used node 16 to run `npm install`, which updated the npm-shrinkwrap.json.
- I didn't attempt to run the project on my machine, but I'm hoping for the CI checks to cover the important things.
- The package `adaptive-expressions` has a dependency on `@xmldom/xmldom@0.7.5`, so if you prefer I can also change the PR to point to that version in the package.json. I didn't find any tools that support this project in keeping dependencies up to date, so I'm not sure which way you would prefer.

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.
due to failing tests #2900 (comment)
@waldekmastykarz I rebased onto master and force pushed with the upgrade to 0.7.5
Awesome! I appreciate the effort @karfau. We'll review and merge the PR asap. 👍
@waldekmastykarz any update on this?
We've just done a release yesterday and to avoid last-minute changes we'll merge it in the coming few days. Thank you for checking in.
I'm assuming you will take care of merging this into your upcoming v5, right? PS: Since all existing xmldom versions have security issues you might want to evaluate if it's reasonable to deprecate versions using that dependency.
Yes, we'll merge it into a preview version v4.4, which is backwards compatible and which we'll release this week and which will roll up into v5 at the end of February. Considering the usage patterns of CLI for Microsoft 365, I don't think there's a way for this vulnerability to be exploited because it's the user running the command who specifies the XML. I appreciate you thinking together with us.
Thank you for the patch 👏
Merged manually. Thank you! 👍
Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0: GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0: xmldom/xmldom#271

- The reference to `@types/xmldom` can be dropped, since xmldom now comes with types as part of the package.
- I used node 16 to run `npm install`, which updated the npm-shrinkwrap.json.
- `@xmldom/xmldom@0.7.5`, so you have more time to resolve the issue that exists with version 0.8.0.

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.
Changes in xmldom since 0.6.0

## [0.8.0](https://github.com/xmldom/xmldom/compare/0.7.5...0.8.0)

Fixed:
- BREAKING CHANGE: Certain combinations of line break characters are normalized to a single `\n` before parsing takes place and will no longer be preserved. #303 / #307
- #49, #97, #324 / #314
- #284 / #310
  BREAKING CHANGE: If you relied on the not spec compliant preservation of literal `\t`, `\n` or `\r` in attribute values. To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. `&#x9;`, `&#xA;`, `&#xD;`).
- `DOMImplementation` and `XMLSerializer` from `lib/dom-parser.js` #53 / #309
  BREAKING CHANGE: Use the one provided by the main package export.
- `removeChild` #343 / #355

Chore:
- #325
- #111 / #304

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions
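The two breaking changes above (line-end normalization, and the end of the non-spec preservation of literal `\t`, `\n` and `\r` in attribute values) are the ones the PR thread traces the failing tests to. What follows is an added example written for this page, not code from xmldom or from CLI for Microsoft 365: it models XML 1.0 attribute-value normalization the way a spec-compliant parser applies it, next to the escaping a producer has to do so that tabs and line breaks survive. The function names, the sample string, and the restriction to the five predefined entities (no DTD) are assumptions of the example.

```javascript
// Added example, not part of xmldom or CLI for Microsoft 365.
// Models what a spec-compliant parser (xmldom >= 0.8.0) does with whitespace
// in attribute values, and how to write XML whose tabs / line breaks survive.

// Hexadecimal character references for the three whitespace control characters
// that attribute-value normalization would otherwise turn into plain spaces.
const WHITESPACE_REFS = { '\t': '&#x9;', '\n': '&#xA;', '\r': '&#xD;' };

// Producer side: escape a value for use inside a double-quoted attribute.
// Besides the usual &, < and " escapes, a literal tab, LF or CR becomes a
// numeric character reference, which normalization leaves untouched.
function escapeAttributeValue(value) {
  return value.replace(/[&<"\t\n\r]/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '"': return '&quot;';
      default: return WHITESPACE_REFS[ch];
    }
  });
}

// Parser side: XML 1.0 attribute-value normalization for a CDATA attribute
// (section 3.3.3), applied to the raw text between the quotes:
//  - CR LF or a lone CR is first normalized to a single LF (section 2.11),
//  - a literal tab or LF is replaced by one space (#x20),
//  - a character reference is resolved and appended *without* normalization,
//    which is why &#x9; survives while a literal tab does not,
//  - only the five predefined entities are resolved (assumption: no DTD).
function normalizeAttributeValue(raw) {
  const PREDEFINED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  let out = '';
  let i = 0;
  while (i < raw.length) {
    const ch = raw[i];
    if (ch === '&') {
      const end = raw.indexOf(';', i);
      if (end === -1) throw new Error(`unterminated reference at offset ${i}`);
      const ref = raw.slice(i + 1, end);
      if (ref.startsWith('#x')) {
        out += String.fromCodePoint(parseInt(ref.slice(2), 16));
      } else if (ref.startsWith('#')) {
        out += String.fromCodePoint(parseInt(ref.slice(1), 10));
      } else if (Object.prototype.hasOwnProperty.call(PREDEFINED, ref)) {
        out += PREDEFINED[ref];
      } else {
        throw new Error(`unknown entity reference &${ref};`);
      }
      i = end + 1;
      continue;
    }
    if (ch === '\r') {
      if (raw[i + 1] === '\n') i++; // CR LF is one line end
      out += ' ';
    } else if (ch === '\n' || ch === '\t') {
      out += ' ';
    } else {
      out += ch;
    }
    i++;
  }
  return out;
}

// Constructed sample (not taken from the PR's tests): a tab-separated value
// followed by a Windows line ending. Note that in JavaScript source the string
// 'C:\temp' already contains a tab, which is one way a path acquires one.
const sample = 'C:\\Users\\me\tcol2\r\nrow2';

// Written literally into the attribute, the tab and the CRLF collapse to spaces.
function parseLiteral() {
  return normalizeAttributeValue(sample);
}

// Escaped first, the same parser hands the original value back unchanged.
function parseEscaped() {
  return normalizeAttributeValue(escapeAttributeValue(sample));
}

console.log(JSON.stringify(parseLiteral()));  // "C:\\Users\\me col2 row2"
console.log(JSON.stringify(parseEscaped()));  // same as JSON.stringify(sample)
```

The round trip through `escapeAttributeValue` is the fix the changelog entry asks for; `escapeAttributeValue(x)` is equivalent to what the old pre-0.8.0 behaviour silently did for you. When a test fixture is meant to carry a Windows path, the safer change is usually to double the backslash in the source string rather than to keep a real tab in the XML.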
## 0.7.5

Fixes:
- #319 / #321

Thank you @lupestro

## 0.7.4

Fixes:
- `__prototype__` attributes #315

Thank you @dsimsonOMF

## 0.7.3

Fixes:
- #277 / #301
- #294

Thank you @rrthomas

Refactor:
- #233

Docs:
- #298
- #299

Chore:
- #302
- #300
- #297
- #292

## 0.7.2

Fixes:
- #288

Thank you @forty

## 0.7.1

Fixes:
- #283

Thank you @kachkaev

Chore:
- #279

## 0.7.0

Due to #271 this version was published as
- `xmldom` package to github (git tags `0.7.0` and `0.7.0+unscoped`)
- `@xmldom/xmldom` package to npm (git tag `0.7.0+scoped`)

For more details look at #278

Fixes:
- CVE-2021-32796
- `Document.getElementsByClassName` as specified #213, thank you @ChALkeR
- #268
- #267
- `DOMImplementation` according to recent specs #210
  BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
- #244 (related to #168 released in 0.6.0)
  BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
- `localName` as part of `Document.createElement` #229, thank you @rrthomas

CI

Docs:
- #211, #247