Release 0.7.x (Security & scoped package)

[karfau]

This package is now published to npm as @xmldom/xmldom!

0.7.13

Fixed

• dom: prevent iteration over deleted items #514/ #499

Thank you, @qtow, for your contributions

0.7.12

Fixed

• Set nodeName property in ProcessingInstruction #509 / #505

Thank you, @cjbarth, for your contributions

0.7.11

Fixed

• extend list of HTML entities #489

Thank you, @zorkow, for your contributions

0.7.10

Fixed

• properly parse closing where the last attribute has no value #485 / #486

Thank you, @bulandent, for your contributions

0.7.9

Fixed

• Properly check nodes before replacement #457 / #455 / #456

Thank you, @edemaine, @pedro-l9, for your contributions

0.7.8

Commits

Fixed

• fix: Restore ES5 compatibility #452 / #453

Thank you, @fengxinming, for your contributions

0.7.7

Commits

Fixed

• Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353
  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly.
  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
  Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.7.6

Commits

Fixed

• Avoid iterating over prototype properties #441 / #437 / #436

Thank you, @jftanner, @Supraja9726 for your contributions

0.7.5

Commits

Fixes:

• Preserve default namespace when serializing #319 / #321
  Thank you @lupestro

0.7.4

Commits

Fixes:

• Restore ability to parse __prototype__ attributes #315
  Thank you @dsimpsonOMF

0.7.3

Commits

Fixes:

• Add doctype when parsing from string #277 / #301
• Correct typo in error message #294
  Thank you @rrthomas

Refactor:

• Improve exports & require statements, new main package entry #233

Docs:

• Fix Stryker badge #298
• Fix link to help-wanted issues #299

Chore:

• Execute stryker:dry-run on branches #302
• Fix stryker config #300
• Split test and lint scripts #297
• Switch to stryker dashboard owned by org #292

0.7.2

Commits

Fixes:

• Types: Add index.d.ts to packaged files #288
  Thank you @forty

0.7.1

Commits

Fixes:

• Types: Copy types from DefinitelyTyped #283
  Thank you @kachkaev

Chore:

• package.json: remove author, maintainers, etc. #279

0.7.0

Commits

Due to #271 this version was published as

• unscoped xmldom package to github only (git tags 0.7.0 and 0.7.0+unscoped)
• scoped @xmldom/xmldom package to npm (github release/tag 0.7.0+scoped)
  For more details look at #278

Fixes:

• Security: Misinterpretation of malicious XML input CVE-2021-32796
• Implement Document.getElementsByClassName as specified #213, thank you @ChALkeR
• Inherit namespace prefix from parent when required #268
• Handle whitespace in closing tags #267
• Update DOMImplementation according to recent specs #210
  BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
• No longer serializes any namespaces with an empty URI #244
  (related to #168 released in 0.6.0)
  BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
• Set localName as part of Document.createElement #229, thank you @rrthomas

CI

• We are now additionally running tests against node v16
• Stryker tests on the master branch now run against node v14

Docs

• Describe relations with and between specs: #211, #247

[karfau]

(The issue has been resolved, the package is now published as @xmldom/xmldom)

FYI: We are currently not able to publishing this package to npm, you can subscribe to that issue to get notified about status updates.

As a workaround I uploaded the package in the release on github.

It's also possible to install it using the github tag,
either by running npm install github:xmldom/xmldom#0.7.0

or by manually modifying your package.json:

-  "xmldom": "0.6.0"
+  "xmldom": "github:xmldom/xmldom#0.7.0"

Just keep in mind: In case you are using a tool to provide PRs for package updates, that you might need change it back to just the version string, before you might get future updates. (Check the details of your tool.)

[forty]

@karfau is there anything we can do to help this going faster? How was the access lost? I'm happy to tweet @ npm or send emails if that can help ;)

[pkalantri-ebsco]

Any update on this? We are having the same issue at my clients as @jquintozamora where we can't import this directly via github (by policy).

[brodybits]

Please watch #271 for the updates, thanks.

We may need 1-2 weeks or so to discuss how we lost access, etc.

[Schwad]

👀

Watching; thanks for the updates

[slawekjaranowski]

after

npm install github:xmldom/xmldom#0.7.0

and commit I have error on CI..

npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/xmldom/xmldom.git
npm ERR! 
npm ERR! Warning: Permanently added the RSA host key for IP address '192.30.255.112' to the list of known hosts.
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.

s4u/maven-settings-action#133

[XhmikosR]

@karfau can't you just cut a 0.7.1?

BTW please try to keep security fixes as patch versions because right now every downstream package has to manually update to the new version :/

[XhmikosR]

I don't use yarn nor I want to use github directly. It's not safe to use packages through GitHub.

[djejaquino]

xmldom is a zero-dependency package, which means installing it from GitHub is as safe as installing from NPM.

Anyways, I guess you will have to wait 🤷

[karfau]

@XhmikosR

can't you just cut a 0.7.1?

To solve what problem? Do you mean 0.6.1?

I'm aware that we are currently releasing security releases together with breaking changes. (As the version of xmldom indicates, it is not stable.)

The "breaking" changes released in 0.7.0 hopefully do not really affect anybody that's why we did not release a version 0.6.1, but it would still be possible if somebody is not able to upgrade to 0.7.0.

I'm thinking about adding semantic releases in the near future, so any change would be released right away. But the priority/resources for this are not clear yet

[karfau]

@XhmikosR see #270 (comment)

[admosity]

Works with https://www.npmjs.com/package/npm-force-resolutions for npm users.

[hansemannn]

Thanks for being so responsive on this, @karfau!

[karfau]

Please comment on this thread with some details why you can not upgrade to 0.7.0 and need a 0.6.1 for the security fix.
This is not about the issue regarding publishing to npm!

[karfau]

@forty This makes sense.
As soon as we are able to publish again, I will release this one as well.

[forty]

Thanks!

[karfau]

According to the download stats in the npm registry it even makes sense to publish 0.5.1:

I prepared the branches for the two versions already.

[karfau]

@forty due to the new package name I would expect that people need to anyways do a manual step to update.

Do you think we should still invest the time to publish 0.6.1 (or even 0.5.1) with the new package name? And for what reason?

[forty]

Agreed, the package name change makes it useless to publish updates on older versions 👍

[andurmon]

Hi @karfau any updates on this issue? the temporary fix of using "xmldom": "github:xmldom/xmldom#0.7.0" in the package-lock works smoothly locally. However my team has issues deploying and installing packages that are not in the npm registry. Apparently our deploy pipeline simply cannot find anything outside the npm registry.

[karfau]

According to the current status of #271 we will need to publish the package under the @xmldom scope, we "just" to decide on the name.

[forty]

@xmldom/xmldom ?

[RopoMen]

@andurmon if you are using nmp ci / i´ on your CI pipeline, remember that your CI runner or container that is executing that command must have git` installed. If you are using yarn, then you do not need ´git´ as your dependency.

Whyt it works locally? well, most developers has git already installed.

[karfau]

We will soon publish the fixed versions under the @xmldom scope to npm, the "fully qualified name" of the library will switch to @xmldom/xmldom. For details see #278

[karfau]

0.7.0 has been released yesterday.
It had a regression regarding types, since the unscoped package was typed via @types/xmldom.
0.7.1 has been released just some minutes ago and includes those types.