Replies: 5 comments 27 replies
-
(The issue has been resolved, the package is now published as
- "xmldom": "0.6.0"
+ "xmldom": "github:xmldom/xmldom#0.7.0" Just keep in mind: In case you are using a tool to provide PRs for package updates, that you might need change it back to just the version string, before you might get future updates. (Check the details of your tool.) |
Beta Was this translation helpful? Give feedback.
-
@karfau can't you just cut a 0.7.1? BTW please try to keep security fixes as patch versions because right now every downstream package has to manually update to the new version :/ |
Beta Was this translation helpful? Give feedback.
-
Thanks for being so responsive on this, @karfau! |
Beta Was this translation helpful? Give feedback.
-
Please comment on this thread with some details why you can not upgrade to 0.7.0 and need a 0.6.1 for the security fix. |
Beta Was this translation helpful? Give feedback.
-
Hi @karfau any updates on this issue? the temporary fix of using "xmldom": "github:xmldom/xmldom#0.7.0" in the package-lock works smoothly locally. However my team has issues deploying and installing packages that are not in the npm registry. Apparently our deploy pipeline simply cannot find anything outside the npm registry. |
Beta Was this translation helpful? Give feedback.
-
This package is now published to npm as
@xmldom/xmldom
!0.7.13
Fixed
#514
/#499
Thank you, @qtow, for your contributions
0.7.12
Fixed
#509
/#505
Thank you, @cjbarth, for your contributions
0.7.11
Fixed
#489
Thank you, @zorkow, for your contributions
0.7.10
Fixed
#485
/#486
Thank you, @bulandent, for your contributions
0.7.9
Fixed
#457
/#455
/#456
Thank you, @edemaine, @pedro-l9, for your contributions
0.7.8
Commits
Fixed
#452
/#453
Thank you, @fengxinming, for your contributions
0.7.7
Commits
Fixed
CVE-2022-39353
In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like
<
and>
are encoded accordingly.In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity
Thank you, @frumioj, @cjbarth, @markgollnick for your contributions
0.7.6
Commits
Fixed
#441
/#437
/#436
Thank you, @jftanner, @Supraja9726 for your contributions
0.7.5
Commits
Fixes:
#319
/#321
Thank you @lupestro
0.7.4
Commits
Fixes:
__prototype__
attributes#315
Thank you @dsimpsonOMF
0.7.3
Commits
Fixes:
#277
/#301
#294
Thank you @rrthomas
Refactor:
#233
Docs:
#298
#299
Chore:
#302
#300
#297
#292
0.7.2
Commits
Fixes:
#288
Thank you @forty
0.7.1
Commits
Fixes:
#283
Thank you @kachkaev
Chore:
#279
0.7.0
Commits
Due to
#271
this version was published asxmldom
package to github only (git tags0.7.0
and0.7.0+unscoped
)@xmldom/xmldom
package to npm (github release/tag0.7.0+scoped
)For more details look at
#278
Fixes:
CVE-2021-32796
Document.getElementsByClassName
as specified#213
, thank you @ChALkeR#268
#267
DOMImplementation
according to recent specs#210
BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
#244
(related to
#168
released in 0.6.0)BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
localName
as part ofDocument.createElement
#229
, thank you @rrthomasCI
Docs
#211
,#247
Beta Was this translation helpful? Give feedback.
All reactions