Conversation

@renovate renovate bot commented Oct 20, 2025

This PR contains the following updates:

Package Change Age Confidence
sitemap 8.0.0 -> 8.0.1 age confidence

Release Notes

ekalinin/sitemap.js (sitemap)

v8.0.1

Compare Source

SECURITY FIXES - This release backports comprehensive security patches from 9.0.0 to 8.0.x

Security Improvements
  • XML Injection Prevention: Enhanced XML entity escaping, added > character escaping, attribute name validation
  • Parser Security: Added resource limits (max 50K URLs, 1K images, 100 videos per sitemap), string length limits, URL validation (http/https only, max 2048 chars)
  • Protocol Injection Prevention: Block dangerous protocols (javascript:, data:, file:, ftp:) in sitemap index parser
  • DoS Protection: Memory exhaustion protection, URL length validation, date format validation (ISO 8601)
  • Path Traversal Prevention: Block .. sequences in file paths
  • Command Injection Fix: xmllint now uses stdin exclusively instead of file paths
  • Input Validation: Comprehensive validation for all user inputs - numbers (reject NaN/Infinity), dates (check Invalid Date), URLs, paths
  • XSS Prevention: XSL URL validation to prevent script injection
  • Namespace Security: Custom namespace validation (max 20, max 512 chars each)
Infrastructure
  • Added lib/constants.ts - Centralized security limits and constants
  • Added lib/validation.ts - Comprehensive validation functions
  • Added new security-related error classes
Backward Compatibility
  • 100% API compatible with 8.0.0
  • Added XMLToSitemapItemStream.error getter for backward compatibility (returns errors[0])
  • All existing valid inputs continue to work
  • Only rejects invalid/malicious inputs
  • Default ErrorLevel.WARN behavior unchanged
Dependencies Updated
  • sax: ^1.2.4 → ^1.4.1 (security updates)
Files Changed

17 files changed: 2,122 additions, 245 deletions

Testing
  • All 94 existing tests passing
  • No breaking changes to public API

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
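As an added illustration, not code from sitemap.js or from this PR, the helpers below apply the escaping and input-validation rules the release notes above list (XML entity escaping including `>`, http/https-only URLs capped at 2048 characters, `..` rejection in paths, finite numbers, ISO 8601 dates) to a single sitemap `<url>` entry; the function names and the exact limits are assumptions taken from the notes' wording.

```javascript
'use strict';
// Added example: constructed from the 8.0.1 release notes, not the library's code.
const MAX_URL_LENGTH = 2048;                       // limit named in the notes
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Escape the five XML special characters; '>' is the one the notes add.
function escapeXml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list http/https only: javascript:, data:, file: and ftp: URLs,
// relative URLs and unparsable strings are all rejected by construction.
function isSafeUrl(value) {
  if (typeof value !== 'string' || value.length > MAX_URL_LENGTH) return false;
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Reject any path with a '..' segment (assumed reading of "block .. sequences").
function isSafePath(p) {
  return typeof p === 'string' && !p.split(/[\\/]/).includes('..');
}

// Numbers must be finite: NaN and +/-Infinity are rejected.
function isValidNumber(n) {
  return typeof n === 'number' && Number.isFinite(n);
}

// Dates must look like ISO 8601 and parse to a valid Date (not "Invalid Date").
const ISO_8601 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2}))?$/;
function isValidIsoDate(s) {
  return typeof s === 'string' && ISO_8601.test(s) && !Number.isNaN(new Date(s).getTime());
}

// Build one <url> element, refusing the entry rather than emitting bad XML.
function renderUrlEntry({ loc, lastmod, priority }) {
  if (!isSafeUrl(loc)) throw new Error('invalid loc: must be http/https, <= 2048 chars');
  let xml = `<url><loc>${escapeXml(loc)}</loc>`;
  if (lastmod !== undefined) {
    if (!isValidIsoDate(lastmod)) throw new Error('invalid lastmod: expected ISO 8601');
    xml += `<lastmod>${lastmod}</lastmod>`;
  }
  if (priority !== undefined) {
    if (!isValidNumber(priority) || priority < 0 || priority > 1) throw new Error('invalid priority');
    xml += `<priority>${priority}</priority>`;
  }
  return xml + '</url>';
}
```

A query string such as `?b=1&c=2` in `loc` comes out as `&amp;` in the element text, while a `javascript:` or over-long `loc` is refused before any XML is produced.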

vercel bot commented Oct 20, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
canvas Ready Ready Preview Comment Oct 20, 2025 2:43am

@HugoRCD HugoRCD merged commit 9b42b38 into main Oct 20, 2025
6 checks passed
@HugoRCD HugoRCD deleted the renovate/all-minor-patch branch October 20, 2025 13:17