@dependabot dependabot bot commented on behalf of github Nov 1, 2025

Bumps sitemap from 8.0.0 to 8.0.2.

Release notes

Sourced from sitemap's releases.

8.0.2 - Bug Fix Release

🐛 Bug Fix Release

This release fixes issue #464 where xsi:schemaLocation attributes were incorrectly rejected by the custom namespace validator introduced in 8.0.1.

✅ Backward Compatibility

  • 100% API compatible with 8.0.1
  • No breaking changes
  • All existing code continues to work

🔧 Bug Fixes

#464 - Support xsi:schemaLocation in custom namespaces (thanks @dzakki)

  • Extended validation to accept namespace-qualified attributes like xsi:schemaLocation
  • Previously only xmlns:prefix="uri" format was accepted
  • Now also accepts prefix:attribute="value" format
  • Maintains all security validations from 8.0.1

📝 Example

The following now works correctly (as documented in README):

```javascript
const { SitemapStream } = require('sitemap');

const sms = new SitemapStream({
  xmlns: {
    custom: [
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
      'xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"'
    ]
  }
});
```

📊 Testing

  • ✅ All tests passing (116 existing + 8 new tests)
  • ✅ Security regression tests added
  • ✅ TypeScript compilation successful

📝 Installation

```bash
npm install sitemap@8.0.2
```

See CHANGELOG.md for complete details.


🤖 Generated with Claude Code

... (truncated)

Changelog

Sourced from sitemap's changelog.

8.0.2 - Bug Fix Release

Bug Fixes

  • fix #464: Support xsi:schemaLocation in custom namespaces - thanks @dzakki
    • Extended custom namespace validation to accept namespace-qualified attributes (like xsi:schemaLocation) in addition to xmlns declarations
    • The validation regex now matches both xmlns:prefix="uri" and prefix:attribute="value" patterns
    • Enables proper W3C schema validation while maintaining security validation for malicious content
    • Added comprehensive tests including security regression tests

Example Usage

The following now works correctly (as documented in README):

```javascript
const { SitemapStream } = require('sitemap');

const sms = new SitemapStream({
  xmlns: {
    custom: [
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
      'xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"'
    ]
  }
});
```

Testing

  • ✅ All existing tests passing
  • ✅ 8 new tests added covering positive and security scenarios
  • ✅ 100% backward compatible with 8.0.1

Files Changed

2 files changed: 144 insertions, 5 deletions

8.0.1 - Security Patch Release

SECURITY FIXES - This release backports comprehensive security patches from 9.0.0 to 8.0.x

Security Improvements

  • XML Injection Prevention: Enhanced XML entity escaping, added > character escaping, attribute name validation
  • Parser Security: Added resource limits (max 50K URLs, 1K images, 100 videos per sitemap), string length limits, URL validation (http/https only, max 2048 chars)
  • Protocol Injection Prevention: Block dangerous protocols (javascript:, data:, file:, ftp:) in sitemap index parser
  • DoS Protection: Memory exhaustion protection, URL length validation, date format validation (ISO 8601)
  • Path Traversal Prevention: Block .. sequences in file paths
  • Command Injection Fix: xmllint now uses stdin exclusively instead of file paths
  • Input Validation: Comprehensive validation for all user inputs - numbers (reject NaN/Infinity), dates (check Invalid Date), URLs, paths
  • XSS Prevention: XSL URL validation to prevent script injection
  • Namespace Security: Custom namespace validation (max 20, max 512 chars each)

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
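The release notes above describe the 8.0.2 change as widening a validation regex from `xmlns:prefix="uri"` to also accept `prefix:attribute="value"` while keeping the 8.0.1 limits (at most 20 custom entries of at most 512 characters). The following is an added example, not code from sitemap.js, showing what such an allow-list validator has to do so that the README's `xsi:schemaLocation` entry passes while attribute or tag injection is refused. The limits are the ones the changelog states; the name grammar, the duplicate and undeclared-prefix checks, the function names and the messages are assumptions for illustration.

```javascript
'use strict';

// Added example, not code from sitemap.js. It models the allow-list that a
// custom-namespace validator needs so that entries such as
// xsi:schemaLocation="..." pass while markup injection is rejected. The
// limits (20 entries, 512 characters each) are the ones the 8.0.1 changelog
// states; the name grammar, prefix bookkeeping and messages are assumptions.

const MAX_CUSTOM_NAMESPACES = 20;
const MAX_NAMESPACE_LENGTH = 512;

// Conservative XML name: letter or underscore, then letters, digits, '.', '_', '-'.
const NAME = '[A-Za-z_][A-Za-z0-9._-]*';
// Double-quoted value with nothing that can close the attribute, open new
// markup, or smuggle an entity reference: no '"', '<', '>', '&', CR or LF.
const VALUE = '"[^"<>&\\r\\n]*"';
// Two accepted shapes, as in the changelog: xmlns:prefix="uri" (8.0.1) and
// prefix:attribute="value" (added in 8.0.2). The second branch subsumes the
// first; both are spelled out to mirror the release notes.
const CUSTOM_ATTR = new RegExp(`^(?:xmlns:${NAME}|${NAME}:${NAME})=${VALUE}$`);
// xmlns:xmlns must never be declared and xmlns:xml may only be bound to its
// fixed URI; both declarations are refused outright here.
const RESERVED_PREFIXES = new Set(['xml', 'xmlns']);

function fail(reason) {
  return { ok: false, reason };
}

// Returns { ok: true, attrs } or { ok: false, reason } and never throws, so a
// caller can decide whether a rejected entry is a bug or an attack to log.
function checkCustomNamespaces(custom) {
  if (!Array.isArray(custom)) return fail('xmlns.custom must be an array');
  if (custom.length > MAX_CUSTOM_NAMESPACES)
    return fail(`too many custom namespaces (max ${MAX_CUSTOM_NAMESPACES})`);

  const declared = new Set(); // prefixes bound by an xmlns:prefix entry
  const used = new Set();     // prefixes used by prefix:attribute entries
  const names = new Set();    // full attribute names, to reject duplicates

  for (const entry of custom) {
    if (typeof entry !== 'string') return fail('custom namespace entry must be a string');
    if (entry.length > MAX_NAMESPACE_LENGTH)
      return fail(`custom namespace entry exceeds ${MAX_NAMESPACE_LENGTH} characters`);
    if (!CUSTOM_ATTR.test(entry)) return fail(`malformed custom namespace entry: ${entry}`);

    const name = entry.slice(0, entry.indexOf('='));
    if (names.has(name)) return fail(`duplicate attribute ${name}`);
    names.add(name);

    const [prefix, local] = name.split(':');
    if (prefix === 'xmlns') {
      if (RESERVED_PREFIXES.has(local)) return fail(`reserved prefix ${local}`);
      declared.add(local);
    } else {
      used.add(prefix);
    }
  }

  // A qualified attribute without its binding (xsi:schemaLocation with no
  // xmlns:xsi) would make the output not namespace-well-formed.
  for (const prefix of used) {
    if (!declared.has(prefix)) return fail(`prefix ${prefix} is used but not declared`);
  }
  return { ok: true, attrs: custom.slice() };
}

// Builds the <urlset> start tag the way a stream would, refusing bad input.
function urlsetStartTag(custom = []) {
  const result = checkCustomNamespaces(custom);
  if (!result.ok) throw new Error(result.reason);
  const attrs = ['xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"', ...result.attrs];
  return `<urlset ${attrs.join(' ')}>`;
}

// Constructed inputs: the README pair from the release notes, then attempts
// to break out of the attribute value or the start tag.
const README_CUSTOM = [
  'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
  'xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"',
];
const INJECTION_ATTEMPTS = [
  'xmlns:a="x"><script>alert(1)</script><urlset y="',  // closes the tag early
  'xmlns:a="x" onload="alert(1)"',                      // smuggles a second attribute
  'xmlns:a="&lt;x"',                                    // entity reference in the value
  'xsi:schemaLocation="http://example.com/a.xsd"',      // prefix never declared
  'xmlns:xmlns="http://example.com/"',                  // reserved prefix
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(urlsetStartTag(README_CUSTOM));
  for (const attempt of INJECTION_ATTEMPTS) console.log(checkCustomNamespaces([attempt]).reason);
}
```

Anchoring the regex with `^` and `$` and forbidding `"`, `<`, `>` and `&` inside the value is what turns the pattern from a "does it contain a namespace declaration" check into an allow-list: an entry either is exactly one attribute or it is rejected, which is the property the changelog's "security regression tests" are guarding.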

Bumps [sitemap](https://github.com/ekalinin/sitemap.js) from 8.0.0 to 8.0.2.
- [Release notes](https://github.com/ekalinin/sitemap.js/releases)
- [Changelog](https://github.com/ekalinin/sitemap.js/blob/master/CHANGELOG.md)
- [Commits](ekalinin/sitemap.js@8.0.0...8.0.2)

---
updated-dependencies:
- dependency-name: sitemap
  dependency-version: 8.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update Javascript code) labels Nov 1, 2025
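The 8.0.1 changelog quoted in the PR body lists the validation categories that this bump also pulls in: entity escaping extended to `>`, http/https-only URLs capped at 2048 characters, blocked `javascript:`, `data:`, `file:` and `ftp:` schemes, ISO 8601 dates checked against Invalid Date, and numbers that reject NaN and Infinity. The following is an added example, not code from sitemap.js, that applies those checks to a single `<url>` entry so the failure modes can be seen against constructed input. The function names, messages, the control-character check and the WHATWG `URL` based scheme check are assumptions; the limits are the ones the changelog states.

```javascript
'use strict';

// Added example, not code from sitemap.js. It demonstrates the categories of
// input validation the 8.0.1 changelog lists for a <url> entry: entity
// escaping that also covers '>', an http/https-only loc with a 2048-character
// cap, ISO 8601 lastmod checked against Invalid Date, and a priority that
// rejects NaN and Infinity. Function names and messages are assumptions.

const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Escape the five XML special characters. '>' is included: by itself it is
// harmless in text content, but escaping it removes "]]>" and tag-closing
// sequences from the output entirely.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// An absolute http(s) URL of bounded length. The WHATWG URL parser
// lower-cases the scheme, so "JavaScript:" is caught by the allow-list just
// like "javascript:"; ftp:, file: and data: fall out for the same reason.
function validateLoc(loc) {
  if (typeof loc !== 'string') throw new TypeError('loc must be a string');
  if (loc.length > MAX_URL_LENGTH) throw new RangeError(`loc longer than ${MAX_URL_LENGTH} characters`);
  if (/[\u0000-\u001f\u007f]/.test(loc)) throw new Error('loc contains control characters');
  let parsed;
  try { parsed = new URL(loc); } catch { throw new Error(`loc is not an absolute URL: ${loc}`); }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) throw new Error(`loc scheme not allowed: ${parsed.protocol}`);
  return loc;
}

// Sitemap lastmod: YYYY-MM-DD, optionally with a W3C datetime time part and
// zone. The shape is checked with a regex, month and day are range-checked,
// and Date.parse is consulted so an "Invalid Date" cannot slip through.
const LASTMOD = /^(\d{4})-(\d{2})-(\d{2})(?:T\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:\d{2}))?$/;
function validateLastmod(lastmod) {
  if (typeof lastmod !== 'string') throw new TypeError('lastmod must be a string');
  const m = LASTMOD.exec(lastmod);
  if (!m) throw new Error(`lastmod is not ISO 8601: ${lastmod}`);
  const month = Number(m[2]);
  const day = Number(m[3]);
  if (month < 1 || month > 12 || day < 1 || day > 31 || Number.isNaN(Date.parse(lastmod)))
    throw new Error(`lastmod is not a valid date: ${lastmod}`);
  return lastmod;
}

// Priority must be a finite number in [0, 1]. NaN and Infinity are rejected
// explicitly because NaN compares false against every range check.
function validatePriority(priority) {
  if (typeof priority !== 'number' || !Number.isFinite(priority))
    throw new TypeError('priority must be a finite number');
  if (priority < 0 || priority > 1) throw new RangeError('priority must be between 0 and 1');
  return priority;
}

// Render one <url> element, validating every field before it reaches the XML.
function renderUrlEntry({ url, lastmod, priority }) {
  const parts = [`<loc>${escapeXml(validateLoc(url))}</loc>`];
  if (lastmod !== undefined) parts.push(`<lastmod>${validateLastmod(lastmod)}</lastmod>`);
  if (priority !== undefined) parts.push(`<priority>${validatePriority(priority).toFixed(1)}</priority>`);
  return `<url>${parts.join('')}</url>`;
}

// Non-throwing wrapper so a batch of entries can be triaged.
function checkUrlEntry(entry) {
  try { return { ok: true, xml: renderUrlEntry(entry) }; }
  catch (err) { return { ok: false, reason: err.message }; }
}

// Constructed inputs: one good entry and the failure modes the changelog names.
const GOOD_ENTRY = { url: 'https://example.com/search?q=a&b=<c>', lastmod: '2025-11-01', priority: 0.8 };
const BAD_ENTRIES = [
  { url: 'javascript:alert(1)' },
  { url: 'data:text/html,<script>alert(1)</script>' },
  { url: 'ftp://example.com/pub/' },
  { url: 'https://example.com/' + 'a'.repeat(MAX_URL_LENGTH) },
  { url: 'https://example.com/', lastmod: '2025-13-01' },
  { url: 'https://example.com/', lastmod: 'yesterday' },
  { url: 'https://example.com/', priority: NaN },
  { url: 'https://example.com/', priority: Infinity },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkUrlEntry(GOOD_ENTRY).xml);
  for (const entry of BAD_ENTRIES) console.log(checkUrlEntry(entry).reason);
}
```

The scheme check is an allow-list rather than the changelog's deny-list of four schemes; a deny-list would still let `vbscript:` or a future scheme through, whereas restricting `loc` to `http:` and `https:` matches what the sitemap protocol accepts anyway.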