Tags: aws/aws-cdk-cli
chore(deps): bump @xmldom/xmldom from 0.9.9 to 0.9.10 (#1407)

Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.9.9 to 0.9.10.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/xmldom/xmldom/releases"><code>@xmldom/xmldom</code>'s releases</a>.</em></p>
<blockquote>
<h2>0.9.10</h2>
<p><a href="https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">Commits</a></p>
<h3>Fixed</h3>
<ul>
<li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option. When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a>
<ul>
<li>Comment: throws when <code>data</code> contains <code>--</code> anywhere, ends with <code>-</code>, or contains characters outside the XML <code>Char</code> production</li>
<li>ProcessingInstruction: throws when target contains <code>:</code> or matches <code>xml</code> (case-insensitive), or <code>data</code> contains characters outside the XML <code>Char</code> production or contains <code>?></code></li>
<li>DocumentType: throws when <code>publicId</code> fails <code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li>
</ul>
</li>
<li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>, <code>Node.prototype.isEqualNode()</code>) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li>
<li><code>isEqualNode</code> now correctly returns <code>false</code> for CDATASection nodes with different <code>data</code></li>
</ul>
<h3>Deprecated</h3>
<ul>
<li>The <code>splitCDATASections</code> serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of <code>"]]>"</code> in <code>CDATASection</code> data was introduced as a workaround; use <code>requireWellFormed: true</code> or ensure <code>CDATASection</code> data does not contain <code>"]]>"</code> before serialization.</li>
</ul>
<h3>Chore</h3>
<ul>
<li>updated dependencies</li>
</ul>
<p>Thank you, <a href="https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="https://github.com/TharVid"><code>@TharVid</code></a>, <a href="https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a href="https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p>
</blockquote>
</details>

<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md"><code>@xmldom/xmldom</code>'s changelog</a>.</em></p>
<blockquote>
<h2><a href="https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">0.9.10</a></h2>
<h3>Fixed</h3>
<ul>
<li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option. When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a>
<ul>
<li>Comment: throws when <code>data</code> contains <code>--</code> anywhere, ends with <code>-</code>, or contains characters outside the XML <code>Char</code> production</li>
<li>ProcessingInstruction: throws when target contains <code>:</code> or matches <code>xml</code> (case-insensitive), or <code>data</code> contains characters outside the XML <code>Char</code> production or contains <code>?></code></li>
<li>DocumentType: throws when <code>publicId</code> fails <code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li>
</ul>
</li>
<li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>, <code>Node.prototype.isEqualNode()</code>) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li>
<li><code>isEqualNode</code> now correctly returns <code>false</code> for CDATASection nodes with different <code>data</code></li>
</ul>
<h3>Deprecated</h3>
<ul>
<li>The <code>splitCDATASections</code> serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of <code>"]]>"</code> in <code>CDATASection</code> data was introduced as a workaround; use <code>requireWellFormed: true</code> or ensure <code>CDATASection</code> data does not contain <code>"]]>"</code> before serialization.</li>
</ul>
<h3>Chore</h3>
<ul>
<li>updated dependencies</li>
</ul>
<p>Thank you, <a href="https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="https://github.com/TharVid"><code>@TharVid</code></a>, <a href="https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a href="https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p>
<h2><a href="https://github.com/xmldom/xmldom/compare/0.8.12...0.8.13">0.8.13</a></h2>
<h3>Fixed</h3>
<ul>
<li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option (fourth argument, after <code>isHtml</code> and <code>nodeFilter</code>). When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a>
<ul>
<li>Comment: throws when <code>data</code> contains <code>--></code></li>
<li>ProcessingInstruction: throws when <code>data</code> contains <code>?></code></li>
<li>DocumentType: throws when <code>publicId</code> fails <code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li>
</ul>
</li>
<li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li>
</ul>
<p>Thank you, <a href="https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="https://github.com/TharVid"><code>@TharVid</code></a>, <a href="https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a href="https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p>
</blockquote>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/xmldom/xmldom/commit/bf396a575c4dd32ce4bd925b849dcb7e778d957c"><code>bf396a5</code></a> 0.9.10</li>
<li><a href="https://github.com/xmldom/xmldom/commit/78f60891bb1a82ef160d1e8cf082caa54cbd28b0"><code>78f6089</code></a> test: add missing serializer coverage for nodeFilter string return, Attribute...</li>
<li><a href="https://github.com/xmldom/xmldom/commit/192ce5b9b245a03b8fe1979455c8c0a60b623d3a"><code>192ce5b</code></a> ci: remove unused imports flagged by CodeQL</li>
<li><a href="https://github.com/xmldom/xmldom/commit/ca81c065820e226203568ef015d4fb0c4ff1582c"><code>ca81c06</code></a> test: lower stack size for tests</li>
<li><a href="https://github.com/xmldom/xmldom/commit/c9d59370c0f8e85189da24db0e24a5a0765dcd08"><code>c9d5937</code></a> style: npm run format</li>
<li><a href="https://github.com/xmldom/xmldom/commit/1537fb462ae9ba248266ee267e8b29f7e14858f4"><code>1537fb4</code></a> docs: add 0.9.10 changelog entry</li>
<li><a href="https://github.com/xmldom/xmldom/commit/afd6f6fe81dac26e5370048a31269471f35569ed"><code>afd6f6f</code></a> docs: add 0.8.13 changelog entry</li>
<li><a href="https://github.com/xmldom/xmldom/commit/afeb4ee3172ebe72f6ad940bf330ef0d0e3e7118"><code>afeb4ee</code></a> refactor: align error mesage between branches</li>
<li><a href="https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"><code>4845ef1</code></a> fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)</li>
<li><a href="https://github.com/xmldom/xmldom/commit/dfb94a4524ddf4ecbc9e6f63fd0652e3d1f24f9c"><code>dfb94a4</code></a> test: add missing isEqualNode behavioral coverage</li>
<li>Additional commits viewable in <a href="https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">compare view</a></li>
</ul>
</details>

<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a href="https://www.npmjs.com/~karfau" rel="nofollow">karfau</a>, a new releaser for <code>@xmldom/xmldom</code> since your current version.</p>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk-cli/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
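The two fixes the quoted release notes describe (a `requireWellFormed` check that refuses injection-prone Comment, ProcessingInstruction and DocumentType content, and traversal that does not recurse) are easiest to see on a small, self-contained model. The following is an added example written for this page; it is not xmldom's code and not part of this PR. It builds its own toy node objects and its own serializer, so the node shapes, helper names (`serialize`, `isWellFormed`, `deepTree`) and sample data are all assumptions of the example rather than xmldom's DOM API.

```javascript
// Added example, not xmldom's own code: a toy node model plus an iterative XML
// serializer that applies the well-formedness checks the 0.9.10 release notes
// describe for Comment, ProcessingInstruction and DocumentType nodes when
// requireWellFormed is set, and walks the tree with an explicit stack so deep
// nesting cannot exhaust the call stack. The node shapes, helper names and
// sample data below are this example's own assumptions, not xmldom's DOM.

// XML 1.0 Char production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
const XML_CHAR = /^[\t\n\r\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]*$/u;
// XML 1.0 PubidChar set; a publicId passes PubidLiteral when every character is one
const PUBID_CHARS = /^[ \r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;

class InvalidStateError extends Error {
  constructor(message) { super(message); this.name = 'InvalidStateError'; }
}

// The checks from the release notes. Each throws instead of emitting markup that
// would let node data close its own lexical context and smuggle in new nodes.
function checkComment(data) {
  if (data.includes('--') || data.endsWith('-') || !XML_CHAR.test(data)) {
    throw new InvalidStateError('Comment data is not well-formed: ' + JSON.stringify(data));
  }
}
function checkPI(target, data) {
  if (target.includes(':') || /^xml$/i.test(target) || data.includes('?>') || !XML_CHAR.test(data)) {
    throw new InvalidStateError('ProcessingInstruction is not well-formed: ' + target);
  }
}
function checkDoctype(dt) {
  if (!PUBID_CHARS.test(dt.publicId || '')) throw new InvalidStateError('publicId fails PubidLiteral');
  // SystemLiteral is delimited by " or ', so a value containing both cannot be quoted at all
  const sys = dt.systemId || '';
  if (sys.includes('"') && sys.includes("'")) throw new InvalidStateError('systemId fails SystemLiteral');
  if ((dt.internalSubset || '').includes(']>')) throw new InvalidStateError('internalSubset contains ]>');
}

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const quoteLiteral = (s) => (s.includes('"') ? "'" + s + "'" : '"' + s + '"');

// Iterative serializer: the explicit stack replaces recursion, so a chain nested
// 100k levels deep serializes instead of throwing RangeError.
function serialize(root, { requireWellFormed = false } = {}) {
  const out = [];
  const stack = [{ node: root, closing: false }];
  while (stack.length) {
    const { node, closing } = stack.pop();
    if (closing) { out.push('</' + node.name + '>'); continue; }
    switch (node.type) {
      case 'element':
        out.push('<' + node.name + '>');
        stack.push({ node, closing: true });
        // push children in reverse so they pop in document order
        for (let i = node.children.length - 1; i >= 0; i--) stack.push({ node: node.children[i], closing: false });
        break;
      case 'text': out.push(escapeText(node.data)); break;
      case 'comment':
        if (requireWellFormed) checkComment(node.data);
        out.push('<!--' + node.data + '-->');
        break;
      case 'pi':
        if (requireWellFormed) checkPI(node.target, node.data);
        out.push('<?' + node.target + ' ' + node.data + '?>');
        break;
      case 'doctype': {
        if (requireWellFormed) checkDoctype(node);
        let s = '<!DOCTYPE ' + node.name;
        if (node.publicId) s += ' PUBLIC "' + node.publicId + '" ' + quoteLiteral(node.systemId || '');
        else if (node.systemId) s += ' SYSTEM ' + quoteLiteral(node.systemId);
        if (node.internalSubset) s += ' [' + node.internalSubset + ']';
        out.push(s + '>');
        break;
      }
      default: throw new TypeError('unknown node type: ' + node.type);
    }
  }
  return out.join('');
}

// true when strict serialization succeeds, false when it raises InvalidStateError
function isWellFormed(node) {
  try { serialize(node, { requireWellFormed: true }); return true; }
  catch (e) { if (e instanceof InvalidStateError) return false; throw e; }
}

// Constructed sample: comment data taken from an untrusted source. Default
// serialization lets it close the comment early and emit an element the
// document never contained; strict serialization refuses.
const untrustedComment = { type: 'element', name: 'root', children: [{ type: 'comment', data: '--><evil/><!--' }] };

// Constructed sample: a chain nested deep enough to overflow a recursive walker.
function deepTree(depth) {
  let node = { type: 'text', data: 'leaf' };
  for (let i = 0; i < depth; i++) node = { type: 'element', name: 'n', children: [node] };
  return node;
}

console.log(serialize(untrustedComment));          // <root><!----><evil/><!----></root>
console.log(isWellFormed(untrustedComment));       // false
console.log(serialize(deepTree(100000)).length);   // 700004
```

The lenient output shows why the option matters: the comment data is copied verbatim, so `-->` inside it terminates the comment and whatever follows is parsed as markup by the consumer. With `requireWellFormed` set, the serializer fails closed and the caller sees an `InvalidStateError` at the point where untrusted data entered the tree, which is also where an application would log or reject it. The explicit stack in `serialize` mirrors the second fix: depth is bounded by heap rather than by the engine's call stack, so a deeply nested document degrades into a large string rather than an unrecoverable `RangeError`.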
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://www.npmjs.com/~karfau">karfau</a" rel="nofollow">https://www.npmjs.com/~karfau">karfau</a>, a new releaser for <code>@xmldom/xmldom</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk-cli/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
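The release notes quoted above describe two behaviours worth seeing side by side: a serializer that, when `requireWellFormed` is set, refuses node data that could close its own delimiter (`-->`, `?>`, `]]>`, `]>`), and a tree walk that uses an explicit stack so deep nesting cannot end in a `RangeError`. The block below is an added example written for this page; it is not code from `@xmldom/xmldom` or from aws-cdk-cli, and it does not import the library. It builds a toy node model (`el`, `text`, `comment`, `pi`, `cdata`, `doctype`), a `checkWellFormed` function that applies the per-node rules listed for 0.9.10, an iterative `serializeToString`, and two helpers (`isRejected`, `deepTree`) for exercising it. All of those names, the node shapes, and the `XML_CHAR`, `PUBID_LITERAL` and `SYSTEM_LITERAL` regexes are this example's own assumptions, not xmldom's API.

```javascript
// Added example (not @xmldom/xmldom or aws-cdk-cli code): a toy XML node model
// plus a serializer showing the two behaviours from the 0.9.10 release notes.
// (a) requireWellFormed: true rejects node data that could close its own
//     delimiter ("-->", "?>", "]]>", "]>") with an InvalidStateError.
// (b) The walk uses an explicit stack, so deep trees cannot overflow the call stack.
// Names, node shapes and the regexes below are this example's own assumptions.
const ELEMENT = 1, TEXT = 3, CDATA = 4, PI = 7, COMMENT = 8, DOCTYPE = 10;

// XML 1.0 "Char" production over UTF-16 code units (surrogates must be paired).
const XML_CHAR = /^(?:[\t\n\r\u0020-\uD7FF\uE000-\uFFFD]|[\uD800-\uDBFF][\uDC00-\uDFFF])*$/;
// PubidChar set from the XML spec; SystemLiteral approximated as "no double quote"
// because this toy always quotes identifiers with double quotes.
const PUBID_LITERAL = /^[\u0020\r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;
const SYSTEM_LITERAL = /^[^"]*$/;

class InvalidStateError extends Error { constructor(m) { super(m); this.name = 'InvalidStateError'; } }

// Node constructors for building sample trees (constructed for this example).
const el = (name, attrs = {}, children = []) => ({ type: ELEMENT, name, attrs, children });
const text = (data) => ({ type: TEXT, data });
const cdata = (data) => ({ type: CDATA, data });
const comment = (data) => ({ type: COMMENT, data });
const pi = (target, data) => ({ type: PI, target, data });
const doctype = (name, publicId = '', systemId = '', internalSubset = '') => ({ type: DOCTYPE, name, publicId, systemId, internalSubset });

// The well-formedness rules listed for 0.9.10, applied per node kind.
function checkWellFormed(node) {
  switch (node.type) {
    case COMMENT:
      if (node.data.includes('--') || node.data.endsWith('-') || !XML_CHAR.test(node.data))
        throw new InvalidStateError('Comment data is not well-formed');
      break;
    case PI:
      if (node.target.includes(':') || /^xml$/i.test(node.target) ||
          node.data.includes('?>') || !XML_CHAR.test(node.data))
        throw new InvalidStateError('ProcessingInstruction is not well-formed');
      break;
    case CDATA:
      if (node.data.includes(']]>'))
        throw new InvalidStateError('CDATASection data contains "]]>"');
      break;
    case DOCTYPE:
      if (!PUBID_LITERAL.test(node.publicId) || !SYSTEM_LITERAL.test(node.systemId) ||
          node.internalSubset.includes(']>'))
        throw new InvalidStateError('DocumentType is not well-formed');
      break;
  }
}

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Iterative serializer: the stack holds nodes still to write and, for elements,
// the closing tag (a string) to emit once all children have been written.
function serializeToString(root, { requireWellFormed = false } = {}) {
  const out = [];
  const stack = [root];
  while (stack.length > 0) {
    const item = stack.pop();
    if (typeof item === 'string') { out.push(item); continue; }   // pending close tag
    if (requireWellFormed) checkWellFormed(item);
    switch (item.type) {
      case ELEMENT: {
        const attrs = Object.entries(item.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
        if (item.children.length === 0) { out.push(`<${item.name}${attrs}/>`); break; }
        out.push(`<${item.name}${attrs}>`);
        stack.push(`</${item.name}>`);
        for (let i = item.children.length - 1; i >= 0; i--) stack.push(item.children[i]);
        break;
      }
      case TEXT: out.push(escapeText(item.data)); break;
      case CDATA: out.push(`<![CDATA[${item.data}]]>`); break;
      case COMMENT: out.push(`<!--${item.data}-->`); break;
      case PI: out.push(`<?${item.target} ${item.data}?>`); break;
      case DOCTYPE: {
        let s = `<!DOCTYPE ${item.name}`;
        if (item.publicId) s += ` PUBLIC "${item.publicId}" "${item.systemId}"`;
        else if (item.systemId) s += ` SYSTEM "${item.systemId}"`;
        if (item.internalSubset) s += ` [${item.internalSubset}]`;
        out.push(s + '>');
        break;
      }
    }
  }
  return out.join('');
}

// True when strict serialization rejects the node, false when it is accepted.
function isRejected(node) {
  try { serializeToString(node, { requireWellFormed: true }); return false; }
  catch (e) { if (e instanceof InvalidStateError) return true; throw e; }
}

// A chain of `depth` nested elements, far deeper than a recursive walk survives.
function deepTree(depth) {
  let node = text('leaf');
  for (let i = 0; i < depth; i++) node = el('n', {}, [node]);
  return node;
}
```

Two things the release notes state become concrete here. With the default (lenient) setting, `serializeToString(comment('x-->y'))` yields `<!--x-->y-->`: the comment closes early and `y` lands outside it, which is the injection the advisories describe. With the strict setting the same node is refused before anything is written, so a caller holding untrusted text in a comment, processing instruction, CDATA section or doctype learns about it as an exception rather than as a malformed document. The toy takes the flag in an options object; the 0.8.13 note says the real library takes it as the fourth positional argument after `isHtml` and `nodeFilter`, and that it is opt-in, so existing callers must add it. Element and attribute names are not validated in this toy, and `splitCDATASections` (now deprecated upstream) is not emulated; the strict CDATA rule is the replacement the notes recommend.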
<code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li> </ul> </li> <li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li">https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li> </ul> <p>Thank you, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/Jvr2022"><code>@Jvr2022</code></a">https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/praveen-kv"><code>@praveen-kv</code></a">https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/TharVid"><code>@TharVid</code></a">https://github.com/TharVid"><code>@TharVid</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/decsecre583"><code>@decsecre583</code></a">https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/tlsbollei"><code>@tlsbollei</code></a">https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/KarimTantawey"><code>@KarimTantawey</code></a">https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/bf396a575c4dd32ce4bd925b849dcb7e778d957c"><code>bf396a5</code></a">https://github.com/xmldom/xmldom/commit/bf396a575c4dd32ce4bd925b849dcb7e778d957c"><code>bf396a5</code></a> 0.9.10</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/78f60891bb1a82ef160d1e8cf082caa54cbd28b0"><code>78f6089</code></a">https://github.com/xmldom/xmldom/commit/78f60891bb1a82ef160d1e8cf082caa54cbd28b0"><code>78f6089</code></a> test: add missing serializer coverage for nodeFilter string return, Attribute...</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/192ce5b9b245a03b8fe1979455c8c0a60b623d3a"><code>192ce5b</code></a">https://github.com/xmldom/xmldom/commit/192ce5b9b245a03b8fe1979455c8c0a60b623d3a"><code>192ce5b</code></a> ci: remove unused imports flagged by CodeQL</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/ca81c065820e226203568ef015d4fb0c4ff1582c"><code>ca81c06</code></a">https://github.com/xmldom/xmldom/commit/ca81c065820e226203568ef015d4fb0c4ff1582c"><code>ca81c06</code></a> test: lower stack size for tests</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/c9d59370c0f8e85189da24db0e24a5a0765dcd08"><code>c9d5937</code></a">https://github.com/xmldom/xmldom/commit/c9d59370c0f8e85189da24db0e24a5a0765dcd08"><code>c9d5937</code></a> style: npm run format</li> <li><a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/1537fb462ae9ba248266ee267e8b29f7e14858f4"><code>1537fb4</code></a">https://github.com/xmldom/xmldom/commit/1537fb462ae9ba248266ee267e8b29f7e14858f4"><code>1537fb4</code></a> docs: add 0.9.10 changelog entry</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/afd6f6fe81dac26e5370048a31269471f35569ed"><code>afd6f6f</code></a">https://github.com/xmldom/xmldom/commit/afd6f6fe81dac26e5370048a31269471f35569ed"><code>afd6f6f</code></a> docs: add 0.8.13 changelog entry</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/afeb4ee3172ebe72f6ad940bf330ef0d0e3e7118"><code>afeb4ee</code></a">https://github.com/xmldom/xmldom/commit/afeb4ee3172ebe72f6ad940bf330ef0d0e3e7118"><code>afeb4ee</code></a> refactor: align error mesage between branches</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"><code>4845ef1</code></a">https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"><code>4845ef1</code></a> fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/dfb94a4524ddf4ecbc9e6f63fd0652e3d1f24f9c"><code>dfb94a4</code></a">https://github.com/xmldom/xmldom/commit/dfb94a4524ddf4ecbc9e6f63fd0652e3d1f24f9c"><code>dfb94a4</code></a> test: add missing isEqualNode behavioral coverage</li> <li>Additional commits viewable in <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">compare">https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://www.npmjs.com/~karfau">karfau</a" rel="nofollow">https://www.npmjs.com/~karfau">karfau</a>, a new releaser for <code>@xmldom/xmldom</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk-cli/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
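The `requireWellFormed` checks the 0.9.10 changelog lists for Comment, ProcessingInstruction and DocumentType nodes, as an added example that is not @xmldom/xmldom's own code: it serializes a constructed untrusted comment leniently (the embedded `-->` closes the comment early) and strictly (it throws `InvalidStateError`). `checkWellFormed`, `serializeNode`, `strictOutcome` and the plain node records are this example's own assumptions; the `Char` and `PubidChar` classes are taken from the XML 1.0 grammar.

```javascript
'use strict';
// Added example, not @xmldom/xmldom's own code: a model of the per-node checks the
// 0.9.10 changelog lists for `requireWellFormed`, run before a node is serialized.
// checkWellFormed, serializeNode and this InvalidStateError class are hypothetical
// stand-ins for the library's internals; nodes are plain records of the shape
// { type: 'comment', data }, { type: 'pi', target, data } or
// { type: 'doctype', name, publicId, systemId, internalSubset } (all strings).

class InvalidStateError extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidStateError';
  }
}

// XML 1.0 Char: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
const XML_CHARS = /^[\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]*$/u;
// XML 1.0 PubidChar: #x20 | #xD | #xA | [a-zA-Z0-9] | [-'()+,./:=?;!*#@$_%]
const PUBID_CHARS = /^[\u0020\u000D\u000Aa-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;

// Throws InvalidStateError when serializing `node` verbatim could not yield
// well-formed XML, i.e. when its data would terminate or escape its own construct.
function checkWellFormed(node) {
  switch (node.type) {
    case 'comment':
      if (node.data.includes('--') || node.data.endsWith('-') || !XML_CHARS.test(node.data)) {
        throw new InvalidStateError('Comment data is not well-formed');
      }
      return;
    case 'pi':
      if (node.target.includes(':') || /^xml$/i.test(node.target)) {
        throw new InvalidStateError('ProcessingInstruction target is not well-formed');
      }
      if (!XML_CHARS.test(node.data) || node.data.includes('?>')) {
        throw new InvalidStateError('ProcessingInstruction data is not well-formed');
      }
      return;
    case 'doctype':
      if (!PUBID_CHARS.test(node.publicId)) {
        throw new InvalidStateError('DocumentType publicId is not a PubidLiteral');
      }
      // A SystemLiteral is delimited by " or ', so a value holding both cannot be quoted.
      if (node.systemId.includes('"') && node.systemId.includes("'")) {
        throw new InvalidStateError('DocumentType systemId is not a SystemLiteral');
      }
      if (node.internalSubset.includes(']>')) {
        throw new InvalidStateError('DocumentType internalSubset is not well-formed');
      }
      return;
    default:
      throw new TypeError(`unsupported node type: ${node.type}`);
  }
}

// Minimal serializer for the three node types: verbatim unless requireWellFormed is set.
function serializeNode(node, { requireWellFormed = false } = {}) {
  if (requireWellFormed) checkWellFormed(node);
  switch (node.type) {
    case 'comment':
      return `<!--${node.data}-->`;
    case 'pi':
      return `<?${node.target}${node.data ? ' ' + node.data : ''}?>`;
    case 'doctype': {
      const q = node.systemId.includes('"') ? "'" : '"';
      let out = `<!DOCTYPE ${node.name}`;
      if (node.publicId) out += ` PUBLIC "${node.publicId}" ${q}${node.systemId}${q}`;
      else if (node.systemId) out += ` SYSTEM ${q}${node.systemId}${q}`;
      if (node.internalSubset) out += ` [${node.internalSubset}]`;
      return out + '>';
    }
    default:
      throw new TypeError(`unsupported node type: ${node.type}`);
  }
}

// Serializes strictly and returns the error name instead of throwing, so the
// lenient and strict results can be compared side by side.
function strictOutcome(node) {
  try {
    return serializeNode(node, { requireWellFormed: true });
  } catch (e) {
    if (e instanceof InvalidStateError) return e.name;
    throw e;
  }
}

// Constructed sample: comment data taken from an untrusted source. Serialized
// verbatim, the embedded `-->` closes the comment early and an element follows it.
const UNTRUSTED_COMMENT = { type: 'comment', data: 'generated --><injected/><!-- ' };

console.log(serializeNode(UNTRUSTED_COMMENT)); // lenient: comment closed early
console.log(strictOutcome(UNTRUSTED_COMMENT)); // strict: InvalidStateError
```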
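The second security entry in the changelog, recursive traversal replaced by iterative traversal, as an added example that is not the library's code: a recursive and an iterative `textContent` over a minimal constructed node shape, where the recursive walk exhausts the call stack on a chain a few hundred thousand elements deep and the explicit-stack walk does not. `makeNode`, `makeText`, `deepChain` and the function names are this example's own assumptions.

```javascript
'use strict';
// Added example, not @xmldom/xmldom's own code: why the 0.9.10 switch to iterative
// DOM traversal matters. Nodes are plain constructed records { name, children, data },
// with data === null for elements and a string for text nodes.

function makeNode(name, children = []) {
  return { name, children, data: null };
}

function makeText(data) {
  return { name: '#text', children: [], data };
}

// Constructed sample: an element chain `depth` levels deep ending in one text leaf,
// the shape a parser builds from <a><a><a>...leaf...</a></a></a>. Built iteratively.
function deepChain(depth, leafText) {
  let node = makeText(leafText);
  for (let i = 0; i < depth; i++) node = makeNode('a', [node]);
  return node;
}

// Pre-fix style: one call frame per nesting level, so depth is bounded by the stack.
function textContentRecursive(node) {
  if (node.data !== null) return node.data;
  let out = '';
  for (const child of node.children) out += textContentRecursive(child);
  return out;
}

// Post-fix style: depth-first in document order using an explicit stack; children
// are pushed in reverse so the first child is popped first. Depth is bounded by heap.
function textContentIterative(root) {
  let out = '';
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node.data !== null) {
      out += node.data;
      continue;
    }
    for (let i = node.children.length - 1; i >= 0; i--) stack.push(node.children[i]);
  }
  return out;
}

// Returns the text when the recursive walk succeeds, or the error name when the
// nesting depth blows the JavaScript call stack.
function recursiveOutcome(root) {
  try {
    return textContentRecursive(root);
  } catch (e) {
    if (e instanceof RangeError) return e.name;
    throw e;
  }
}

const DEEP = deepChain(300000, 'leaf');
console.log(recursiveOutcome(DEEP));      // RangeError
console.log(textContentIterative(DEEP));  // leaf
```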
chore(deps): bump @xmldom/xmldom from 0.9.9 to 0.9.10 (#1407) Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.9.9 to 0.9.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/releases"><code>@xmldom/xmldom</code>'s">https://github.com/xmldom/xmldom/releases"><code>@xmldom/xmldom</code>'s releases</a>.</em></p> <blockquote> <h2>0.9.10</h2> <p><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">Commits</a></p">https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">Commits</a></p> <h3>Fixed</h3> <ul> <li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option. When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. 
<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a> <ul> <li>Comment: throws when <code>data</code> contains <code>--</code> anywhere, ends with <code>-</code>, or contains characters outside the XML <code>Char</code> production</li> <li>ProcessingInstruction: throws when target contains <code>:</code> or matches <code>xml</code> (case-insensitive), or <code>data</code> contains characters outside the XML <code>Char</code> production or contains <code>?></code></li> <li>DocumentType: throws when <code>publicId</code> fails <code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li> </ul> </li> <li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>, <code>Node.prototype.isEqualNode()</code>) are now iterative. 
Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li">https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li> <li><code>isEqualNode</code> now correctly returns <code>false</code> for CDATASection nodes with different <code>data</code></li> </ul> <h3>Deprecated</h3> <ul> <li>The <code>splitCDATASections</code> serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of <code>"]]>"</code> in <code>CDATASection</code> data was introduced as a workaround; use <code>requireWellFormed: true</code> or ensure <code>CDATASection</code> data does not contain <code>"]]>"</code> before serialization.</li> </ul> <h3>Chore</h3> <ul> <li>updated dependencies</li> </ul> <p>Thank you, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/Jvr2022"><code>@Jvr2022</code></a">https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/praveen-kv"><code>@praveen-kv</code></a">https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/TharVid"><code>@TharVid</code></a">https://github.com/TharVid"><code>@TharVid</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/decsecre583"><code>@decsecre583</code></a">https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/tlsbollei"><code>@tlsbollei</code></a">https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/KarimTantawey"><code>@KarimTantawey</code></a">https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md"><code>@xmldom/xmldom</code>'s">https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md"><code>@xmldom/xmldom</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">0.9.10</a></h2">https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">0.9.10</a></h2> <h3>Fixed</h3> <ul> <li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option. When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. 
<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a> <ul> <li>Comment: throws when <code>data</code> contains <code>--</code> anywhere, ends with <code>-</code>, or contains characters outside the XML <code>Char</code> production</li> <li>ProcessingInstruction: throws when target contains <code>:</code> or matches <code>xml</code> (case-insensitive), or <code>data</code> contains characters outside the XML <code>Char</code> production or contains <code>?></code></li> <li>DocumentType: throws when <code>publicId</code> fails <code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li> </ul> </li> <li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>, <code>Node.prototype.isEqualNode()</code>) are now iterative. 
Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li">https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li> <li><code>isEqualNode</code> now correctly returns <code>false</code> for CDATASection nodes with different <code>data</code></li> </ul> <h3>Deprecated</h3> <ul> <li>The <code>splitCDATASections</code> serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of <code>"]]>"</code> in <code>CDATASection</code> data was introduced as a workaround; use <code>requireWellFormed: true</code> or ensure <code>CDATASection</code> data does not contain <code>"]]>"</code> before serialization.</li> </ul> <h3>Chore</h3> <ul> <li>updated dependencies</li> </ul> <p>Thank you, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/Jvr2022"><code>@Jvr2022</code></a">https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/praveen-kv"><code>@praveen-kv</code></a">https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/TharVid"><code>@TharVid</code></a">https://github.com/TharVid"><code>@TharVid</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/decsecre583"><code>@decsecre583</code></a">https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/tlsbollei"><code>@tlsbollei</code></a">https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/KarimTantawey"><code>@KarimTantawey</code></a">https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p> <h2><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/compare/0.8.12...0.8.13">0.8.13</a></h2">https://github.com/xmldom/xmldom/compare/0.8.12...0.8.13">0.8.13</a></h2> <h3>Fixed</h3> <ul> <li>Security: <code>XMLSerializer.serializeToString()</code> (and <code>Node.toString()</code>, <code>NodeList.toString()</code>) now accept a <code>requireWellFormed</code> option (fourth argument, after <code>isHtml</code> and <code>nodeFilter</code>). When <code>{ requireWellFormed: true }</code> is passed, the serializer throws <code>InvalidStateError</code> for injection-prone node content, preventing XML injection via attacker-controlled node data. <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"><code>GHSA-j759-j44w-7fr8</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"><code>GHSA-x6wf-f3px-wcqx</code></a> <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a">https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"><code>GHSA-f6ww-3ggp-fr8h</code></a> <ul> <li>Comment: throws when <code>data</code> contains <code>--></code></li> <li>ProcessingInstruction: throws when <code>data</code> contains <code>?></code></li> <li>DocumentType: throws when <code>publicId</code> fails 
<code>PubidLiteral</code>, <code>systemId</code> fails <code>SystemLiteral</code>, or <code>internalSubset</code> contains <code>]></code></li> </ul> </li> <li>Security: DOM traversal operations (<code>XMLSerializer.serializeToString()</code>, <code>Node.prototype.normalize()</code>, <code>Node.prototype.cloneNode(true)</code>, <code>Document.prototype.importNode(node, true)</code>, <code>node.textContent</code> getter, <code>getElementsByTagName()</code> / <code>getElementsByTagNameNS()</code> / <code>getElementsByClassName()</code> / <code>getElementById()</code>) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable <code>RangeError</code>. <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li">https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"><code>GHSA-2v35-w6hq-6mfw</code></a></li> </ul> <p>Thank you, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/Jvr2022"><code>@Jvr2022</code></a">https://github.com/Jvr2022"><code>@Jvr2022</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/praveen-kv"><code>@praveen-kv</code></a">https://github.com/praveen-kv"><code>@praveen-kv</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/TharVid"><code>@TharVid</code></a">https://github.com/TharVid"><code>@TharVid</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/decsecre583"><code>@decsecre583</code></a">https://github.com/decsecre583"><code>@decsecre583</code></a>, <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/tlsbollei"><code>@tlsbollei</code></a">https://github.com/tlsbollei"><code>@tlsbollei</code></a>, <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/KarimTantawey"><code>@KarimTantawey</code></a">https://github.com/KarimTantawey"><code>@KarimTantawey</code></a>, for your contributions</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/bf396a575c4dd32ce4bd925b849dcb7e778d957c"><code>bf396a5</code></a">https://github.com/xmldom/xmldom/commit/bf396a575c4dd32ce4bd925b849dcb7e778d957c"><code>bf396a5</code></a> 0.9.10</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/78f60891bb1a82ef160d1e8cf082caa54cbd28b0"><code>78f6089</code></a">https://github.com/xmldom/xmldom/commit/78f60891bb1a82ef160d1e8cf082caa54cbd28b0"><code>78f6089</code></a> test: add missing serializer coverage for nodeFilter string return, Attribute...</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/192ce5b9b245a03b8fe1979455c8c0a60b623d3a"><code>192ce5b</code></a">https://github.com/xmldom/xmldom/commit/192ce5b9b245a03b8fe1979455c8c0a60b623d3a"><code>192ce5b</code></a> ci: remove unused imports flagged by CodeQL</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/ca81c065820e226203568ef015d4fb0c4ff1582c"><code>ca81c06</code></a">https://github.com/xmldom/xmldom/commit/ca81c065820e226203568ef015d4fb0c4ff1582c"><code>ca81c06</code></a> test: lower stack size for tests</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/c9d59370c0f8e85189da24db0e24a5a0765dcd08"><code>c9d5937</code></a">https://github.com/xmldom/xmldom/commit/c9d59370c0f8e85189da24db0e24a5a0765dcd08"><code>c9d5937</code></a> style: npm run format</li> <li><a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/1537fb462ae9ba248266ee267e8b29f7e14858f4"><code>1537fb4</code></a">https://github.com/xmldom/xmldom/commit/1537fb462ae9ba248266ee267e8b29f7e14858f4"><code>1537fb4</code></a> docs: add 0.9.10 changelog entry</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/afd6f6fe81dac26e5370048a31269471f35569ed"><code>afd6f6f</code></a">https://github.com/xmldom/xmldom/commit/afd6f6fe81dac26e5370048a31269471f35569ed"><code>afd6f6f</code></a> docs: add 0.8.13 changelog entry</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/afeb4ee3172ebe72f6ad940bf330ef0d0e3e7118"><code>afeb4ee</code></a">https://github.com/xmldom/xmldom/commit/afeb4ee3172ebe72f6ad940bf330ef0d0e3e7118"><code>afeb4ee</code></a> refactor: align error mesage between branches</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"><code>4845ef1</code></a">https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"><code>4845ef1</code></a> fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)</li> <li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/commit/dfb94a4524ddf4ecbc9e6f63fd0652e3d1f24f9c"><code>dfb94a4</code></a">https://github.com/xmldom/xmldom/commit/dfb94a4524ddf4ecbc9e6f63fd0652e3d1f24f9c"><code>dfb94a4</code></a> test: add missing isEqualNode behavioral coverage</li> <li>Additional commits viewable in <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">compare">https://github.com/xmldom/xmldom/compare/0.9.9...0.9.10">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a 
href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://www.npmjs.com/~karfau">karfau</a" rel="nofollow">https://www.npmjs.com/~karfau">karfau</a>, a new releaser for <code>@xmldom/xmldom</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk-cli/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
feat(toolkit-lib): honor per-notice dynamicValues separator (#1397) Fixes aws/aws-cdk#31963 Notices that render `{resolve:NAME}` placeholders join multiple matched values with a hardcoded comma. That works for prose but breaks placeholders that appear inside an executable command, most visibly the rebootstrap notice which currently suggests `cdk bootstrap aws://acct/r1,aws://acct/r2` — not a valid command. Changing the hardcoded separator in the toolkit would silently alter output for every existing notice that relies on commas in prose. This PR takes the safer notice-side route instead: each notice may carry an optional `dynamicValues` map keyed by placeholder name, where each entry is a `DynamicValueSpec` object. Today the spec only carries `separator`, but keeping the value as an object means future options (`prefix`, `suffix`, `limit`, ...) can be added purely additively without another protocol change — and older CLIs that don't recognise those fields will simply ignore them. `addDynamicValues` now reads `specs[name]?.separator ?? ','`, so notices that don't set the field behave exactly as before. Paired with the corresponding notices-repo change, the rebootstrap notice will ship `{ ENVIRONMENTS: { separator: " " } }` and new CLIs will render a runnable command. Older CLIs that don't understand the field continue to print the current comma-joined output, so existing users don't regress either way. Companion change: cdklabs/aws-cdk-notices#TBD ### Checklist - [ ] This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed - Release notes for the new version: --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
fix: add new metadata types to protocol (#1396) We already shipped `aws:cdk:propertyAssignment` implicitly in the source code, but it was not documented in the protocol. This also adds `aws:cdk:creationStack`. Not updating the protocol version, because this is: - a) adding fields in an unvalidated part of the schema, and - b) for half of the change the data is already being written, so if this is a problem now it already was a problem before, and changing the version number doesn't change anything. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>