Update dependency sitemap to v8.0.1 #24

Merged
alazyreader merged 1 commit from renovate/sitemap-8.x-lockfile into main 2025-10-27 15:25:00 +00:00
Contributor

This PR contains the following updates:

Package   Type          Update   Change
sitemap   dependencies  patch    8.0.0 -> 8.0.1

Release Notes

ekalinin/sitemap.js (sitemap)

v8.0.1

Compare Source

SECURITY FIXES - This release backports comprehensive security patches from 9.0.0 to 8.0.x

Security Improvements
  • XML Injection Prevention: Enhanced XML entity escaping, added > character escaping, attribute name validation
  • Parser Security: Added resource limits (max 50K URLs, 1K images, 100 videos per sitemap), string length limits, URL validation (http/https only, max 2048 chars)
  • Protocol Injection Prevention: Block dangerous protocols (javascript:, data:, file:, ftp:) in sitemap index parser
  • DoS Protection: Memory exhaustion protection, URL length validation, date format validation (ISO 8601)
  • Path Traversal Prevention: Block .. sequences in file paths
  • Command Injection Fix: xmllint now uses stdin exclusively instead of file paths
  • Input Validation: Comprehensive validation for all user inputs - numbers (reject NaN/Infinity), dates (check Invalid Date), URLs, paths
  • XSS Prevention: XSL URL validation to prevent script injection
  • Namespace Security: Custom namespace validation (max 20, max 512 chars each)
Infrastructure
  • Added lib/constants.ts - Centralized security limits and constants
  • Added lib/validation.ts - Comprehensive validation functions
  • Added new security-related error classes
Backward Compatibility
  • 100% API compatible with 8.0.0
  • Added XMLToSitemapItemStream.error getter for backward compatibility (returns errors[0])
  • All existing valid inputs continue to work
  • Only rejects invalid/malicious inputs
  • Default ErrorLevel.WARN behavior unchanged
Dependencies Updated
  • sax: ^1.2.4 → ^1.4.1 (security updates)
Files Changed

17 files changed: 2,122 additions, 245 deletions

Testing
  • All 94 existing tests passing
  • No breaking changes to public API

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
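A worked example of the kind of checks the release notes above describe (XML escaping including `>`, http/https-only URLs with a length cap, rejection of `javascript:`/`data:`/`file:`/`ftp:`, ISO 8601 dates, finite numbers, bounded custom namespaces, and `..`-free paths). This is added here as illustration and is not code from sitemap.js: its `lib/validation.ts` and `lib/constants.ts` are not shown on this page. It is plain Node.js JavaScript; the numeric limits are the ones quoted in the notes, while the function names, the ISO 8601 regex, the namespace-prefix allowlist, the error class and the sample input are this example's assumptions.

```javascript
'use strict';

// Limits quoted from the 8.0.1 release notes; the object name is this example's choice.
const LIMITS = Object.freeze({
  MAX_URL_LENGTH: 2048,
  MAX_NAMESPACES: 20,
  MAX_NAMESPACE_LENGTH: 512,
});
// Allowlist, not denylist: javascript:, data:, file:, ftp: fall out without being named.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Assumed error class for this example (the library's own classes are not shown above).
class SitemapValidationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SitemapValidationError';
  }
}

// Escape all five XML-special characters. Escaping '>' is not needed for a
// well-formed text node, but it breaks the ']]>' sequence, so attacker-supplied
// text can never terminate a CDATA section early.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Absolute http(s) URL of at most MAX_URL_LENGTH characters. The WHATWG URL
// parser rejects relative input and lowercases the scheme, so a mixed-case
// 'JavaScript:' prefix cannot slip past the protocol check.
function validateUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new SitemapValidationError('URL must be a non-empty string');
  }
  if (raw.length > LIMITS.MAX_URL_LENGTH) {
    throw new SitemapValidationError(`URL exceeds ${LIMITS.MAX_URL_LENGTH} characters`);
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    throw new SitemapValidationError('URL is not an absolute, parseable URL');
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new SitemapValidationError(`protocol ${parsed.protocol} is not allowed`);
  }
  return parsed.href;
}

// Shape check for ISO 8601 (date, or date-time with zone), then the
// "Invalid Date" check the notes mention for values the runtime cannot parse.
const ISO_8601 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2}))?$/;
function validateLastmod(value) {
  if (typeof value !== 'string' || !ISO_8601.test(value)) {
    throw new SitemapValidationError('lastmod must be an ISO 8601 date');
  }
  if (Number.isNaN(new Date(value).getTime())) {
    throw new SitemapValidationError('lastmod is not a real date');
  }
  return value;
}

// NaN and Infinity are both typeof 'number', so a type check alone is not enough.
function validatePriority(value) {
  if (typeof value !== 'number' || !Number.isFinite(value) || value < 0 || value > 1) {
    throw new SitemapValidationError('priority must be a finite number between 0.0 and 1.0');
  }
  return value;
}

// Custom namespaces: bounded count and length, and the prefix must be a safe
// attribute name because it is emitted as xmlns:<prefix>="...". The allowlist
// is stricter than XML's Name production (an assumption of this example).
const SAFE_PREFIX = /^[A-Za-z_][A-Za-z0-9_.-]*$/;
function validateNamespaces(namespaces) {
  const entries = Object.entries(namespaces || {});
  if (entries.length > LIMITS.MAX_NAMESPACES) throw new SitemapValidationError('too many namespaces');
  for (const [prefix, uri] of entries) {
    if (!SAFE_PREFIX.test(prefix)) throw new SitemapValidationError(`bad namespace prefix ${prefix}`);
    if (typeof uri !== 'string' || uri.length === 0 || uri.length > LIMITS.MAX_NAMESPACE_LENGTH) {
      throw new SitemapValidationError(`bad namespace URI for ${prefix}`);
    }
  }
  return entries.map(([prefix, uri]) => `xmlns:${prefix}="${escapeXml(uri)}"`).join(' ');
}

// Output paths: refuse any '..' segment outright rather than trying to resolve it.
function validateOutputPath(filePath) {
  if (typeof filePath !== 'string' || filePath.split(/[\\/]/).includes('..')) {
    throw new SitemapValidationError('path must not contain ".." segments');
  }
  return filePath;
}

// Render one <url> element from an untrusted item, validating every field on the way.
function renderUrlEntry(item) {
  let xml = `<url><loc>${escapeXml(validateUrl(item.url))}</loc>`;
  if (item.lastmod !== undefined) xml += `<lastmod>${validateLastmod(item.lastmod)}</lastmod>`;
  if (item.priority !== undefined) xml += `<priority>${validatePriority(item.priority).toFixed(1)}</priority>`;
  return `${xml}</url>`;
}

// Constructed sample input: one good entry, then inputs the hardened checks reject.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUrlEntry({ url: 'https://example.com/search?a=1&b=2', lastmod: '2025-10-20', priority: 0.5 }));
  for (const bad of ['javascript:alert(1)', 'data:text/html,<b>', 'file:///etc/passwd', 'ftp://example.com/x', '/relative']) {
    try { validateUrl(bad); } catch (e) { console.log(`rejected ${bad}: ${e.message}`); }
  }
}
```

The same principle underlies the xmllint change in the notes: feeding the document to the validator on stdin means an untrusted file path never reaches the child process's argument list, so there is nothing for a crafted path to inject.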

renovate added 1 commit 2025-10-20 03:02:38 +00:00
Update dependency sitemap to v8.0.1
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
6a922433cc
alazyreader merged commit 93369a2d62 into main 2025-10-27 15:25:00 +00:00
alazyreader deleted branch renovate/sitemap-8.x-lockfile 2025-10-27 15:25:00 +00:00
Reference: alazyreader/nyc-bookstores#24