Update dependency sitemap to v9.0.1 #29

Merged
alazyreader merged 1 commits from renovate/sitemap-9.x-lockfile into main 2026-02-28 21:27:32 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| sitemap | dependencies | patch | 9.0.0 → 9.0.1 |

Release Notes

ekalinin/sitemap.js (sitemap)

v9.0.1

Compare Source

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

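The BB-01 item in the release notes above, shown as an added example that is not part of this PR or of the sitemap.js source: the same `<?xml-stylesheet?>` line built with and without escaping, plus a check a consumer can run on generated output. All function names and the sample URL are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not sitemap.js internals.

// The four characters the release note lists, mapped to XML predefined entities.
const XML_ESCAPES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Single pass, so entities produced here are never escaped a second time.
function escapeXslUrl(url) {
  return String(url).replace(/[&"<>]/g, (ch) => XML_ESCAPES[ch]);
}

// "Before" shape: the URL is interpolated as-is into the pseudo-attribute.
function stylesheetPiUnescaped(xslUrl) {
  return `<?xml-stylesheet type="text/xsl" href="${xslUrl}"?>`;
}

// "After" shape: the URL is escaped before interpolation.
function stylesheetPiEscaped(xslUrl) {
  return `<?xml-stylesheet type="text/xsl" href="${escapeXslUrl(xslUrl)}"?>`;
}

// Output check: the line must be exactly one processing instruction whose
// href value holds no raw quote or angle bracket and no bare ampersand.
const PI_SHAPE =
  /^<\?xml-stylesheet type="text\/xsl" href="(?:[^"<>&]|&(?:amp|quot|lt|gt);)*"\?>$/;

function piIsWellFormed(pi) {
  return PI_SHAPE.test(pi);
}

// Constructed sample input containing all four special characters.
const SAMPLE_XSL_URL = 'https://example.test/sitemap.xsl?a=1&b="x"<y>';

function demo() {
  return {
    unescapedOk: piIsWellFormed(stylesheetPiUnescaped(SAMPLE_XSL_URL)),
    escapedOk: piIsWellFormed(stylesheetPiEscaped(SAMPLE_XSL_URL)),
    escaped: stylesheetPiEscaped(SAMPLE_XSL_URL),
  };
}

console.log(demo());
```

A check like `piIsWellFormed` fits in a CI step that inspects generated sitemaps, so a regression in escaping is caught even if the dependency is later downgraded.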
renovate added 1 commit 2026-02-28 06:02:45 +00:00
Update dependency sitemap to v9.0.1
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
e2e7a348d4
alazyreader merged commit a523ade3b6 into main 2026-02-28 21:27:32 +00:00
alazyreader deleted branch renovate/sitemap-9.x-lockfile 2026-02-28 21:27:32 +00:00

Reference: alazyreader/nyc-bookstores#29