Skip to content

Update dependency plist>@xmldom/xmldom to ^0.9.0#9866

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/plist-xmldom-xmldom-0.x
Open

Update dependency plist>@xmldom/xmldom to ^0.9.0#9866
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/plist-xmldom-xmldom-0.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 20, 2026

This PR contains the following updates:

Package Change Age Confidence
plist>@xmldom/xmldom ^0.8.11^0.9.0 age confidence

Release Notes

xmldom/xmldom (plist>@​xmldom/xmldom)

v0.9.10

Compare Source

Fixed
  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
    • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
  • isEqualNode now correctly returns false for CDATASection nodes with different data
Deprecated
  • The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.
Chore
  • updated dependencies

Thank you,
@​Jvr2022,
@​praveen-kv,
@​TharVid,
@​decsecre583,
@​tlsbollei,
@​KarimTantawey,
for your contributions

v0.9.9

Compare Source

Added
  • implement ParentNode.children getter #960 / #410
Fixed
  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
  • correctly traverse ancestor chain in Node.contains #931

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore
  • updated dependencies

Thank you,
@​stevenobiajulu,
@​yoshi389111,
@​thesmartshadow,
for your contributions

v0.9.8

Compare Source

Fixed
  • fix: replace \u2029 as part of normalizeLineEndings #839 / #838
  • perf: speed up line detection #847 / #838
Chore
  • updated dependencies
  • drop jazzer and rxjs devDependencies #845

Thank you,
@​kboshold,
@​Ponynjaa,
for your contributions.

v0.9.7

Compare Source

Added
  • Implementation of hasAttributes #804
Fixed
  • locator is now true even when other options are being used for the DOMParser #802 / #803
  • allow case-insensitive DOCTYPE in HTML #817 / #819
Performance
  • simplify DOM.compareDocumentPosition #805
Chore
  • updated devDependencies

Thank you,
@​zorkow,
@​Ponynjaa,
@​WesselKroos,
for your contributions.

v0.9.6

Compare Source

Fixed
  • lower error level for unicode replacement character #790 / #794 / #797
Chore
  • updated devDependencies
  • migrate renovate config #792

Thank you, @​eglitise, for your contributions.

v0.9.5

Compare Source

Fixed
  • fix: re-index childNodes on insertBefore #763 / #766

Thank you,
@​mureinik,
for your contributions.

v0.9.4

Compare Source

Fixed
  • restore performance for large amount of child nodes #748 / #760
  • types: correct error handler level to warning (#​759) #754 / #759
Docs
  • test: verify BOM handling #758

Thank you,
@​luffynando,
@​mattiasw,
@​JoinerDev,
for your contributions.

v0.9.3

Compare Source

Fixed
  • restore more Node and ProcessingInstruction types #725 / #726
  • getElements* methods return LiveNodeList<Element> #731 / #734
  • Add more missing Node props #728, triggered by unclosed #724
Docs
Chore
  • updates devDependencies

Thank you,
@​Ponynjaa,
@​ayZagen,
@​sserdyuk,
@​wydengyre,
@​mykola-mokhnach,
@​benkroeger,
for your contributions.

v0.9.2

Compare Source

Feature
  • add Element.getElementsByClassName #722
Fixed
  • add missing types for Document.documentElement and Element.tagName #721 #720

Thank you, @​censujiang, @​Mathias-S, for your contributions

v0.9.1

Compare Source

Fixed
  • DOMParser.parseFromString requires mimeType as second argument #713
  • correct spelling of isHTMLMimeType in type definition #715 / #712
  • sync types with exports #717 / #285 / #695
Other
  • minimum tested node version is 14 #710

Thank you, @​krystofwoldrich, @​marvinruder, @​amacneil, @​defunctzombie,
@​tjhorner, @​danon, for your contributions

v0.9.0

Compare Source

Features
  • feat: expose all DOM level 2 element prototypes #637 / #40
  • feat: add iterator function to NodeList and NamedNodeMap #634 / #633
Fixed
  • parse empty/whitspace only doctype internal subset #692
  • avoid prototype clash in namespace prefix #554
  • report fatalError when doctype is inside elements #550
Other
  • test: add fuzz target and regression tests #556
  • chore: improve .gitignore and provide .envrc.template #697
  • chore: Apply security best practices #546
  • ci: check test coverage in PRs #524
  • docs: add missing commas to readme #566
  • docs: click to copy install command in readme #644
  • docs: enhance jsdoc comments #511

Thank you, @​kboshold, @​edi9999, @​apupier,
@​shunkica, @​homer0, @​jhauga,
@​UdayKharatmol, for your contributions

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 3am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies PRs or issues relating to dependencies renovate labels May 20, 2026
@renovate renovate Bot changed the title chore(deps): update dependency plist>@xmldom/xmldom to ^0.9.0 Update dependency plist>@xmldom/xmldom to ^0.9.0 May 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies PRs or issues relating to dependencies renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants