Skip to content

fix(deps): update dependency @xmldom/xmldom to ^0.9.0#443

Open
renovate[bot] wants to merge 1 commit into
chore/all-my-stuffsfrom
renovate/xmldom-xmldom-0.x
Open

fix(deps): update dependency @xmldom/xmldom to ^0.9.0#443
renovate[bot] wants to merge 1 commit into
chore/all-my-stuffsfrom
renovate/xmldom-xmldom-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
@xmldom/xmldom ^0.8.13^0.9.0 age confidence

Release Notes

xmldom/xmldom (@​xmldom/xmldom)

v0.9.10

Compare Source

Fixed
  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
    • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
  • isEqualNode now correctly returns false for CDATASection nodes with different data
Deprecated
  • The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.
Chore
  • updated dependencies

Thank you,
@​Jvr2022,
@​praveen-kv,
@​TharVid,
@​decsecre583,
@​tlsbollei,
@​KarimTantawey,
for your contributions

v0.9.9

Compare Source

Added
  • implement ParentNode.children getter #960 / #410
Fixed
  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
  • correctly traverse ancestor chain in Node.contains #931

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore
  • updated dependencies

Thank you,
@​stevenobiajulu,
@​yoshi389111,
@​thesmartshadow,
for your contributions

v0.9.8

Compare Source

Fixed
  • fix: replace \u2029 as part of normalizeLineEndings #839 / #838
  • perf: speed up line detection #847 / #838
Chore
  • updated dependencies
  • drop jazzer and rxjs devDependencies #845

Thank you,
@​kboshold,
@​Ponynjaa,
for your contributions.

v0.9.7

Compare Source

Added
  • Implementation of hasAttributes #804
Fixed
  • locator is now true even when other options are being used for the DOMParser #802 / #803
  • allow case-insensitive DOCTYPE in HTML #817 / #819
Performance
  • simplify DOM.compareDocumentPosition #805
Chore
  • updated devDependencies

Thank you,
@​zorkow,
@​Ponynjaa,
@​WesselKroos,
for your contributions.

v0.9.6

Compare Source

Fixed
  • lower error level for unicode replacement character #790 / #794 / #797
Chore
  • updated devDependencies
  • migrate renovate config #792

Thank you, @​eglitise, for your contributions.

v0.9.5

Compare Source

Fixed
  • fix: re-index childNodes on insertBefore #763 / #766

Thank you,
@​mureinik,
for your contributions.

v0.9.4

Compare Source

Fixed
  • restore performance for large amount of child nodes #748 / #760
  • types: correct error handler level to warning (#​759) #754 / #759
Docs
  • test: verify BOM handling #758

Thank you,
@​luffynando,
@​mattiasw,
@​JoinerDev,
for your contributions.

v0.9.3

Compare Source

Fixed
  • restore more Node and ProcessingInstruction types #725 / #726
  • getElements* methods return LiveNodeList<Element> #731 / #734
  • Add more missing Node props #728, triggered by unclosed #724
Docs
Chore
  • updates devDependencies

Thank you,
@​Ponynjaa,
@​ayZagen,
@​sserdyuk,
@​wydengyre,
@​mykola-mokhnach,
@​benkroeger,
for your contributions.

v0.9.2

Compare Source

Feature
  • add Element.getElementsByClassName #722
Fixed
  • add missing types for Document.documentElement and Element.tagName #721 #720

Thank you, @​censujiang, @​Mathias-S, for your contributions

v0.9.1

Compare Source

Fixed
  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
    • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
  • isEqualNode now correctly returns false for CDATASection nodes with different data
Deprecated
  • The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.
Chore
  • updated dependencies

Thank you,
@​Jvr2022,
@​praveen-kv,
@​TharVid,
@​decsecre583,
@​tlsbollei,
@​KarimTantawey,
for your contributions

v0.9.0

Compare Source

Features
  • feat: expose all DOM level 2 element prototypes #637 / #40
  • feat: add iterator function to NodeList and NamedNodeMap #634 / #633
Fixed
  • parse empty/whitspace only doctype internal subset #692
  • avoid prototype clash in namespace prefix #554
  • report fatalError when doctype is inside elements #550
Other
  • test: add fuzz target and regression tests #556
  • chore: improve .gitignore and provide .envrc.template #697
  • chore: Apply security best practices #546
  • ci: check test coverage in PRs #524
  • docs: add missing commas to readme #566
  • docs: click to copy install command in readme #644
  • docs: enhance jsdoc comments #511

Thank you, @​kboshold, @​edi9999, @​apupier,
@​shunkica, @​homer0, @​jhauga,
@​UdayKharatmol, for your contributions


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@sharevb sharevb force-pushed the chore/all-my-stuffs branch 3 times, most recently from 1cc77eb to 02df0f3 Compare July 11, 2026 15:17
@renovate renovate Bot force-pushed the renovate/xmldom-xmldom-0.x branch from af0a10e to e3a741c Compare July 12, 2026 11:41
@sharevb sharevb force-pushed the chore/all-my-stuffs branch 2 times, most recently from 41fa755 to 0620f57 Compare July 12, 2026 14:58
@renovate renovate Bot force-pushed the renovate/xmldom-xmldom-0.x branch from e3a741c to f9276cf Compare July 12, 2026 16:21
@sharevb sharevb force-pushed the chore/all-my-stuffs branch from e7d0ce8 to 41464cf Compare July 12, 2026 19:04
@renovate renovate Bot force-pushed the renovate/xmldom-xmldom-0.x branch from f9276cf to 52afc7c Compare July 12, 2026 19:10
@sharevb sharevb force-pushed the chore/all-my-stuffs branch from 138e700 to c6447be Compare July 12, 2026 21:05
@renovate renovate Bot force-pushed the renovate/xmldom-xmldom-0.x branch from 52afc7c to 11a38a1 Compare July 12, 2026 21:09
@sharevb sharevb force-pushed the chore/all-my-stuffs branch from c6447be to 23dc0d4 Compare July 12, 2026 21:11
@renovate renovate Bot force-pushed the renovate/xmldom-xmldom-0.x branch from 11a38a1 to cc89dc6 Compare July 12, 2026 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants