chore(deps): update dependency xmldom to v0.5.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
xmldom	0.1.31 -> 0.5.0

GitHub Vulnerability Alerts

CVE-2021-21366

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

• https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

• Open an issue in xmldom/xmldom
• Email us: send an email to all addresses that are shown by npm owner ls xmldom

---

Release Notes

xmldom/xmldom (xmldom)

v0.5.0

Compare Source

Commits

Fixes

• Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

  • Improve error reporting; throw on duplicate attribute
    BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them.
    It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

    To accomplish this and also be able to verify it in tests I needed to

    • create a new Error type ParseError and export it
    • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
    • export DOMHandler constructor as __DOMHandler

  • Preserve quotes in DOCTYPE declaration
    Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes.
    BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping.
    (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

    https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
    https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

• Fix breaking preprocessors' directives when parsing attributes #171

• fix(dom): Escape ]]> when serializing CharData #181

• Switch to (only) MIT license (drop problematic LGPL license option) #178

• Export DOMException; remove custom assertions; etc. #174

Docs

• Update MDN links in readme.md #188

v0.4.0

Compare Source

Commits

Fixes

• BREAKING Restore   behavior from v0.1.27 #67
• BREAKING Typecheck source param before parsing #113
• Include documents in package files list #156
• Preserve doctype with sysid #144
• Remove ES6 syntax from getElementsByClassName #91
• Revert "Add lowercase of åäö in entityMap" due to duplicate entries #84
• fix: Convert all line separators to LF #66

Docs

• Update CHANGELOG.md through version 0.3.0 #63
• Update badges #78
• Add .editorconfig file #104
• Add note about import #79
• Modernize & improve the example in readme.md #81

CI

• Add Stryker Mutator #70
• Add Stryker action to update dashboard #77
• Add Node GitHub action workflow #64
• add & enable eslint #106
• Use eslint-plugin-es5 to enforce ES5 syntax #107
• Recover vows tests, drop proof tests #59
• Add jest tessuite and first tests #114
• Add jest testsuite with xmltest cases #112
• Configure Renovate #108
• Test European HTML entities #86
• Updated devDependencies

Other

• Remove files that are not of any use #131, #65, #33

v0.3.0

Compare Source

Commits

• BREAKING Node >=10.x is now required.
• BREAKING Remove component.json (deprecated package manager https://github.com/componentjs/guide)
• BREAKING Move existing sources into lib subdirectory.
• POSSIBLY BREAKING Introduce files entry in package.json and remove use of .npmignore.
• Add Document.getElementsByClassName.
• Add Node to the list of exports
• Add lowercase of åäö in entityMap.
• Move CHANGELOG to markdown file.
• Move LICENSE to markdown file.

v0.2.1

Compare Source

Commits

• Correct homepage, repository and bugs URLs in package.json.

v0.2.0

Compare Source

Commits

• Includes all BREAKING changes introduced in [email protected] by the original authors.
• POSSIBLY BREAKING remove the Object.create check from the _extends method of dom.js that added a __proto__ property ().
• POSSIBLY BREAKING remove code that added a __proto__ property
• formatting/corrections in package.json

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.