[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1
base: master
Snyk has created this PR to upgrade @xmldom/xmldom from 0.7.9 to 0.8.6.
See this package in npm: https://www.npmjs.com/package/@xmldom/xmldom
See this project in Snyk: https://app.snyk.io/org/jerk400/project/30dcbbc9-093b-4711-ace3-bdfebdfca6b6?utm_source=github&utm_medium=referral&page=upgrade-pr
New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
Bot Commands
To ignore an alert, reply with a comment starting with
Package | Previous Chronological | Previous Semver | Source |
---|---|---|---|
@xmldom/xmldom@0.8.6 (upgraded) | @xmldom/xmldom@0.9.0-beta.6 (11/3/2022, 8:00:45 AM) | @xmldom/xmldom@0.8.5 (10/31/2022, 8:56:40 AM) | package-lock.json , package.json |
Pull request alert summary
📊 Modified Dependency Overview:
⬆️ Updated Package | Version Diff | Added Capability Access | +/- Transitive Count | Publisher |
---|---|---|---|---|
@xmldom/xmldom@0.8.6 | 0.7.9...0.8.6 | None | +0/-0 | karfau |
Snyk has created this PR to upgrade @xmldom/xmldom from 0.7.9 to 0.8.6.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: @xmldom/xmldom
Commits
Fixed
#457 / #455 / #456
Thank you, @edemaine, @pedro-l9, for your contributions
Commits
Fixed
#452 / #453
Thank you, @fengxinming, for your contributions
Commits
Fixed
CVE-2022-39353
In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity
Thank you, @frumioj, @cjbarth, @markgollnick for your contributions
commits
Fixed
#485 / #486
Thank you, @bulandent, for your contributions
Commits
Fixed
#457 / #455 / #456
Thank you, @edemaine, @pedro-l9, for your contributions
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.