Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

• 8db2d44 chore: bump version to v0.32.0 (#10840)
• 2af6116 chore: backport fixes from the v1x branch (#10838)
• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Sourced from tinymce's changelog.

7.9.3 - 2026-05-19

Security

• Fixed media plugin data-mce-object injection leading to stored XSS. #TINY-14357
• Fixed stored XSS vulnerability through mce:protected comments. #TINY-14353
• Fixed stored XSS vulnerability through data-mce- prefixed src, href, style attributes. #TINY-14333

7.9.2 - 2026-02-11

Deprecated

• The default value of allow_html_in_comments will change from true to false in TinyMCE 8.x. #TINY-11900

Security

• Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when xss_sanitization is enabled (default). The Introduced allow_html_in_comments option provides control over comment node sanitization behavior. #TINY-11900
• Introduced allow_html_in_comments option (boolean, default: true) to control handling of HTML-like syntax in comment nodes. This option will default to false in TinyMCE 8.x. #TINY-11900

7.9.1 - 2025-05-29

Improved

• Update Notices file and minified notices. #TINY-12091

7.9.0 - 2025-05-15

Added

• Added new disc style option for unordered lists. #TINY-12015

Improved

• The resize cursor now points in the correct direction for each resize mode. Patch contributed by daniloff200. ##GH-10189
• If style_formats is empty, the button is now disabled. #TINY-12005
• Inline dialog dropdowns reposition when the dialog is dragged or the window is scrolled. #TINY-11368
• Bullet list icons were have been updated to better represent the default styles. #TINY-12014

Changed

• The ContextFormSizeInput lock button is now centered instead of aligned to the end. #TINY-11916
• Changed the default value of advlist_bullet_styles option to default,disc,circle,square. #TINY-12083

Fixed

• Autolink no longer overrides already existing links when autolinking. #TINY-11836
• Removed the deprecated CSS media selector -ms-high-contrast. #TINY-11876
• The mceInsertContent command no longer deletes the parent block element when an anchor is selected. #TINY-11953
• Table resizers are now visible when inline editor has a z-index property. #TINY-11981
• Tabbing inside a figcaption element no longer displays two text insertion carets. #TINY-11997
• Pressing Enter before a floating image no longer duplicates the image. #TINY-11676
• Editor did not scroll into viewport on receiving focus on Chrome and Safari. #TINY-12017
• Select UI elements was not properly styled on Chrome version 136. #TINY-12131

7.8.0 - 2025-04-09

Added

... (truncated)

• 9dac5bb TINY-14334: Fix failing test for 7.9.3 patch release
• 710d12b TINY-14334: Lint fix for 7.9.3 patch release
• 76f8454 TINY-14334: Add changelog for 7.9.3 patch release
• 1d4c86b TINY-14357: Fixed data-mce-object injection (#19)
• 0029dad TINY-14333: Fixed stored XSS vulnerability through data-mce- prefixed src...
• a7d7701 TINY-14353: Fixed stored XSS vulnerability through mce:protected comments (...
• 58475df TINY-13699: Bump package.json for next release
• fa9eb9d TINY-13699: Add changelog for 7.9.2 patch release (#10888)
• c323038 TINY-12247: Fix flaky tests (#10521)
• df337f6 TINY-13655: Fix failing tests in firefox (#10859)
• Additional commits viewable in compare view

This version was pushed to npm by tinymce, a new releaser for tinymce since your current version.

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

... (truncated)

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

• 4fba754 v7.29.7
• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 61647ae v7.28.5
• a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
• eebd3a0 v7.27.1
• 317e332 Enforce node protocol import (#17207)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Sourced from @​tootallnate/once's releases.

v2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Sourced from @​tootallnate/once's changelog.

2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

• bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
• dc24387 Version Packages (2.x) (#12)
• b8a6f80 CI: test all Node versions on Linux only
• dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
• b464efc Update CI: modern Node versions, fix macOS ARM64 compat
• a1e5e2d Fix promise hang when AbortSignal is aborted
• See full diff in compare view

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.

Sourced from @​xmldom/xmldom's releases.

0.9.10

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Commits

Added

• implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
• correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

• updated dependencies

Thank you, @​stevenobiajulu,

... (truncated)

Sourced from @​xmldom/xmldom's changelog.

0.9.10

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

... (truncated)

• bf396a5 0.9.10
• 78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
• 192ce5b ci: remove unused imports flagged by CodeQL
• ca81c06 test: lower stack size for tests
• c9d5937 style: npm run format
• 1537fb4 docs: add 0.9.10 changelog entry
• afd6f6f docs: add 0.8.13 changelog entry
• afeb4ee refactor: align error mesage between branches
• 4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
• dfb94a4 test: add missing isEqualNode behavioral coverage
• Additional commits viewable in compare view

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Sourced from bn.js's ...

Description has been truncated