chore(deps): bump @xmldom/xmldom from 0.9.9 to 0.9.10 (#1407)

Bumps @xmldom/xmldom from 0.9.9 to 0.9.10.

Release notes

Sourced from @xmldom/xmldom's releases.

0.9.10

Commits

Fixed

Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h

Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production

ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>

DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>

Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

updated dependencies

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

Changelog

Sourced from @xmldom/xmldom's changelog.

0.9.10

Fixed

Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h

Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production

ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>

DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>

Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

updated dependencies

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.8.13

Fixed

Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h

Comment: throws when data contains -->

ProcessingInstruction: throws when data contains ?>

DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>

Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

Commits

bf396a5 0.9.10
78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
192ce5b ci: remove unused imports flagged by CodeQL
ca81c06 test: lower stack size for tests
c9d5937 style: npm run format
1537fb4 docs: add 0.9.10 changelog entry
afd6f6f docs: add 0.8.13 changelog entry
afeb4ee refactor: align error mesage between branches
4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
dfb94a4 test: add missing isEqualNode behavioral coverage
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @xmldom/xmldom since your current version.

Dependabot will resolve any conflicts with this PR as long as you don’t alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

AWS Cloud Development Kit (AWS CDK) Toolkit

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation.

The AWS CDK consists of two main components:

a class library, that you use to to model your infrastructure in code; and
a toolkit, consisting of a CLI or a programmatic library, to act on those models.

This repository contains the code for the toolkit components. The class library repository is the main repository for the CDK project.

Getting Help

The best way to interact with our team is through GitHub, on the aws-cdk repository. You can open an issue and choose from one of our templates for bug reports, feature requests, documentation issues, or guidance.

If you have a support plan with AWS Support, you can also create a new support case.

You may also find help on these community resources:

Look through the API Reference or Developer Guide
The #aws-cdk Slack channel in cdk.dev
Ask a question on Stack Overflow and tag it with aws-cdk

Contributing

We welcome community contributions and pull requests. See CONTRIBUTING.md for information on how to set up a development environment and submit code.

Structure of this repository

Here are the packages in this repository. See the README of each package for more information about it:

Package	Description	Published?	Maintained?
aws-cdk	The CDK Toolkit CLI, main CLI interface to CDK projects.	Yes	Yes
@aws-cdk/toolkit-lib	A programmatic interface for the CDK Toolkit.	Yes	Yes
cdk	An alias for `aws-cdk` so you can run `npx cdk` even if it’s not installed.	Yes	Yes
cdk-assets v3	CLI component handling asset uploads, also used as a CLI in CDK Pipelines	Yes	Yes
@aws-cdk/cloud-assembly-schema	The contract between the CDK construct library and the CDK toolkit	Yes	Yes
@aws-cdk/cloudformation-diff	CLI component for diffing CloudFormation templates	Yes	Yes
@aws-cdk/cli-plugin-contract	TypeScript types for CLI plugins.	Yes	Yes
@aws-cdk/cdk-cli-wrapper	A deprecated attempt at building a programmatic interface for the CLI	No	No
@aws-cdk/node-bundle	A tool to build CLI bundles that include license attributions.	No	Yes
@aws-cdk/user-input-gen	A build tool for the CLI and toolkit-lib.	No	Yes
@aws-cdk/yarn-cling	A deprecated build tool for the CLI.	No	No

Every package comes with its own unit tests. There is a companion repository to this one containing the integration tests. You can find it here: https://github.com/aws/aws-cdk-cli-testing

See the contributing guide for more information on this repository.

Compatibility

The CLI is always able to process CDK apps using a version of the Construct Library released before it. We recommend you always keep the CLI version up-to-date to get the latest features.

For more details on the compatibility model and specific versions that work together, see COMPATIBILITY.md.