🔒 Security Patch Release
This release backports comprehensive security fixes from 9.0.0 to the 8.0.x branch. Upgrading is strongly recommended for all 8.0.0 users.
✅ Backward Compatibility
- 100% API compatible with 8.0.0
- No breaking changes
- All existing valid inputs continue to work
- Only rejects invalid/malicious inputs
🛡️ Security Fixes
High Priority:
- XML Injection Prevention (XSS protection via enhanced escaping)
- Protocol Injection Prevention (blocks javascript:, data:, file: URLs)
- Path Traversal Prevention (blocks .. sequences)
- Command Injection Fix (xmllint security hardening)
Medium Priority:
- DoS Protection (resource limits, memory exhaustion prevention)
- Input Validation (comprehensive validation for all user inputs)
- XSS Prevention (XSL URL validation)
Infrastructure:
- Added centralized security limits and validation framework
- Enhanced error handling with comprehensive error reporting
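As an added illustration of the input rules listed above (this is not the sitemap package's own code; the function names, the http/https allowlist and the 2048-character `<loc>` limit taken from the sitemap protocol are assumptions), a validator that rejects the protocol and traversal cases and entity-escapes the accepted location:

```javascript
// Added example of the kind of checks described in this release; it is not
// the sitemap package's own code. Names and limits below are assumptions.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']); // assumed allowlist
const MAX_LOC_LENGTH = 2048; // <loc> length limit from the sitemap protocol

// Entity-escape a value before placing it inside a <loc> element.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Best-effort percent-decode so that %2e%2e is seen as ".." as well.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns { ok: true, loc } for an acceptable URL, or { ok: false, reason }.
function validateSitemapUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'empty or non-string input' };
  }
  if (raw.length > MAX_LOC_LENGTH) {
    return { ok: false, reason: 'exceeds maximum <loc> length' };
  }
  // Check for ".." before parsing: the WHATWG URL parser would silently
  // resolve "a/../b" to "b", hiding the sequence from a post-parse check.
  if (raw.includes('..') || safeDecode(raw).includes('..')) {
    return { ok: false, reason: 'path traversal sequence' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Allowlist rather than denylist: javascript:, data:, file: and any
  // other scheme are rejected because they are not listed.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  return { ok: true, loc: escapeXml(url.href) };
}
```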
📦 Dependencies Updated
- sax: ^1.2.4 → ^1.4.1
📊 Testing
- ✅ All 94 tests passing
- ✅ TypeScript compilation successful
- ✅ ESLint clean
📝 Installation
npm install sitemap@8.0.1
See CHANGELOG.md for complete details.
🤖 Generated with Claude Code