Release 0.8.x

[karfau]

All changes

0.8.12

Fixed

• preserve trailing whitespace in ProcessingInstruction data #962 / #42
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you,
@thesmartshadow,
@stevenobiajulu,
for your contributions

0.8.11

Fixed

• update ownerDocument when moving nodes between documents #933 / #932

Thank you, @shunkica, for your contributions

0.8.10

Fixed

• dom: prevent iteration over deleted items #514/ #499

Thank you, @qtow, for your contributions

0.8.9

Fixed

• Set nodeName property in ProcessingInstruction #509 / #505

Thank you, @cjbarth, for your contributions

0.8.8

Fixed

• extend list of HTML entities #489

Thank you, @zorkow, for your contributions

0.8.7

Fixed

• properly parse closing where the last attribute has no value #485 / #486

Thank you, @bulandent, for your contributions

0.8.6

Fixed

• Properly check nodes before replacement #457 / #455 / #456

Thank you, @edemaine, @pedro-l9, for your contributions

0.8.5

Fixed

• fix: Restore ES5 compatibility #452 / #453

Thank you, @fengxinming, for your contributions

0.8.4

Fixed

• Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353
  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly.
  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
  Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.8.3

Fixed

• Avoid iterating over prototype properties #437 / #436

Thank you, @Supraja9726, for your contributions

0.8.2

Release 0.8.2

Fixed

• fix(dom): Serialize > as specified (fix(dom): Serialize > as specified #395) #58

Other

• docs: Add nodeType values to public interface description #396
• test: Add executable examples for node and typescript #317
• chore: Add minimal Object.assign ponyfill #379
• docs: Refine release documentation #378
• chore: update various dev dependencies

Thank you @niklasl, @cburatto, @SheetJSDev, @pyrsmk for your contributions

0.8.1

Release 0.8.1

Fixes

• Only use own properties in entityMap #374

Docs

• Add security policy #365
• changelog: Correct contributor name and link #366
• Describe release/publish steps #358, #376
• Add snyk package health badge #360

---

0.8.0

Release 0.8.0

Fixed

• Normalize all line endings according to XML specs 1.0 and 1.1
  BREAKING CHANGE: Certain combination of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
  • #303 / #307
  • #49, #97, #324 / #314
• XMLSerializer: Preserve whitespace character references #284 / #310
  BREAKING CHANGE: If you relied on the not spec compliant preservation of literal \t, \n or \r in attribute values.
  To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. 	, 
, 
).
• Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309
  BREAKING CHANGE: Use the one provided by the main package export.
• dom: Remove all links as part of removeChild #343 / #355

Chore

• ci: Restore latest tested node version to 16.x #325
• ci: Split test and lint steps into jobs #111 / #304
• Pinned and updated devDependencies

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions

[karfau]

Just to make this more visible:
There is a related discussion regarding the recent breaking changes 0.8.4 should not have been a minor release