Bump the npm_and_yarn group across 1 directory with 28 updates

[dependabot]

Bumps the npm_and_yarn group with 23 updates in the / directory:

Package	From	To
@babel/runtime	7.23.8	7.29.2
axios	0.27.2	0.31.1
lodash	4.17.21	4.18.1
postcss	8.4.47	8.5.10
socket.io-parser	4.2.4	4.2.6
socket.io-parser	3.3.3	3.3.5
socket.io-parser	3.4.2	3.4.4
brace-expansion	1.1.11	1.1.14
@tootallnate/once	2.0.0	removed
ajv	6.12.6	6.15.0
bn.js	5.2.1	5.2.3
bn.js	4.12.0	4.12.3
cipher-base	1.0.4	1.0.7
http-proxy-middleware	2.0.6	2.0.9
immutable	4.3.0	4.3.8
min-document	2.19.0	2.19.2
node-forge	1.3.1	1.4.0
on-headers	1.0.2	1.1.0
path-to-regexp	0.1.7	0.1.13
pbkdf2	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
svgo	2.8.0	2.8.2
yaml	1.10.2	1.10.3
yaml	2.5.1	2.8.4
underscore	1.13.7	1.13.8
validator	13.12.0	13.15.35
webpack	5.76.0	5.106.2

Updates @babel/runtime from 7.23.8 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• d7f4008 v7.28.6
• 35055e3 v7.28.4
• ef155f5 v7.28.3
• cac0ff4 v7.28.2
• f68ac51 chore: Avoid CITGM errors (#17382)
• baa4cb8 v7.27.6
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/runtime since your current version.

Updates axios from 0.27.2 to 0.31.1

Release notes

Sourced from axios's releases.

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#6253)
• @​gmasclet (#6484)
• @​shaanmajid (#10638, #10639, #10667)
• @​ivan-churakov (#7328)

Full Changelog

... (truncated)

Commits

• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• 5073eca chore: release v0.31.0 (#10697)
• b57eb1a ci: update branch name (#10692)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates postcss from 8.4.47 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

... (truncated)

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates socket.io-parser from 4.2.4 to 4.2.6

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Updates socket.io-parser from 3.3.3 to 3.3.5

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Updates socket.io-parser from 3.4.2 to 3.4.4

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Removes @tootallnate/once

Updates @xmldom/xmldom from 0.7.13 to 0.9.10

Release notes

Sourced from @​xmldom/xmldom's releases.

0.9.10

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Commits

Added

• implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
• correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

• updated dependencies

Thank you, @​stevenobiajulu,

... (truncated)

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.9.10

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

... (truncated)

Commits

• bf396a5 0.9.10
• 78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
• 192ce5b ci: remove unused imports flagged by CodeQL
• ca81c06 test: lower stack size for tests
• c9d5937 style: npm run format
• 1537fb4 docs: add 0.9.10 changelog entry
• afd6f6f docs: add 0.8.13 changelog entry
• afeb4ee refactor: align error mesage between branches
• 4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
• dfb94a4 test: add missing isEqualNode behavioral coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates bn.js from 5.2.1 to 5.2.3

Changelog

Sourced from bn.js's changelog.

5.2.3 / 2026-02-19

• fix: imaskn state (#317)

5.2.2 / 2025-04-25

• fix: imuln/muln with zero (#313)

Commits

• ea6c072 5.2.3
• 33df26b fix imaskn state (#317)
• 6db7c38 5.2.2
• c7e1a53 Fix imuln/muln with zero (#313)
• 4cc0bfa docs: mention the max plain JS number argument value (