Bump @xmldom/xmldom from 0.7.13 to 0.8.13 #16038

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/xmldom/xmldom-0.8.13

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps @xmldom/xmldom from 0.7.13 to 0.8.13.

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.13

Commits

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.12

Commits

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

xmldom/xmldom#357

0.8.11

Fixed

Thank you, @​shunkica, for your contributions

0.8.10

Commits

... (truncated)

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.13

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Added

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

  • updated dependencies

Thank you, @​stevenobiajulu, @​yoshi389111, @​thesmartshadow, for your contributions

0.8.12

Fixed

... (truncated)

Commits
  • e5c1480 0.8.13
  • 9611e20 style: drop unused import in test file
  • dc4dff3 docs: add 0.8.13 changelog entry
  • 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
  • aeff69f test: add normalize behavioral coverage to node.test.js
  • cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
  • 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
  • c007c51 refactor: migrate serializeToString to walkDOM
  • 2bb3899 test: add serializeToString coverage for uncovered branches
  • e69f38d refactor: migrate importNode to walkDOM
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/16038)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 23, 2026 00:15
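
The two security fixes in the 0.8.13 release notes above, as an added JavaScript example that is not xmldom's code or part of this pull request: a pre-serialization check that applies the conditions listed for requireWellFormed to plain node-like objects, walking the tree with an explicit stack so deep nesting does not exhaust the call stack. The node shapes, function names and sample document are constructed for illustration, and the literal checks follow the XML 1.0 grammar rather than xmldom's implementation.

```javascript
// Added example, not xmldom code. Nodes are plain objects shaped like DOM nodes (assumption).
const PI = 7, COMMENT = 8, DOCUMENT = 9, DOCTYPE = 10; // standard DOM nodeType values

// XML 1.0 PubidChar*; a SystemLiteral must be delimitable by one quote style.
const PUBID = /^[\x20\x0D\x0Aa-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;
const systemIdOk = (s) => !(s.includes('"') && s.includes("'"));

// Returns why a node is injection-prone when serialized, or null if it is safe.
function violation(node) {
  const d = node.data || '';
  if (node.nodeType === COMMENT && d.includes('-->')) return 'comment data contains -->';
  if (node.nodeType === PI && d.includes('?>')) return 'processing instruction data contains ?>';
  if (node.nodeType === DOCTYPE) {
    if (!PUBID.test(node.publicId || '')) return 'doctype publicId fails PubidLiteral';
    if (!systemIdOk(node.systemId || '')) return 'doctype systemId fails SystemLiteral';
    if ((node.internalSubset || '').includes(']>')) return 'doctype internalSubset contains ]>';
  }
  return null;
}

// Iterative walk: pending nodes live in an array on the heap, not in call frames.
function findInjectionProneNodes(root) {
  const findings = [];
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    const reason = violation(node);
    if (reason) findings.push(reason);
    const kids = node.childNodes || [];
    for (let i = kids.length - 1; i >= 0; i--) stack.push(kids[i]); // keeps document order
  }
  return findings;
}

// Recursive counterpart, kept only to show the RangeError failure mode.
function countRecursive(node) {
  let n = 1;
  for (const kid of node.childNodes || []) n += countRecursive(kid);
  return n;
}

// Constructed sample document: a doctype plus `depth` nested elements around two leaves.
function buildSample(depth) {
  let el = { nodeType: 1, childNodes: [
    { nodeType: COMMENT, data: 'build 42 --><injected/><!--' },
    { nodeType: PI, data: 'version="1.0"' },
  ] };
  for (let i = 0; i < depth; i++) el = { nodeType: 1, childNodes: [el] };
  const doctype = { nodeType: DOCTYPE, publicId: '-//EX//DTD Sample//EN',
    systemId: 'sample.dtd', internalSubset: '<!ENTITY a "b">]><extra/>' };
  return { nodeType: DOCUMENT, childNodes: [doctype, el] };
}

console.log(findInjectionProneNodes(buildSample(200000)));
```

On the same sample, `countRecursive` throws RangeError while the iterative walk completes and reports the doctype and comment nodes.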

github-actions Bot commented Apr 23, 2026

Performance Test Results

Branch: dependabot/npm_and_yarn/xmldom/xmldom-0.8.13
Commit: ee932c0d
Time: 2026-04-23T22:26:01.512Z
Tests: 160/161 passed

❌ Regressions Detected

SectionList

Scenario Baseline Current Change Status
SectionList rerender 11.60ms 15.80ms +61.9%

SectionList rerender: Duration increased by 61.9% / +6.50ms (threshold: 10% & 3ms)

✅ Passed

147 scenario(s) across 27 suite(s) — no regressions

FlatList

Scenario Mean Median StdDev Renders vs Baseline
FlatList mount 5.20ms 5.00ms ±1.03ms 1 +25.0%
FlatList unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
FlatList rerender 11.10ms 11.00ms ±1.10ms 2 +22.2%
FlatList with-10-items 4.90ms 5.00ms ±0.74ms 1 +25.0%
FlatList with-100-items 6.00ms 5.00ms ±2.31ms 1 +0.0%
FlatList with-500-items 5.80ms 6.50ms ±1.69ms 1 +62.5%
FlatList with-1000-items 6.40ms 5.50ms ±2.17ms 1 +37.5%
FlatList horizontal 4.60ms 5.00ms ±1.43ms 1 +0.0%
FlatList with-separator 2.70ms 2.00ms ±1.64ms 1 +0.0%
FlatList with-header-footer 1.60ms 2.00ms ±0.52ms 1 +0.0%
FlatList with-empty-list 0.40ms 0.00ms ±0.52ms 1 -100.0%
FlatList with-get-item-layout 2.30ms 2.00ms ±0.48ms 1 +100.0%
FlatList inverted 2.60ms 2.00ms ±2.07ms 1 +33.3%
FlatList with-num-columns 2.60ms 3.00ms ±0.70ms 1 +0.0%

TouchableOpacity

Scenario Mean Median StdDev Renders vs Baseline
TouchableOpacity mount 1.10ms 1.00ms ±0.32ms 1 +0.0%
TouchableOpacity unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
TouchableOpacity rerender 1.10ms 1.00ms ±0.57ms 2 +0.0%
TouchableOpacity custom-active-opacity 0.60ms 1.00ms ±0.52ms 1 +0.0%
TouchableOpacity disabled 0.70ms 1.00ms ±0.48ms 1 +0.0%
TouchableOpacity with-all-handlers 0.80ms 1.00ms ±0.42ms 1 +0.0%
TouchableOpacity with-hit-slop 0.90ms 1.00ms ±0.32ms 1 +0.0%
TouchableOpacity with-delay 0.70ms 1.00ms ±0.48ms 1 +0.0%
TouchableOpacity nested 1.60ms 2.00ms ±0.52ms 1 +100.0%
TouchableOpacity multiple-10 6.60ms 6.00ms ±1.92ms 1 +0.0%
TouchableOpacity multiple-50 31.73ms 31.00ms ±5.18ms 1 +6.9%
TouchableOpacity multiple-100 49.20ms 50.00ms ±17.33ms 1 +0.0%

ScrollView

Scenario Mean Median StdDev Renders vs Baseline
ScrollView mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
ScrollView unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
ScrollView rerender 0.50ms 0.50ms ±0.53ms 2 -50.0%
ScrollView children-20 4.13ms 4.00ms ±1.88ms 1 +0.0%
ScrollView children-100 19.07ms 19.00ms ±3.75ms 1 +18.8%
ScrollView horizontal 4.00ms 3.00ms ±1.94ms 1 -25.0%
ScrollView sticky-headers 3.10ms 3.50ms ±1.20ms 1 +16.7%
ScrollView scroll-indicators 0.80ms 1.00ms ±0.42ms 1 +0.0%
ScrollView nested 1.80ms 2.00ms ±0.63ms 1 +100.0%
ScrollView content-container-style 1.40ms 1.00ms ±1.65ms 1 +0.0%
ScrollView children-500 22.40ms 22.00ms ±3.96ms 1 +15.8%

TouchableHighlight

Scenario Mean Median StdDev Renders vs Baseline
TouchableHighlight mount 0.60ms 1.00ms ±0.52ms 1 +100.0%
TouchableHighlight unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
TouchableHighlight rerender 0.60ms 1.00ms ±0.52ms 2 +0.0%
TouchableHighlight custom-underlay-color 0.70ms 1.00ms ±0.48ms 1 +Infinity%
TouchableHighlight custom-active-opacity 0.50ms 0.50ms ±0.53ms 1 +Infinity%
TouchableHighlight disabled 0.30ms 0.00ms ±0.48ms 1 +0.0%
TouchableHighlight with-all-handlers 0.30ms 0.00ms ±0.48ms 1 +0.0%
TouchableHighlight with-hit-slop 0.50ms 0.50ms ±0.53ms 1 +Infinity%
TouchableHighlight nested-touchables 0.80ms 1.00ms ±0.63ms 1 +0.0%
TouchableHighlight multiple-touchables-10 3.10ms 3.00ms ±0.74ms 1 +0.0%
TouchableHighlight multiple-touchables-50 14.60ms 14.50ms ±2.41ms 1 +16.0%
TouchableHighlight multiple-touchables-100 29.40ms 29.00ms ±3.47ms 1 +28.9%

Pressable

Scenario Mean Median StdDev Renders vs Baseline
Pressable mount 0.40ms 0.00ms ±0.52ms 1 +0.0%
Pressable unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Pressable rerender 0.50ms 0.50ms ±0.53ms 2 +0.0%
Pressable with-all-handlers 0.30ms 0.00ms ±0.48ms 1 +0.0%
Pressable with-style-function 0.40ms 0.00ms ±0.52ms 1 +0.0%
Pressable disabled 0.40ms 0.00ms ±0.52ms 1 +0.0%
Pressable with-hit-slop 0.30ms 0.00ms ±0.48ms 1 +0.0%
Pressable nested 0.70ms 1.00ms ±0.48ms 1 +0.0%
Pressable multiple-10 4.07ms 4.00ms ±0.96ms 1 +33.3%
Pressable multiple-50 18.00ms 18.00ms ±3.48ms 1 +28.6%
Pressable multiple-100 18.80ms 15.00ms ±11.09ms 1 +25.0%

Modal

Scenario Mean Median StdDev Renders vs Baseline
Modal mount 0.40ms 0.00ms ±0.52ms 1 +0.0%
Modal unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
Modal rerender 0.50ms 0.50ms ±0.53ms 2 +Infinity%
Modal slide-animation 0.50ms 0.50ms ±0.53ms 1 +Infinity%
Modal fade-animation 0.80ms 0.50ms ±1.23ms 1 +Infinity%
Modal transparent 0.30ms 0.00ms ±0.48ms 1 +0.0%
Modal with-callbacks 0.20ms 0.00ms ±0.42ms 1 +0.0%
Modal rich-content 1.90ms 2.00ms ±1.20ms 1 +0.0%
Modal with-accessibility 0.30ms 0.00ms ±0.48ms 1 +0.0%

Image

Scenario Mean Median StdDev Renders vs Baseline
Image mount 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Image rerender 0.10ms 0.00ms ±0.32ms 2 +0.0%
Image with-resize-mode 0.10ms 0.00ms ±0.32ms 1 +0.0%
Image with-border-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image with-tint-color 0.10ms 0.00ms ±0.32ms 1 +0.0%
Image with-blur-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image with-accessibility 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image multiple-10 1.07ms 1.00ms ±0.26ms 1 +0.0%
Image multiple-50 4.27ms 4.00ms ±1.33ms 1 +33.3%
Image multiple-100 10.40ms 10.00ms ±2.67ms 1 +25.0%

ActivityIndicator

Scenario Mean Median StdDev Renders vs Baseline
ActivityIndicator mount 0.10ms 0.00ms ±0.32ms 1 +0.0%
ActivityIndicator unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
ActivityIndicator rerender 0.30ms 0.00ms ±0.48ms 2 +0.0%
ActivityIndicator size-large 0.00ms 0.00ms ±0.00ms 1 +0.0%
ActivityIndicator size-small 0.20ms 0.00ms ±0.42ms 1 +0.0%
ActivityIndicator with-color 0.10ms 0.00ms ±0.32ms 1 +0.0%
ActivityIndicator not-animating 0.00ms 0.00ms ±0.00ms 1 +0.0%
ActivityIndicator with-accessibility 0.10ms 0.00ms ±0.32ms 1 +0.0%
ActivityIndicator multiple-10 1.27ms 1.00ms ±0.46ms 1 +0.0%
ActivityIndicator multiple-50 4.40ms 4.00ms ±1.55ms 1 +0.0%
ActivityIndicator multiple-100 8.73ms 8.00ms ±2.31ms 1 +14.3%

Switch

Scenario Mean Median StdDev Renders vs Baseline
Switch mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Switch rerender 0.10ms 0.00ms ±0.32ms 2 -100.0%
Switch value-true 0.40ms 0.00ms ±0.52ms 1 +0.0%
Switch disabled 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch custom-colors 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch on-value-change 0.20ms 0.00ms ±0.42ms 1 +0.0%
Switch with-accessibility 0.20ms 0.00ms ±0.42ms 1 +0.0%
Switch multiple-10 1.73ms 2.00ms ±0.46ms 1 +0.0%
Switch multiple-50 10.60ms 10.00ms ±2.64ms 1 +11.1%
Switch multiple-100 20.20ms 21.00ms ±3.73ms 1 +31.3%

Button

Scenario Mean Median StdDev Renders vs Baseline
Button mount 0.70ms 1.00ms ±0.48ms 1 +0.0%
Button unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Button rerender 1.20ms 1.00ms ±1.14ms 2 +0.0%
Button disabled 0.60ms 1.00ms ±0.52ms 1 +0.0%
Button with-color 0.50ms 0.50ms ±0.53ms 1 +0.0%
Button with-accessibility 0.60ms 1.00ms ±0.52ms 1 +0.0%
Button multiple-10 8.33ms 9.00ms ±2.32ms 1 +50.0%
Button multiple-50 25.87ms 28.00ms ±10.74ms 1 +3.7%
Button multiple-100 24.13ms 19.00ms ±12.63ms 1 +0.0%

TextInput

Scenario Mean Median StdDev Renders vs Baseline
TextInput mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
TextInput unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
TextInput rerender 0.30ms 0.00ms ±0.48ms 2 +0.0%
TextInput multiline 0.10ms 0.00ms ±0.32ms 1 +0.0%
TextInput with-value 0.10ms 0.00ms ±0.32ms 1 +0.0%
TextInput styled 0.20ms 0.00ms ±0.42ms 1 +0.0%
TextInput multiple-100 8.80ms 8.00ms ±2.37ms 1 +14.3%

View

Scenario Mean Median StdDev Renders vs Baseline
View mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
View unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
View rerender 0.30ms 0.00ms ±0.48ms 2 +0.0%
View nested-50 4.07ms 4.00ms ±1.62ms 1 +33.3%
View nested-100 9.47ms 9.00ms ±2.29ms 1 +28.6%
View shadow 0.20ms 0.00ms ±0.42ms 1 +0.0%
View border-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
View nested-500 19.93ms 12.00ms ±15.25ms 1 +20.0%

Text

Scenario Mean Median StdDev Renders vs Baseline
Text mount 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Text rerender 0.20ms 0.00ms ±0.42ms 2 +0.0%
Text long-1000 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text nested 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text styled 0.30ms 0.00ms ±0.48ms 1 +0.0%
Text multiple-100 9.67ms 9.00ms ±2.89ms 1 +28.6%

SectionList.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
SectionList native mount 5.49ms 5.31ms ±0.77ms 1 -18.3%

FlatList.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
FlatList native mount 5.19ms 4.94ms ±0.73ms 1 -46.5%

TouchableHighlight.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TouchableHighlight native mount 1.52ms 1.48ms ±0.23ms 1 -29.3%

TouchableOpacity.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TouchableOpacity native mount 1.77ms 1.63ms ±0.29ms 1 -48.1%

Pressable.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Pressable native mount 1.60ms 1.58ms ±0.17ms 1 -37.0%

ScrollView.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
ScrollView native mount 3.82ms 3.94ms ±0.49ms 1 -2.8%

ActivityIndicator.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
ActivityIndicator native mount 1.34ms 1.32ms ±0.09ms 1 -46.7%

TextInput.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TextInput native mount 2.17ms 2.08ms ±0.22ms 1 -49.0%

Switch.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Switch native mount 1.44ms 1.41ms ±0.21ms 1 -18.8%

Button.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Button native mount 1.99ms 1.86ms ±0.28ms 1 -28.4%

Modal.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Modal native mount 1.14ms 1.08ms ±0.21ms 1 -11.4%

Image.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Image native mount 1.95ms 1.81ms ±0.33ms 1 -19.7%

View.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
View native mount 1.14ms 1.12ms ±0.16ms 1 -21.3%

Text.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Text native mount 1.59ms 1.43ms ±0.52ms 1 -17.6%

Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.7.13 to 0.8.13.
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.7.13...0.8.13)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@vmoroz vmoroz force-pushed the dependabot/npm_and_yarn/xmldom/xmldom-0.8.13 branch from dd1eb0c to 58699e2 Compare April 23, 2026 21:59
@vmoroz vmoroz enabled auto-merge (squash) April 23, 2026 21:59