Security Patch Release
This release backports comprehensive security fixes from 9.0.0 to the 8.0.x branch. Upgrading is strongly recommended for all 8.0.0 users.
Backward Compatibility
- 100% API compatible with 8.0.0
- No breaking changes
- All existing valid inputs continue to work
- Only rejects invalid/malicious inputs
Security Fixes
High Priority:
- XML Injection Prevention (XSS protection via enhanced escaping)
- Protocol Injection Prevention (blocks javascript:, data:, file: URLs)
- Path Traversal Prevention (blocks .. sequences)
- Command Injection Fix (xmllint security hardening)
Medium Priority:
- DoS Protection (resource limits, memory exhaustion prevention)
- Input Validation (comprehensive validation for all user inputs)
- XSS Prevention (XSL URL validation)
Infrastructure:
- Added centralized security limits and validation framework
- Enhanced error handling with comprehensive error reporting
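To make the three input-validation categories above concrete, here is an added illustration in JavaScript of what such checks look like; it is not the package's own code, and the function names and the `item` shape are assumptions.

```javascript
// Added illustration of the fix categories named in this release.
// Not the package's own implementation; names here are assumptions.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape the five XML special characters so user text cannot break out of
// an element body or an attribute value (the "enhanced escaping" item).
function escapeXml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only http(s) absolute URLs; relative references stay allowed.
// The WHATWG URL parser lower-cases the scheme and strips leading
// whitespace plus embedded tabs/newlines, so "JavaScript:" and
// "java\tscript:" still resolve to the blocked "javascript:" scheme.
function isSafeUrl(value) {
  const raw = String(value).trim();
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    // No parsable scheme: accept it as relative only if it does not
    // begin with a scheme-like prefix.
    return !/^[a-z][a-z0-9+.-]*:/i.test(raw);
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Reject any ".." path segment, after percent-decoding, with either
// separator, so "%2e%2e/" cannot slip past a literal ".." check.
function hasPathTraversal(value) {
  let decoded = String(value);
  try { decoded = decodeURIComponent(decoded); } catch { /* keep raw */ }
  return decoded.split(/[\\/]/).includes('..');
}

// Validate one constructed feed item: escape its title, check its link
// scheme, and refuse traversal in a stylesheet path.
function validateItem(item) {
  const errors = [];
  if (!isSafeUrl(item.url)) errors.push(`blocked URL scheme: ${item.url}`);
  if (hasPathTraversal(item.xslPath)) errors.push(`path traversal: ${item.xslPath}`);
  return { ok: errors.length === 0, errors, title: escapeXml(item.title) };
}
```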
Dependencies Updated
- sax: ^1.2.4 → ^1.4.1
Testing
- All 94 tests passing
- TypeScript compilation successful
- ESLint clean
Installation
npm install [email protected]
See CHANGELOG.md for complete details.
Generated with Claude Code