
Update dependency sitemap to v9#111

Open
renovate[bot] wants to merge 1 commit into main from renovate/sitemap-9.x

Conversation

@renovate renovate bot commented Feb 20, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
sitemap | ^7.1.2 → ^9.0.0 | (badge) | (badge)

Release Notes

ekalinin/sitemap.js (sitemap)

v9.0.1

Compare Source

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files

v9.0.0

Compare Source

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]
Dropped Node.js < 20 Support
  • Node.js >=20.19.5 now required (previously >=14.0.0)
  • npm >=10.8.2 now required (previously >=6.0.0)
  • Dropped support for Node.js 14, 16, and 18
ESM Conversion with Dual Package Support
  • Package now uses "type": "module" in package.json

  • Built as dual ESM/CJS package with conditional exports

  • Import paths in ESM require .js extensions (TypeScript will add these automatically)

  • Both ESM and CommonJS imports continue to work:

    // ESM (new default)
    import { SitemapStream } from 'sitemap'
    
    // CommonJS (still supported)
    const { SitemapStream } = require('sitemap')
  • CLI remains ESM-only at dist/esm/cli.js

Build Output Changes
  • ESM output: dist/esm/ (was dist/)
  • CJS output: dist/cjs/ (new)
  • TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)
Node.js Modernization
  • All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
  • Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
  • TypeScript target updated to ES2023 (from ES2022)
New Exports

The following validation functions and constants are now part of the public API:

Validation Functions (from lib/validation.js):

  • validateURL(), validatePath(), validateLimit(), validatePublicBasePath(), validateXSLUrl()
  • Type guards: isPriceType(), isResolution(), isValidChangeFreq(), isValidYesNo(), isAllowDeny()
  • validators - object containing regex validators for all sitemap fields

Constants (from lib/constants.js):

  • LIMITS - security limits object (max URL length, max items per sitemap, video/news/image constraints, etc.)
  • DEFAULT_SITEMAP_ITEM_LIMIT - default items per sitemap file (45,000)

New Type Export:

  • SimpleSitemapAndIndexOptions interface now exported
Features
Comprehensive Security Validation
  • Parser Security (#461): Added resource limits and comprehensive validation to sitemap index parser and stream

    • Max 50K URLs per sitemap, 1K images, 100 videos per entry
    • String length limits on all fields
    • URL validation (http/https only, max 2048 chars)
    • Protocol injection prevention (blocks javascript:, data:, file:, ftp:)
    • Path traversal prevention (blocks .. sequences)
  • Stream Validation (#456, #455, #454): Added comprehensive validation to all stream classes

    • Enhanced XML entity escaping (including > character)
    • Attribute name validation
    • Date format validation (ISO 8601)
    • Input validation for numbers (reject NaN/Infinity), dates (check Invalid Date)
    • XSL URL validation to prevent script injection
    • Custom namespace validation (max 20 namespaces, max 512 chars each)
  • XML Generation Security (#457): Comprehensive validation and documentation in sitemap-xml

    • Safe XML attribute and element generation
    • Protection against XML injection attacks
Robustness Improvements
  • Sitemap Item Stream (#453): Improved robustness and type safety
  • Sitemap Index Stream (#449): Enhanced robustness and test coverage
  • Sitemap Index Parser (#448): Improved error handling and robustness
  • Code Quality (#458): Comprehensive security and code quality improvements across codebase
Fixes
  • Fixed TS151002 warning and test race condition (#455)
  • Improved sitemap-item-stream robustness and type safety (#453)
  • Enhanced sitemap-index-stream error handling (#449)
  • Improved sitemap-index-parser error handling (#448)
  • Fixed coverage reporting (#399, #434)
  • Fixed invalid XML regex for better performance (#437, #417)
  • Improved normalizeURL performance (#416)
Refactoring
  • Architecture Reorganization (#460): Consolidated constants and validation
    • Created lib/constants.ts - single source of truth for all shared constants
    • Created lib/validation.ts - centralized all validation logic and type guards
    • Eliminated duplicate constants and validation code across files
    • Prevents inconsistencies where different files used different values
Infrastructure
Build System
  • Dual ESM/CJS build with separate TypeScript configurations
    • tsconfig.json - ESM build (NodeNext module resolution)
    • tsconfig.cjs.json - CJS build (CommonJS module)
  • Build outputs package.json with "type": "commonjs" to dist/cjs/
  • Test infrastructure converted to ESM
  • Updated Jest configuration for ESM support
Testing
  • Converted to ts-jest for better TypeScript support (#434)
  • All 172+ tests passing with 91%+ code coverage
  • Enhanced security-focused test coverage
  • Performance tests converted to .mjs format
Dependencies
  • Updated sax from ^1.2.4 to ^1.4.1
  • Updated @types/node from ^17.0.5 to ^24.7.2
  • Removed unused dependencies (#459)
  • Updated all dev dependencies to latest versions
  • Replaced babel-based test setup with ts-jest
Developer Experience
  • Updated examples to ESM syntax in README (#452)
  • Updated API documentation for accuracy and ESM syntax (#452)
  • Added comprehensive CLAUDE.md with architecture documentation
  • Improved ESLint and Prettier integration
  • Updated git hooks with Husky 9.x
Upgrade Guide for 9.0.0
1. Update Node.js Version

Ensure you are running Node.js >=20.19.5 and npm >=10.8.2:

node --version  # Should be 20.19.5 or higher
npm --version   # Should be 10.8.2 or higher
2. Update Package
npm install sitemap@9.0.0
3. Import Syntax (No Changes Required for Most Users)

Both ESM and CommonJS imports continue to work:

// ESM - works the same as before
import { SitemapStream, streamToPromise } from 'sitemap'

// CommonJS - works the same as before
const { SitemapStream, streamToPromise } = require('sitemap')

Note: If you're importing from the package in an ESM context, the module resolution happens automatically. If you're directly importing library files (not recommended), you'll need .js extensions.

4. Existing Code Compatibility
  • All existing valid data continues to work unchanged
  • Public API is fully compatible - same classes, methods, and options
  • Stream behavior unchanged - all streaming patterns continue to work
  • Error handling unchanged - ErrorLevel.WARN default behavior maintained
  • ⚠️ Invalid data may now be rejected due to enhanced security validation
    • URLs must be http/https protocol (no javascript:, data:, etc.)
    • String lengths enforced per sitemaps.org spec
    • Resource limits enforced (50K URLs, 1K images, 100 videos per entry)
5. TypeScript Users
  • Update tsconfig.json if needed to support ES2023
  • Type definitions are now at dist/esm/index.d.ts (automatically resolved by package.json exports)
  • No changes needed to your TypeScript code
6. New Optional Features

You can now import validation utilities and constants if needed:

import { LIMITS, validateURL, validators } from 'sitemap'

// Check limits
console.log(LIMITS.MAX_URL_LENGTH) // 2048

// Validate URLs
const url = validateURL('https://example.com/page')

// Use validators
if (validators['video:rating'].test('4.5')) {
  // valid rating
}

v8.0.3 — Security Patch

Compare Source

8.0.3 — Security Patch

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files
  • Many thanks to @maru1009 for the report

v8.0.2

Compare Source

Bug Fixes
  • fix #464: Support xsi:schemaLocation in custom namespaces - thanks @dzakki
    • Extended custom namespace validation to accept namespace-qualified attributes (like xsi:schemaLocation) in addition to xmlns declarations
    • The validation regex now matches both xmlns:prefix="uri" and prefix:attribute="value" patterns
    • Enables proper W3C schema validation while maintaining security validation for malicious content
    • Added comprehensive tests including security regression tests
Example Usage

The following now works correctly (as documented in README):

const sms = new SitemapStream({
  xmlns: {
    custom: [
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
      'xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"'
    ]
  }
});
Testing
  • ✅ All existing tests passing
  • ✅ 8 new tests added covering positive and security scenarios
  • ✅ 100% backward compatible with 8.0.1
Files Changed

2 files changed: 144 insertions, 5 deletions

v8.0.1

Compare Source

SECURITY FIXES - This release backports comprehensive security patches from 9.0.0 to 8.0.x

Security Improvements
  • XML Injection Prevention: Enhanced XML entity escaping, added > character escaping, attribute name validation
  • Parser Security: Added resource limits (max 50K URLs, 1K images, 100 videos per sitemap), string length limits, URL validation (http/https only, max 2048 chars)
  • Protocol Injection Prevention: Block dangerous protocols (javascript:, data:, file:, ftp:) in sitemap index parser
  • DoS Protection: Memory exhaustion protection, URL length validation, date format validation (ISO 8601)
  • Path Traversal Prevention: Block .. sequences in file paths
  • Command Injection Fix: xmllint now uses stdin exclusively instead of file paths
  • Input Validation: Comprehensive validation for all user inputs - numbers (reject NaN/Infinity), dates (check Invalid Date), URLs, paths
  • XSS Prevention: XSL URL validation to prevent script injection
  • Namespace Security: Custom namespace validation (max 20, max 512 chars each)
Infrastructure
  • Added lib/constants.ts - Centralized security limits and constants
  • Added lib/validation.ts - Comprehensive validation functions
  • Added new security-related error classes
Backward Compatibility
  • 100% API compatible with 8.0.0
  • Added XMLToSitemapItemStream.error getter for backward compatibility (returns errors[0])
  • All existing valid inputs continue to work
  • Only rejects invalid/malicious inputs
  • Default ErrorLevel.WARN behavior unchanged
Dependencies Updated
  • sax: ^1.2.4 → ^1.4.1 (security updates)
Files Changed

17 files changed: 2,122 additions, 245 deletions

Testing
  • All 94 existing tests passing
  • No breaking changes to public API

v8.0.0

Compare Source

v7.1.3 — Security Patch

Compare Source

7.1.3 — Security Patch

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction (stylesheetInclude now escapes &, ", <, >)
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — parser stops emitting items instead of only logging a warning
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes
  • BB-05: parseSitemapIndex now accepts a maxEntries limit (default 50,000) and destroys source/parser streams immediately on breach
  • Many thanks to @maru1009 for the report

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/sitemap-9.x branch from f2db7cc to 8851b6d on February 28, 2026 06:40
@renovate renovate bot force-pushed the renovate/sitemap-9.x branch from 8851b6d to fbbdeac on March 13, 2026 12:43