chore(deps-dev): bump sitemap from 8.0.0 to 8.0.1

[dependabot]

Bumps sitemap from 8.0.0 to 8.0.1.

Release notes

Sourced from sitemap's releases.

8.0.1 - Security Patch Release

🔒 Security Patch Release

This release backports comprehensive security fixes from 9.0.0 to the 8.0.x branch. Upgrading is strongly recommended for all 8.0.0 users.

✅ Backward Compatibility

• 100% API compatible with 8.0.0
• No breaking changes
• All existing valid inputs continue to work
• Only rejects invalid/malicious inputs

🛡️ Security Fixes

High Priority:

• XML Injection Prevention (XSS protection via enhanced escaping)
• Protocol Injection Prevention (blocks javascript:, data:, file: URLs)
• Path Traversal Prevention (blocks .. sequences)
• Command Injection Fix (xmllint security hardening)

Medium Priority:

• DoS Protection (resource limits, memory exhaustion prevention)
• Input Validation (comprehensive validation for all user inputs)
• XSS Prevention (XSL URL validation)

Infrastructure:

• Added centralized security limits and validation framework
• Enhanced error handling with comprehensive error reporting

📦 Dependencies Updated

• sax: ^1.2.4 → ^1.4.1

📊 Testing

• ✅ All 94 tests passing
• ✅ TypeScript compilation successful
• ✅ ESLint clean

📝 Installation

npm install sitemap@8.0.1

See CHANGELOG.md for complete details.

---

🤖 Generated with Claude Code

Changelog

Sourced from sitemap's changelog.

8.0.1 - Security Patch Release

SECURITY FIXES - This release backports comprehensive security patches from 9.0.0 to 8.0.x

Security Improvements

• XML Injection Prevention: Enhanced XML entity escaping, added > character escaping, attribute name validation
• Parser Security: Added resource limits (max 50K URLs, 1K images, 100 videos per sitemap), string length limits, URL validation (http/https only, max 2048 chars)
• Protocol Injection Prevention: Block dangerous protocols (javascript:, data:, file:, ftp:) in sitemap index parser
• DoS Protection: Memory exhaustion protection, URL length validation, date format validation (ISO 8601)
• Path Traversal Prevention: Block .. sequences in file paths
• Command Injection Fix: xmllint now uses stdin exclusively instead of file paths
• Input Validation: Comprehensive validation for all user inputs - numbers (reject NaN/Infinity), dates (check Invalid Date), URLs, paths
• XSS Prevention: XSL URL validation to prevent script injection
• Namespace Security: Custom namespace validation (max 20, max 512 chars each)

Infrastructure

• Added lib/constants.ts - Centralized security limits and constants
• Added lib/validation.ts - Comprehensive validation functions
• Added new security-related error classes

Backward Compatibility

• ✅ 100% API compatible with 8.0.0
• Added XMLToSitemapItemStream.error getter for backward compatibility (returns errors[0])
• All existing valid inputs continue to work
• Only rejects invalid/malicious inputs
• Default ErrorLevel.WARN behavior unchanged

Dependencies Updated

• sax: ^1.2.4 → ^1.4.1 (security updates)

Files Changed

17 files changed: 2,122 additions, 245 deletions

Testing

• All 94 existing tests passing
• No breaking changes to public API

Commits

• c3ead34 update package lock
• bf08e67 security: comprehensive security patches for 8.0.1
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 🤖 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success = build
  • check-success = lint
  • check-success = test
  • any of:
    • check-success = test-broken-links
    • label = ignore-broken-links
  • any of:
    • check-success=Cloudflare Pages
    • -head-repo-full-name~=^Mergifyio/

🟢 👀 Review Requirements

Wonderful, this rule succeeded.

• any of:
  • author = dependabot[bot]
  • #approved-reviews-by >= 2
  • author = mergify-ci-bot

🟢 Changelog requirements

Wonderful, this rule succeeded.

• any of:
  • -title ~= ^feat
  • label = need changelog
  • label = skip changelog

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= .{48,}