chore(deps): update dependency @expo/plist>@xmldom/xmldom to v0.9.10 #766

Closed
playerdata-bot wants to merge 2 commits into main from renovate-f069ba3da78001aca7299

@playerdata-bot
Contributor

This PR contains the following updates:

Package | Change | Age | Confidence
@expo/plist>@xmldom/xmldom | 0.8.13 → 0.9.10 | age | confidence

Release Notes

xmldom/xmldom (@​expo/plist>@​xmldom/xmldom)

v0.9.10

Compare Source

Fixed
  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
    • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
  • isEqualNode now correctly returns false for CDATASection nodes with different data
Deprecated
  • The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.
Chore
  • updated dependencies

Thank you,
@​Jvr2022,
@​praveen-kv,
@​TharVid,
@​decsecre583,
@​tlsbollei,
@​KarimTantawey,
for your contributions

v0.9.9

Compare Source

Added
  • implement ParentNode.children getter #960 / #410
Fixed
  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
  • correctly traverse ancestor chain in Node.contains #931

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore
  • updated dependencies

Thank you,
@​stevenobiajulu,
@​yoshi389111,
@​thesmartshadow,
for your contributions

v0.9.8

Compare Source

Fixed
  • fix: replace \u2029 as part of normalizeLineEndings #839 / #838
  • perf: speed up line detection #847 / #838
Chore
  • updated dependencies
  • drop jazzer and rxjs devDependencies #845

Thank you,
@​kboshold,
@​Ponynjaa,
for your contributions.

v0.9.7

Compare Source

Added
  • Implementation of hasAttributes #804
Fixed
  • locator is now true even when other options are being used for the DOMParser #802 / #803
  • allow case-insensitive DOCTYPE in HTML #817 / #819
Performance
  • simplify DOM.compareDocumentPosition #805
Chore
  • updated devDependencies

Thank you,
@​zorkow,
@​Ponynjaa,
@​WesselKroos,
for your contributions.

v0.9.6

Compare Source

Fixed
  • lower error level for unicode replacement character #790 / #794 / #797
Chore
  • updated devDependencies
  • migrate renovate config #792

Thank you, @​eglitise, for your contributions.

v0.9.5

Compare Source

Fixed
  • fix: re-index childNodes on insertBefore #763 / #766

Thank you,
@​mureinik,
for your contributions.

v0.9.4

Compare Source

Fixed
  • restore performance for large amount of child nodes #748 / #760
  • types: correct error handler level to warning (#​759) #754 / #759
Docs
  • test: verify BOM handling #758

Thank you,
@​luffynando,
@​mattiasw,
@​JoinerDev,
for your contributions.

v0.9.3

Compare Source

Fixed
  • restore more Node and ProcessingInstruction types #725 / #726
  • getElements* methods return LiveNodeList<Element> #731 / #734
  • Add more missing Node props #728, triggered by unclosed #724
Docs
Chore
  • updates devDependencies

Thank you,
@​Ponynjaa,
@​ayZagen,
@​sserdyuk,
@​wydengyre,
@​mykola-mokhnach,
@​benkroeger,
for your contributions.

v0.9.2

Compare Source

Feature
  • add Element.getElementsByClassName #722
Fixed
  • add missing types for Document.documentElement and Element.tagName #721 #720

Thank you, @​censujiang, @​Mathias-S, for your contributions

v0.9.1

Compare Source

v0.9.0

Compare Source

Features
  • feat: expose all DOM level 2 element prototypes #637 / #40
  • feat: add iterator function to NodeList and NamedNodeMap #634 / #633
Fixed
  • parse empty/whitespace only doctype internal subset #692
  • avoid prototype clash in namespace prefix #554
  • report fatalError when doctype is inside elements #550
Other
  • test: add fuzz target and regression tests #556
  • chore: improve .gitignore and provide .envrc.template #697
  • chore: Apply security best practices #546
  • ci: check test coverage in PRs #524
  • docs: add missing commas to readme #566
  • docs: click to copy install command in readme #644
  • docs: enhance jsdoc comments #511

Thank you, @​kboshold, @​edi9999, @​apupier,
@​shunkica, @​homer0, @​jhauga,
@​UdayKharatmol, for your contributions


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
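
The conditions the v0.9.10 notes list for requireWellFormed, plus the "]]>" check from the deprecation note, written out as a standalone pre-serialization validator. This is an added example, not code from this PR or from xmldom: wellFormedProblems, rejected and the plain-object node shape are hypothetical, and the DocumentType checks are derived from the XML 1.0 grammar rather than from xmldom's source.

```javascript
// Added example, not xmldom code. wellFormedProblems() is a hypothetical helper
// that applies the rules listed in the v0.9.10 notes to plain node descriptions.

// XML 1.0 Char production; with the `u` flag a lone surrogate does not match.
const XML_CHARS = /^[\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]*$/u;
// XML 1.0 PubidChar production (the characters allowed in a PubidLiteral).
const PUBID_CHARS = /^[\u0020\u000D\u000Aa-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;

// node: { type, data?, target?, publicId?, systemId?, internalSubset? }
// Returns the reasons the node could not be serialized as well-formed XML.
function wellFormedProblems(node) {
  const problems = [];
  const data = node.data ?? '';
  if (node.type === 'comment') {
    if (data.includes('--')) problems.push('comment data contains "--"');
    if (data.endsWith('-')) problems.push('comment data ends with "-"');
    if (!XML_CHARS.test(data)) problems.push('comment data has a non-XML character');
  } else if (node.type === 'pi') {
    const target = node.target ?? '';
    if (target.includes(':')) problems.push('PI target contains ":"');
    if (/^xml$/i.test(target)) problems.push('PI target is the reserved name "xml"');
    if (data.includes('?>')) problems.push('PI data contains "?>"');
    if (!XML_CHARS.test(data)) problems.push('PI data has a non-XML character');
  } else if (node.type === 'cdata') {
    if (data.includes(']]>')) problems.push('CDATA data contains "]]>"');
  } else if (node.type === 'doctype') {
    const systemId = node.systemId ?? '';
    if (!PUBID_CHARS.test(node.publicId ?? '')) problems.push('publicId is not a valid PubidLiteral');
    // A SystemLiteral is quoted with " or ', so it cannot contain both.
    if (systemId.includes('"') && systemId.includes("'")) problems.push('systemId is not a valid SystemLiteral');
    if ((node.internalSubset ?? '').includes(']>')) problems.push('internalSubset contains "]>"');
  }
  return problems;
}

// Constructed sample nodes, as they might look after holding untrusted input.
const SAMPLES = [
  { type: 'comment', data: 'build 42' },
  { type: 'comment', data: 'note --> <extra/>' },
  { type: 'pi', target: 'xml-stylesheet', data: 'href="a.xsl"?><x/>' },
  { type: 'cdata', data: 'a]]><b/>' },
];

// Keep only the samples that must be rejected before serialization.
function rejected(nodes) {
  return nodes.filter((n) => wellFormedProblems(n).length > 0);
}

console.log(rejected(SAMPLES).map((n) => `${n.type}: ${wellFormedProblems(n).join('; ')}`));
```
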

@playerdata-bot playerdata-bot added the dependencies Dependency upgrades label May 2, 2026
@playerdata-bot playerdata-bot enabled auto-merge (squash) May 2, 2026 11:50
@playerdata-bot playerdata-bot requested review from a team and ovanegeren May 2, 2026 12:26
@playerdata-bot playerdata-bot force-pushed the renovate-f069ba3da78001aca7299 branch from f46ac97 to f05fdf2 Compare May 4, 2026 18:40
@ovanegeren ovanegeren requested review from a team and Koalk and removed request for a team and ovanegeren May 6, 2026 10:55

xmldom 0.9.x requires a mimeType argument to DOMParser.parseFromString,
which @expo/plist (latest 0.6.0 still depends on ^0.8.8) does not pass,
breaking expo prebuild. Restrict renovate to <0.9.0 for this transitive.

@playerdata-bot
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@ball-hayden
Contributor

Closing — this upgrade breaks expo prebuild for iOS.

@xmldom/xmldom@0.9.x now requires a valid mimeType argument to DOMParser.parseFromString, but @expo/plist (parse.ts:72) still calls it without one:

TypeError: [ios.entitlements]: withIosEntitlementsBaseMod:
  DOMParser.parseFromString: the provided mimeType "undefined" is not valid.

The existing @expo/plist>@xmldom/xmldom override is pinned to 0.8.13 specifically to avoid 0.9.x. We can revisit once @expo/plist is updated upstream to pass a mimeType.

@ball-hayden ball-hayden closed this May 6, 2026
auto-merge was automatically disabled May 6, 2026 11:25

Pull request was closed

@playerdata-bot
Contributor Author

playerdata-bot commented May 6, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=0.8.13 <0.10.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@playerdata-bot playerdata-bot deleted the renovate-f069ba3da78001aca7299 branch May 6, 2026 11:54
4 participants