nuxtlog icon indicating copy to clipboard operation
nuxtlog copied to clipboard

Published 20 hours ago verified publisher icon HugoRCD

Update dependency sitemap to v9

Open renovate[bot] opened this issue 3 weeks ago • 2 comments

This PR contains the following updates:

Package Change Age Confidence
sitemap ^8.0.0 -> ^9.0.0 age confidence

Release Notes

ekalinin/sitemap.js (sitemap)

v9.0.0

Compare Source

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]
Dropped Node.js < 20 Support
  • Node.js >=20.19.5 now required (previously >=14.0.0)
  • npm >=10.8.2 now required (previously >=6.0.0)
  • Dropped support for Node.js 14, 16, and 18
ESM Conversion with Dual Package Support

  • Package now uses "type": "module" in package.json

  • Built as dual ESM/CJS package with conditional exports

  • Import paths in ESM require .js extensions (TypeScript will add these automatically)

  • Both ESM and CommonJS imports continue to work:

    // ESM (new default)
import { SitemapStream } from 'sitemap'

// CommonJS (still supported)
const { SitemapStream } = require('sitemap')

  • CLI remains ESM-only at dist/esm/cli.js

Build Output Changes
  • ESM output: dist/esm/ (was dist/)
  • CJS output: dist/cjs/ (new)
  • TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)
Node.js Modernization
  • All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
  • Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
  • TypeScript target updated to ES2023 (from ES2022)
New Exports

The following validation functions and constants are now part of the public API:

Validation Functions (from lib/validation.js):

  • validateURL(), validatePath(), validateLimit(), validatePublicBasePath(), validateXSLUrl()
  • Type guards: isPriceType(), isResolution(), isValidChangeFreq(), isValidYesNo(), isAllowDeny()
  • validators - object containing regex validators for all sitemap fields

Constants (from lib/constants.js):

  • LIMITS - security limits object (max URL length, max items per sitemap, video/news/image constraints, etc.)
  • DEFAULT_SITEMAP_ITEM_LIMIT - default items per sitemap file (45,000)

New Type Export:

  • SimpleSitemapAndIndexOptions interface now exported
Features
Comprehensive Security Validation

  • Parser Security (#​461): Added resource limits and comprehensive validation to sitemap index parser and stream

    • Max 50K URLs per sitemap, 1K images, 100 videos per entry
    • String length limits on all fields
    • URL validation (http/https only, max 2048 chars)
    • Protocol injection prevention (blocks javascript:, data:, file:, ftp:)
    • Path traversal prevention (blocks .. sequences)

  • Stream Validation (#​456, #​455, #​454): Added comprehensive validation to all stream classes

    • Enhanced XML entity escaping (including > character)
    • Attribute name validation
    • Date format validation (ISO 8601)
    • Input validation for numbers (reject NaN/Infinity), dates (check Invalid Date)
    • XSL URL validation to prevent script injection
    • Custom namespace validation (max 20 namespaces, max 512 chars each)

  • XML Generation Security (#​457): Comprehensive validation and documentation in sitemap-xml

    • Safe XML attribute and element generation
    • Protection against XML injection attacks
Robustness Improvements
  • Sitemap Item Stream (#​453): Improved robustness and type safety
  • Sitemap Index Stream (#​449): Enhanced robustness and test coverage
  • Sitemap Index Parser (#​448): Improved error handling and robustness
  • Code Quality (#​458): Comprehensive security and code quality improvements across codebase
Fixes
  • Fixed TS151002 warning and test race condition (#​455)
  • Improved sitemap-item-stream robustness and type safety (#​453)
  • Enhanced sitemap-index-stream error handling (#​449)
  • Improved sitemap-index-parser error handling (#​448)
  • Fixed coverage reporting (#​399, #​434)
  • Fixed invalid XML regex for better performance (#​437, #​417)
  • Improved normalizeURL performance (#​416)
Refactoring
  • Architecture Reorganization (#​460): Consolidated constants and validation
    • Created lib/constants.ts - single source of truth for all shared constants
    • Created lib/validation.ts - centralized all validation logic and type guards
    • Eliminated duplicate constants and validation code across files
    • Prevents inconsistencies where different files used different values
Infrastructure
Build System
  • Dual ESM/CJS build with separate TypeScript configurations
    • tsconfig.json - ESM build (NodeNext module resolution)
    • tsconfig.cjs.json - CJS build (CommonJS module)
  • Build outputs package.json with "type": "commonjs" to dist/cjs/
  • Test infrastructure converted to ESM
  • Updated Jest configuration for ESM support
Testing
  • Converted to ts-jest for better TypeScript support (#​434)
  • All 172+ tests passing with 91%+ code coverage
  • Enhanced security-focused test coverage
  • Performance tests converted to .mjs format
Dependencies
  • Updated sax from ^1.2.4 to ^1.4.1
  • Updated @types/node from ^17.0.5 to ^24.7.2
  • Removed unused dependencies (#​459)
  • Updated all dev dependencies to latest versions
  • Replaced babel-based test setup with ts-jest
Developer Experience
  • Updated examples to ESM syntax in README (#​452)
  • Updated API documentation for accuracy and ESM syntax (#​452)
  • Added comprehensive CLAUDE.md with architecture documentation
  • Improved ESLint and Prettier integration
  • Updated git hooks with Husky 9.x
Upgrade Guide for 9.0.0
1. Update Node.js Version

Ensure you are running Node.js >=20.19.5 and npm >=10.8.2:

node --version  # Should be 20.19.5 or higher
npm --version   # Should be 10.8.2 or higher
2. Update Package
npm install [email protected]
3. Import Syntax (No Changes Required for Most Users)

Both ESM and CommonJS imports continue to work:

// ESM - works the same as before
import { SitemapStream, streamToPromise } from 'sitemap'

// CommonJS - works the same as before
const { SitemapStream, streamToPromise } = require('sitemap')

Note: If you're importing from the package in an ESM context, the module resolution happens automatically. If you're directly importing library files (not recommended), you'll need .js extensions.

4. Existing Code Compatibility
  • All existing valid data continues to work unchanged
  • Public API is fully compatible - same classes, methods, and options
  • Stream behavior unchanged - all streaming patterns continue to work
  • Error handling unchanged - ErrorLevel.WARN default behavior maintained
  • ⚠️ Invalid data may now be rejected due to enhanced security validation
    • URLs must be http/https protocol (no javascript:, data:, etc.)
    • String lengths enforced per sitemaps.org spec
    • Resource limits enforced (50K URLs, 1K images, 100 videos per entry)
5. TypeScript Users
  • Update tsconfig.json if needed to support ES2023
  • Type definitions are now at dist/esm/index.d.ts (automatically resolved by package.json exports)
  • No changes needed to your TypeScript code
6. New Optional Features

You can now import validation utilities and constants if needed:

import { LIMITS, validateURL, validators } from 'sitemap'

// Check limits
console.log(LIMITS.MAX_URL_LENGTH) // 2048

// Validate URLs
const url = validateURL('https://example.com/page')

// Use validators
if (validators['video:rating'].test('4.5')) {
  // valid rating
}

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Nov 08 '25 19:11 renovate[bot]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: bun.lockb
Command failed: bun install --ignore-scripts
Resolving dependencies
Resolved, downloaded and extracted [6]
warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"

warn: incorrect peer dependency "[email protected]"
error: GET https://registry.npmjs.org/blanked/-/blanked-0.0.18.tgz - 404

renovate[bot] avatar Nov 08 '25 19:11 renovate[bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
nuxtlog Error Error Nov 8, 2025 7:42pm

vercel[bot] avatar Nov 08 '25 19:11 vercel[bot]