Release notes for 3.0.1 to 4.0.1 #266

Closed
donhcd opened this issue Dec 9, 2022 · 3 comments
Comments

@donhcd
Contributor

donhcd commented Dec 9, 2022

I'd like to upgrade my version but I'm a bit nervous - why was the major version bumped?

@mcab
Member

mcab commented Dec 9, 2022

The explicit version bumps house the messages. I'll try to be clearer on the merge.

3.0.1: fca725b

Bumping up xmlbuilder to xmlbuilder2 revealed some differences in XML building.

This fixes create_metadata() to output correctly given these new changes.

3.1.0: c197310

4.0.0: cfb5ce4

Updates some dependencies.

Closes [...].

From #261 (comment):

  • xml-encryption was bumped up to ^2.0.0, which drops support for Node 8, and uses native crypto functions. Any user still on Node 8 will be unable to use 4.x and onwards.
  • @xmldom/xmldom was bumped up to ^0.8.3. This has a security fix for prototype pollution and other cases, but more critically, changes how normalization and serialization of XML documents occur. This can potentially affect the parsing of XML documents, but shouldn't affect the majority of cases.
  • xml-crypto was bumped up to ^3.0.0, which uses @xmldom/xmldom's 0.8.3. If you don't find issues with xmldom parsing, you should be fine.

4.0.1: fe30eee

Addresses GHSA-crh6-fp67-6883 [1] by updating @xmldom/xmldom explicitly,
and other dependencies that use such.

[1] GHSA-crh6-fp67-6883
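The comment above lists minimum versions for three XML-handling dependencies and notes that xml-crypto pins its own copy of @xmldom/xmldom, so a nested, older copy can survive an upgrade of the top-level one. The following script is an added example (it is not part of the project, the issue, or any of the maintainer's commits) that walks the `packages` map of an npm lockfile, including nested `node_modules` paths, and reports every resolved copy that falls below the versions named in the comment. The lockfile fragment is constructed for illustration; the semver comparison is deliberately minimal (MAJOR.MINOR.PATCH only, pre-release tags ignored).

```javascript
// Added example, not project code: audit an npm lockfile (lockfileVersion 2/3)
// for the minimum dependency versions named in the release notes above.

// Minimums taken from the comment: xml-encryption ^2.0.0, @xmldom/xmldom ^0.8.3,
// xml-crypto ^3.0.0. Only the lower bound is checked here.
const MINIMUM_VERSIONS = {
  "@xmldom/xmldom": "0.8.3",
  "xml-crypto": "3.0.0",
  "xml-encryption": "2.0.0",
};

// Parse "MAJOR.MINOR.PATCH" into three numbers; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Lockfile keys look like "node_modules/xml-crypto/node_modules/@xmldom/xmldom";
// the package name is everything after the last "node_modules/" segment,
// which keeps the "@scope/" prefix intact.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every resolved copy of every package and report those below the minimum.
// Nested copies are reported separately, since each is a distinct install.
function auditLockfile(lock, minimums = MINIMUM_VERSIONS) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry has no package name
    const name = packageNameFromPath(lockPath);
    const minimum = minimums[name];
    if (!minimum || !entry || !entry.version) continue;
    if (compareVersions(entry.version, minimum) < 0) {
      findings.push({ name, path: lockPath, version: entry.version, minimum });
    }
  }
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample: the top-level xmldom is new enough, but xml-crypto is still 2.x
// and carries its own older xmldom underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@xmldom/xmldom": { version: "0.8.6" },
    "node_modules/xml-encryption": { version: "2.0.0" },
    "node_modules/xml-crypto": { version: "2.1.5" },
    "node_modules/xml-crypto/node_modules/@xmldom/xmldom": { version: "0.7.9" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.path}: ${f.version} is below minimum ${f.minimum}`);
  }
}
```

Run against a real `package-lock.json` the script prints one line per offending install path; an empty result means every copy, nested or not, is at or above the versions the maintainer called out.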

@mcab mcab closed this as completed Dec 9, 2022
@mcab
Member

mcab commented Dec 9, 2022

In short, a lot of dependencies around XML parsing normalization were updated, especially critical dependencies that handle decryption and parsing. Major bumps might be overkill, but it's possible people are still using this on Node <10, and I wanted to not break things for those users.

@donhcd
Contributor Author

donhcd commented Dec 9, 2022

Thanks a ton for the summary @mcab! Good to know where they are now :)

@mcab mcab changed the title are there any release notes? what happened between 3.0.1->4.0.1? Release notes for 3.0.1 to 4.0.1 Dec 9, 2022
@mcab mcab pinned this issue Dec 9, 2022