webdav - npm Package Compare versions

Comparing version 5.1.0 to 5.2.0

CHANGELOG.md

 # WebDAV-Client changelog
 
+## v5.2.0
+_2023-06-18_
+
+ * [#344](https://github.com/perry-mitchell/webdav-client/pull/344) Upgrade `fast-xml-parser` to new major (v4)
+ * **Bugfix**:
+   * [#336](https://github.com/perry-mitchell/webdav-client/issues/336) `fast-xml-parser` vulnerability
+
 ## v5.1.0
@@ -4,0 +11,0 @@ _2023-05-29_

dist/node/tools/dav.js

 import path from "path-posix";
-import xmlParser from "fast-xml-parser";
+import { XMLParser } from "fast-xml-parser";
 import nestedProp from "nested-property";
@@ -47,13 +47,18 @@ import { decodeHTMLEntities } from "./encode.js";
 }
+function getParser() {
+    return new XMLParser({
+        removeNSPrefix: true,
+        numberParseOptions: {
+            hex: true,
+            leadingZeros: false
+        }
+        // // We don't use the processors here as decoding is done manually
+        // // later on - decoding early would break some path checks.
+        // attributeValueProcessor: val => decodeHTMLEntities(decodeURIComponent(val)),
+        // tagValueProcessor: val => decodeHTMLEntities(decodeURIComponent(val))
+    });
+}
 export function parseXML(xml) {
     return new Promise(resolve => {
-        const result = xmlParser.parse(xml, {
-            arrayMode: false,
-            ignoreNameSpace: true,
-            parseTrueNumberOnly: true
-            // // We don't use the processors here as decoding is done manually
-            // // later on - decoding early would break some path checks.
-            // attrValueProcessor: val => decodeHTMLEntities(decodeURIComponent(val)),
-            // tagValueProcessor: val => decodeHTMLEntities(decodeURIComponent(val))
-        });
+        const result = getParser().parse(xml);
         resolve(normaliseResult(result));
@@ -60,0 +65,0 @@ });

dist/node/tools/xml.js

@@ -1,4 +0,4 @@
-import xmlParser, { j2xParser as XMLParser } from "fast-xml-parser";
+import { XMLParser, XMLBuilder } from "fast-xml-parser";
 export function generateLockXML(ownerHREF) {
-    return getParser().parse(namespace({
+    return getBuilder().build(namespace({
         lockinfo: {
@@ -18,10 +18,17 @@ "@_xmlns:d": "DAV:",
 }
-function getParser() {
-    return new XMLParser({
+function getBuilder() {
+    return new XMLBuilder({
         attributeNamePrefix: "@_",
         format: true,
         ignoreAttributes: false,
-        supressEmptyNode: true
+        suppressEmptyNode: true
     });
 }
+function getParser() {
+    return new XMLParser({
+        removeNSPrefix: true,
+        parseAttributeValue: true,
+        parseTagValue: true
+    });
+}
 function namespace(obj, ns) {
@@ -45,8 +52,3 @@ const copy = { ...obj };
 export function parseGenericResponse(xml) {
-    return xmlParser.parse(xml, {
-        arrayMode: false,
-        ignoreNameSpace: true,
-        parseAttributeValue: true,
-        parseNodeValue: true
-    });
+    return getParser().parse(xml);
 }

package.json

 {
   "name": "webdav",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "description": "WebDAV client for NodeJS",
@@ -68,3 +68,3 @@ "exports": {
     "byte-length": "^1.0.2",
-    "fast-xml-parser": "^3.19.0",
+    "fast-xml-parser": "^4.2.4",
     "he": "^1.2.0",
@@ -71,0 +71,0 @@ "hot-patcher": "^2.0.0",

README.md

@@ -5,3 +5,3 @@ ![WebDAV](https://raw.githubusercontent.com/perry-mitchell/webdav-client/master/webdav.jpg)
 
-![build status](https://github.com/perry-mitchell/webdav-client/actions/workflows/test.yml/badge.svg) [![npm version](https://badge.fury.io/js/webdav.svg)](https://www.npmjs.com/package/webdav) [![monthly downloads](https://img.shields.io/npm/dm/webdav.svg)](https://www.npmjs.com/package/webdav) [![total downloads](https://img.shields.io/npm/dt/webdav.svg?label=total%20downloads)](https://www.npmjs.com/package/webdav)
+![build status](https://github.com/perry-mitchell/webdav-client/actions/workflows/test.yml/badge.svg) [![npm version](https://badge.fury.io/js/webdav.svg)](https://www.npmjs.com/package/webdav) [![monthly downloads](https://img.shields.io/npm/dm/webdav.svg)](https://www.npmjs.com/package/webdav) [![total downloads](https://img.shields.io/npm/dt/webdav.svg?label=total%20downloads)](https://www.npmjs.com/package/webdav) ![Dependents (via libraries.io)](https://img.shields.io/librariesio/dependents/npm/webdav)
 
@@ -62,3 +62,3 @@ ## About
 
-// will both work fine in supported bundlers
+// both work fine in supported bundlers
 ```
@@ -65,0 +65,0 @@

No alert changes

Improved metrics

Total package byte prevSize

220065

increased by4.72%

Lines of code

1674

increased by0.42%

Dependency changes

• + Addedfast-xml-parser@4.5.3(transitive)

• - Removedfast-xml-parser@3.21.1(transitive)

• Updatedfast-xml-parser@^4.2.4