Sourced from sitemap's releases.

9.0.0

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]

Dropped Node.js < 20 Support

• Node.js >=20.19.5 now required (previously >=14.0.0)
• npm >=10.8.2 now required (previously >=6.0.0)
• Dropped support for Node.js 14, 16, and 18

ESM Conversion with Dual Package Support

• Package now uses "type": "module" in package.json

• Built as dual ESM/CJS package with conditional exports

• Import paths in ESM require .js extensions (TypeScript will add these automatically)

• Both ESM and CommonJS imports continue to work:

  // ESM (new default)
  import { SitemapStream } from 'sitemap'
  // CommonJS (still supported)
  const { SitemapStream } = require('sitemap')
  

• CLI remains ESM-only at dist/esm/cli.js

Build Output Changes

• ESM output: dist/esm/ (was dist/)
• CJS output: dist/cjs/ (new)
• TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)

Node.js Modernization

• All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
• Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
• TypeScript target updated to ES2023 (from ES2022)

New Exports

The following validation functions and constants are now part of the public API:

Validation Functions (from lib/validation.js):

• validateURL(), validatePath(), validateLimit(), validatePublicBasePath(), validateXSLUrl()
• Type guards: isPriceType(), isResolution(), isValidChangeFreq(), isValidYesNo(), isAllowDeny()
• validators - object containing regex validators for all sitemap fields

... (truncated)

Sourced from sitemap's changelog.

9.0.0 - 2025-11-01

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]

Dropped Node.js < 20 Support

• Node.js >=20.19.5 now required (previously >=14.0.0)
• npm >=10.8.2 now required (previously >=6.0.0)
• Dropped support for Node.js 14, 16, and 18

ESM Conversion with Dual Package Support

• Package now uses "type": "module" in package.json

• Built as dual ESM/CJS package with conditional exports

• Import paths in ESM require .js extensions (TypeScript will add these automatically)

• Both ESM and CommonJS imports continue to work:

  // ESM (new default)
  import { SitemapStream } from 'sitemap'
  // CommonJS (still supported)
  const { SitemapStream } = require('sitemap')
  

• CLI remains ESM-only at dist/esm/cli.js

Build Output Changes

• ESM output: dist/esm/ (was dist/)
• CJS output: dist/cjs/ (new)
• TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)

Node.js Modernization

• All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
• Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
• TypeScript target updated to ES2023 (from ES2022)

New Exports

The following validation functions and constants are now part of the public API:

Validation Functions (from lib/validation.js):

• validateURL(), validatePath(), validateLimit(), validatePublicBasePath(), validateXSLUrl()
• Type guards: isPriceType(), isResolution(), isValidChangeFreq(), isValidYesNo(), isAllowDeny()
• validators - object containing regex validators for all sitemap fields

... (truncated)

• a45eab9 release 9.0.0
• 7538ef3 Merge pull request #466 from ekalinin/bump-deps
• 833df66 bump deps
• 218a31d Merge pull request #465 from ekalinin/backport/8.0.2-xsi-schemaLocation-fix
• d8c4ea3 fix #464: backport xsi:schemaLocation support from 8.0.2 to master
• f5b352a Merge pull request #463 from ekalinin/changelog-9.0.0
• 60d4434 docs: add comprehensive 9.0.0 changelog with upgrade guide
• ba7cd65 Merge pull request #462 from ekalinin/changelog-update
• 7a713b2 forward-port changelog
• 4e390f6 Merge pull request #461 from ekalinin/security/sitemap-index-validation
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)