Sourced from sitemap's releases.

9.0.1 — Security Patch

Security Fixes

• BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction
• BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream parser
• BB-03: Cap parser error array at 100 entries to prevent memory DoS
• BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes
• BB-05: parseSitemapIndex now destroys source and parser streams immediately when maxEntries limit is exceeded
• Many thanks to @​maru1009 For the report

9.0.0

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]

Dropped Node.js < 20 Support

• Node.js >=20.19.5 now required (previously >=14.0.0)
• npm >=10.8.2 now required (previously >=6.0.0)
• Dropped support for Node.js 14, 16, and 18

ESM Conversion with Dual Package Support

• Package now uses "type": "module" in package.json

• Built as dual ESM/CJS package with conditional exports

• Import paths in ESM require .js extensions (TypeScript will add these automatically)

• Both ESM and CommonJS imports continue to work:

  // ESM (new default)
  import { SitemapStream } from 'sitemap'
  // CommonJS (still supported)
  const { SitemapStream } = require('sitemap')
  

• CLI remains ESM-only at dist/esm/cli.js

Build Output Changes

• ESM output: dist/esm/ (was dist/)
• CJS output: dist/cjs/ (new)
• TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)

Node.js Modernization

• All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
• Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
• TypeScript target updated to ES2023 (from ES2022)

... (truncated)

Sourced from sitemap's changelog.

9.0.1 — Security Patch

• BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
• BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
• BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
• BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
• BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files

9.0.0 - 2025-11-01

This major release modernizes the package with ESM-first architecture, drops support for Node.js < 20, and includes comprehensive security and robustness improvements.

[BREAKING CHANGES]

Dropped Node.js < 20 Support

• Node.js >=20.19.5 now required (previously >=14.0.0)
• npm >=10.8.2 now required (previously >=6.0.0)
• Dropped support for Node.js 14, 16, and 18

ESM Conversion with Dual Package Support

• Package now uses "type": "module" in package.json

• Built as dual ESM/CJS package with conditional exports

• Import paths in ESM require .js extensions (TypeScript will add these automatically)

• Both ESM and CommonJS imports continue to work:

  // ESM (new default)
  import { SitemapStream } from 'sitemap'
  // CommonJS (still supported)
  const { SitemapStream } = require('sitemap')
  

• CLI remains ESM-only at dist/esm/cli.js

Build Output Changes

• ESM output: dist/esm/ (was dist/)
• CJS output: dist/cjs/ (new)
• TypeScript definitions: dist/esm/index.d.ts (was dist/index.d.ts)

Node.js Modernization

• All built-in Node.js modules now use node: protocol imports (node:stream, node:fs, etc.)
• Uses native promise-based pipeline from node:stream/promises (instead of promisify(pipeline))
• TypeScript target updated to ES2023 (from ES2022)

New Exports

... (truncated)

• 244f256 Merge pull request #477 from ekalinin/sec-fixes
• 71718f3 chore: bump version to 9.0.1 and add changelog entry
• d19d4c9 fix: destroy streams immediately on maxEntries breach in parseSitemapIndex (B...
• 7ed774e fix: reject absolute destinationDir paths to prevent arbitrary write (BB-04)
• dde5c5e fix: cap parser error collection to prevent memory DoS (BB-03)
• 81df466 fix: enforce 50k URL limit in XMLToSitemapItemStream parser (BB-02)
• 8a8e0b8 fix: prevent XML injection via unvalidated xslUrl in SitemapIndexStream
• 723d8e7 Merge pull request #472 from ekalinin/dependabot/npm_and_yarn/express-5.2.0
• b5138f1 Merge pull request #470 from ekalinin/dependabot/npm_and_yarn/glob-10.5.0
• 52d9477 build(deps-dev): bump express from 5.1.0 to 5.2.0
• Additional commits viewable in compare view

This version adds prepare script that runs during installation. Review the package contents before updating.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)