@blamejs/core 0.15.67 → 0.15.68

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/xml-c14n.js CHANGED
@@ -186,7 +186,12 @@ function parse(xml) {
186
186
  });
187
187
  }
188
188
 
189
- function parseElement() {
189
+ function parseElement(depth) {
190
+ // Nesting-depth cap threaded through the recursion and enforced at
191
+ // entry, so deeply-nested untrusted XML is refused before it overflows
192
+ // the stack — a recursive-descent parser is otherwise a stack-
193
+ // exhaustion DoS on hostile SAML / WebDAV input.
194
+ if (depth > MAX_DEPTH) err("max nesting depth (" + MAX_DEPTH + ") exceeded");
190
195
  if (xml.charAt(pos) !== "<") err("expected '<'");
191
196
  pos += 1;
192
197
  var name = readName();
@@ -219,7 +224,6 @@ function parse(xml) {
219
224
  };
220
225
  if (selfClosing) return node;
221
226
 
222
- var depth = 0;
223
227
  var closeTag = "</" + name + ">";
224
228
  while (pos < xml.length) {
225
229
  if (xml.substr(pos, 4) === "<!--") {
@@ -241,12 +245,9 @@ function parse(xml) {
241
245
  // them for SAML.
242
246
  pos = endPi + 2;
243
247
  } else {
244
- depth += 1;
245
- if (depth > MAX_DEPTH) err("max nesting depth (" + MAX_DEPTH + ") exceeded");
246
- var child = parseElement();
248
+ var child = parseElement(depth + 1);
247
249
  child.parent = node;
248
250
  node.children.push(child);
249
- depth -= 1;
250
251
  }
251
252
  } else if (xml.charAt(pos) === "<" && xml.charAt(pos + 1) === "/") {
252
253
  // Closing tag
@@ -268,7 +269,7 @@ function parse(xml) {
268
269
 
269
270
  skipProlog();
270
271
  if (pos >= xml.length) err("no root element");
271
- var root = parseElement();
272
+ var root = parseElement(0);
272
273
  return root;
273
274
  }
274
275
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/core",
3
- "version": "0.15.67",
3
+ "version": "0.15.68",
4
4
  "description": "The Node framework that owns its stack.",
5
5
  "license": "Apache-2.0",
6
6
  "author": "blamejs contributors",
package/sbom.cdx.json CHANGED
@@ -2,10 +2,10 @@
2
2
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
3
3
  "bomFormat": "CycloneDX",
4
4
  "specVersion": "1.5",
5
- "serialNumber": "urn:uuid:926ac1ba-da85-48b2-b9f9-671502d7a33e",
5
+ "serialNumber": "urn:uuid:2faab286-8cf4-4f51-98ef-1e9c7cf54d9b",
6
6
  "version": 1,
7
7
  "metadata": {
8
- "timestamp": "2026-06-30T01:05:41.702Z",
8
+ "timestamp": "2026-07-03T00:33:37.868Z",
9
9
  "lifecycles": [
10
10
  {
11
11
  "phase": "build"
@@ -19,14 +19,14 @@
19
19
  }
20
20
  ],
21
21
  "component": {
22
- "bom-ref": "@blamejs/core@0.15.67",
22
+ "bom-ref": "@blamejs/core@0.15.68",
23
23
  "type": "application",
24
24
  "name": "blamejs",
25
- "version": "0.15.67",
25
+ "version": "0.15.68",
26
26
  "scope": "required",
27
27
  "author": "blamejs contributors",
28
28
  "description": "The Node framework that owns its stack.",
29
- "purl": "pkg:npm/%40blamejs/core@0.15.67",
29
+ "purl": "pkg:npm/%40blamejs/core@0.15.68",
30
30
  "properties": [],
31
31
  "externalReferences": [
32
32
  {
@@ -54,7 +54,7 @@
54
54
  "components": [],
55
55
  "dependencies": [
56
56
  {
57
- "ref": "@blamejs/core@0.15.67",
57
+ "ref": "@blamejs/core@0.15.68",
58
58
  "dependsOn": []
59
59
  }
60
60
  ]