@ts-graphviz/ast 3.0.4-next-6966a6699e87e2c74e7348aa6fdc2c50ae11b308 → 3.0.4-next-52e3f1ff58a77bf9bd9a0d0b6e29edb20e3700e5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @ts-graphviz/ast
2
2
 
3
- ## 3.0.4-next-6966a6699e87e2c74e7348aa6fdc2c50ae11b308
3
+ ## 3.0.4-next-52e3f1ff58a77bf9bd9a0d0b6e29edb20e3700e5
4
4
 
5
5
  ### Patch Changes
6
6
 
@@ -23,6 +23,10 @@
23
23
  **Breaking Changes:**
24
24
  None. This is a backward-compatible security fix with sensible defaults.
25
25
 
26
+ - [#1530](https://github.com/ts-graphviz/ts-graphviz/pull/1530) [`52e3f1f`](https://github.com/ts-graphviz/ts-graphviz/commit/52e3f1ff58a77bf9bd9a0d0b6e29edb20e3700e5) Thanks [@kamiazya](https://github.com/kamiazya)! - Clarify security model: GraphViz HTML-like labels vs browser HTML
27
+
28
+ Add documentation clarifying that HTML-like labels are part of the GraphViz DOT language specification and are not browser HTML. This helps prevent confusion about XSS risks, which occur when rendering GraphViz output in browsers, not when generating DOT strings.
29
+
26
30
  ## 3.0.3
27
31
 
28
32
  ### Patch Changes
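Review bot: the new entry (lines 26-29 of the hunk) states that XSS risk arises when rendering GraphViz output in a browser rather than when generating DOT strings, but does not say where a reader should look for guidance on that rendering step; the README change in this same release points to the validation guide in the `@ts-graphviz/adapter` documentation, so adding that pointer here would make the changelog entry actionable on its own. Also, as shown in the hunk the description paragraph `Add documentation clarifying that HTML-like labels ...` is not indented under its `- [#1530]` bullet; if that reflects the file, it will render as a separate top-level paragraph instead of the bullet's body.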
package/README.md CHANGED
@@ -80,7 +80,11 @@ const ast = parse(dotString, {
80
80
  });
81
81
  ```
82
82
 
83
- **Security Note**: The `maxHtmlNestingDepth` option limits the depth of nested HTML-like structures in DOT files to prevent stack overflow attacks. The default limit of 100 is sufficient for normal use cases (typically <10 levels). Increase this value only if you have legitimate deeply nested HTML structures.
83
+ **Security Note**:
84
+ - The `maxHtmlNestingDepth` option limits the depth of nested HTML-like structures in DOT files to prevent stack overflow attacks
85
+ - The default limit of 100 is sufficient for normal use cases (typically <10 levels)
86
+ - HTML-like labels are GraphViz DOT syntax, not browser HTML
87
+ - For processing untrusted DOT files, see the validation guide in `@ts-graphviz/adapter` documentation
84
88
 
85
89
  ### Generating DOT Language
86
90
 
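Review bot: the rewritten note drops the guidance `Increase this value only if you have legitimate deeply nested HTML structures.` that was in the removed line 83, so the bulleted version no longer tells readers when raising `maxHtmlNestingDepth` is appropriate; keep that sentence as a bullet. The last added bullet refers to "the validation guide in `@ts-graphviz/adapter` documentation" with no link or path, so a reader of this README cannot find it; add the URL or relative path. Minor: the first two bullets end without a period while the fourth reads as a full sentence; pick one style.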
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ts-graphviz/ast",
3
- "version": "3.0.4-next-6966a6699e87e2c74e7348aa6fdc2c50ae11b308",
3
+ "version": "3.0.4-next-52e3f1ff58a77bf9bd9a0d0b6e29edb20e3700e5",
4
4
  "description": "Graphviz AST(Abstract Syntax Tree) Utilities",
5
5
  "keywords": [],
6
6
  "homepage": "https://github.com/ts-graphviz/ts-graphviz#readme",