selparsecss-selector 2.0.0 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +2 -2
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
package/README.md
CHANGED
|
@@ -47,7 +47,7 @@ Please see [API.md](API.md).
|
|
|
47
47
|
|
|
48
48
|
The parser walks the selector AST recursively, both when parsing and when
|
|
49
49
|
serializing it back to a string (`.toString()`). In versions up to and
|
|
50
|
-
including `2.
|
|
50
|
+
including `2.1.0`, a selector with extreme nesting — for example thousands of
|
|
51
51
|
nested `:not(...)` — could recurse deeply enough to overflow the call stack and
|
|
52
52
|
throw `RangeError: Maximum call stack size exceeded`, a potential
|
|
53
53
|
denial-of-service when processing untrusted CSS.
|
|
@@ -66,7 +66,7 @@ parsed CSS, so a malicious selector cannot change it:
|
|
|
66
66
|
|
|
67
67
|
```js
|
|
68
68
|
// Tighten the limit when parsing untrusted input:
|
|
69
|
-
|
|
69
|
+
selparser().processSync(untrustedSelector, {maxNestingDepth: 128});
|
|
70
70
|
```
|
|
71
71
|
|
|
72
72
|
Raising `maxNestingDepth` to a very large value is an explicit, informed choice
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "selparsecss-selector",
|
|
3
3
|
"description": "A lightweight CSS selector parser providing built-in methods to parse, transform, and work with selector strings.",
|
|
4
|
-
"version": "2.
|
|
4
|
+
"version": "2.1.0",
|
|
5
5
|
"devDependencies": {
|
|
6
6
|
"oxfmt": "^0.54.0",
|
|
7
7
|
"oxlint": "^1.69.0",
|