
CLDR-19055 site:(deps): Bump sitemap from 9.0.0 to 9.0.1 in /docs/site #248

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docs/site/sitemap-9.0.1

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 1, 2026

Bumps sitemap from 9.0.0 to 9.0.1.

Release notes

Sourced from sitemap's releases.

9.0.1 — Security Patch

Security Fixes

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream parser
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when maxEntries limit is exceeded
  • Many thanks to @maru1009 for the report
Changelog

Sourced from sitemap's changelog.

9.0.1 — Security Patch

  • BB-01: Fix XML injection via unescaped xslUrl in stylesheet processing instruction — special characters (&, ", <, >) in the XSL URL are now escaped before being interpolated into the <?xml-stylesheet?> processing instruction
  • BB-02: Enforce 50,000 URL hard limit in XMLToSitemapItemStream — the parser now stops emitting items and emits an error when the limit is exceeded, rather than merely logging a warning
  • BB-03: Cap parser error array at 100 entries to prevent memory DoS — XMLToSitemapItemStream now tracks a separate errorCount and stops appending to the errors array beyond LIMITS.MAX_PARSER_ERRORS
  • BB-04: Reject absolute destinationDir paths in simpleSitemapAndIndex to prevent arbitrary file writes — passing an absolute path (e.g. /tmp/sitemaps) now throws immediately with a descriptive error
  • BB-05: parseSitemapIndex now destroys source and parser streams immediately when the maxEntries limit is exceeded, preventing unbounded memory consumption from large sitemap index files
Commits
  • 244f256 Merge pull request #477 from ekalinin/sec-fixes
  • 71718f3 chore: bump version to 9.0.1 and add changelog entry
  • d19d4c9 fix: destroy streams immediately on maxEntries breach in parseSitemapIndex (B...
  • 7ed774e fix: reject absolute destinationDir paths to prevent arbitrary write (BB-04)
  • dde5c5e fix: cap parser error collection to prevent memory DoS (BB-03)
  • 81df466 fix: enforce 50k URL limit in XMLToSitemapItemStream parser (BB-02)
  • 8a8e0b8 fix: prevent XML injection via unvalidated xslUrl in SitemapIndexStream
  • 723d8e7 Merge pull request #472 from ekalinin/dependabot/npm_and_yarn/express-5.2.0
  • b5138f1 Merge pull request #470 from ekalinin/dependabot/npm_and_yarn/glob-10.5.0
  • 52d9477 build(deps-dev): bump express from 5.1.0 to 5.2.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [sitemap](https://github.com/ekalinin/sitemap.js) from 9.0.0 to 9.0.1.
- [Release notes](https://github.com/ekalinin/sitemap.js/releases)
- [Changelog](https://github.com/ekalinin/sitemap.js/blob/master/CHANGELOG.md)
- [Commits](ekalinin/sitemap.js@9.0.0...9.0.1)

---
updated-dependencies:
- dependency-name: sitemap
  dependency-version: 9.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 1, 2026

dependabot Bot commented on behalf of github Mar 1, 2026

Assignees

The following users could not be added as assignees: btangmu, srl295. Either they do not exist or they do not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot deployed to cloudflare March 1, 2026 15:16 Active