deps: upgrade to sax v1.5.0

Author: SethFalco

.github/workflows/publish.yml

@@ -0,0 +1,34 @@
+on:
+  release:
+    types: [created]
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 16
+          registry-url: https://registry.npmjs.org
+      - run: yarn install
+      - run: |
+          VERSION=$(jq -r .version <package.json)
+          if [[ "$VERSION" = *"-rc."* ]]; then
+            yarn npm publish --access public --tag rc
+          else
+            LATEST_VERSION="$(gh release view --json tagName -q '.tagName' --repo ${{ github.repository }})"
+            if [[ "${{ github.ref_name }}" = "$LATEST_VERSION" ]]; then
+              yarn npm publish --access public
+            else
+              MAJOR="$(awk -F '.' '{ print $1 }' <<< "$VERSION")"
+              yarn npm publish --access public --tag "v$MAJOR"
+            fi
+          fi

.yarn/patches/sax-npm-1.5.0-d40bca2226.patch

@@ -0,0 +1,137 @@
+diff --git a/lib/sax.js b/lib/sax.js
+index d35adf1a319b7f064d7a7e43c46630ed5ef587ff..4c5a08844f3be4ddceb12285d3fd133213dcc7e0 100644
+--- a/lib/sax.js
++++ b/lib/sax.js
+@@ -4,8 +4,6 @@
+     return new SAXParser(strict, opt)
+   }
+   sax.SAXParser = SAXParser
+-  sax.SAXStream = SAXStream
+-  sax.createStream = createStream
+ 
+   // When we pass the MAX_BUFFER_LENGTH position, start checking for buffer overruns.
+   // When we check, schedule the next check for MAX_BUFFER_LENGTH - (max(buffer lengths)),
+@@ -191,123 +189,6 @@
+     },
+   }
+ 
+-  var Stream
+-  try {
+-    Stream = require('stream').Stream
+-  } catch (ex) {
+-    Stream = function () {}
+-  }
+-  if (!Stream) Stream = function () {}
+-
+-  var streamWraps = sax.EVENTS.filter(function (ev) {
+-    return ev !== 'error' && ev !== 'end'
+-  })
+-
+-  function createStream(strict, opt) {
+-    return new SAXStream(strict, opt)
+-  }
+-
+-  function SAXStream(strict, opt) {
+-    if (!(this instanceof SAXStream)) {
+-      return new SAXStream(strict, opt)
+-    }
+-
+-    Stream.apply(this)
+-
+-    this._parser = new SAXParser(strict, opt)
+-    this.writable = true
+-    this.readable = true
+-
+-    var me = this
+-
+-    this._parser.onend = function () {
+-      me.emit('end')
+-    }
+-
+-    this._parser.onerror = function (er) {
+-      me.emit('error', er)
+-
+-      // if didn't throw, then means error was handled.
+-      // go ahead and clear error, so we can write again.
+-      me._parser.error = null
+-    }
+-
+-    this._decoder = null
+-
+-    streamWraps.forEach(function (ev) {
+-      Object.defineProperty(me, 'on' + ev, {
+-        get: function () {
+-          return me._parser['on' + ev]
+-        },
+-        set: function (h) {
+-          if (!h) {
+-            me.removeAllListeners(ev)
+-            me._parser['on' + ev] = h
+-            return h
+-          }
+-          me.on(ev, h)
+-        },
+-        enumerable: true,
+-        configurable: false,
+-      })
+-    })
+-  }
+-
+-  SAXStream.prototype = Object.create(Stream.prototype, {
+-    constructor: {
+-      value: SAXStream,
+-    },
+-  })
+-
+-  SAXStream.prototype.write = function (data) {
+-    if (
+-      typeof Buffer === 'function' &&
+-      typeof Buffer.isBuffer === 'function' &&
+-      Buffer.isBuffer(data)
+-    ) {
+-      if (!this._decoder) {
+-        this._decoder = new TextDecoder('utf8')
+-      }
+-      data = this._decoder.decode(data, { stream: true })
+-    }
+-
+-    this._parser.write(data.toString())
+-    this.emit('data', data)
+-    return true
+-  }
+-
+-  SAXStream.prototype.end = function (chunk) {
+-    if (chunk && chunk.length) {
+-      this.write(chunk)
+-    }
+-    // Flush any remaining decoded data from the TextDecoder
+-    if (this._decoder) {
+-      var remaining = this._decoder.decode()
+-      if (remaining) {
+-        this._parser.write(remaining)
+-        this.emit('data', remaining)
+-      }
+-    }
+-    this._parser.end()
+-    return true
+-  }
+-
+-  SAXStream.prototype.on = function (ev, handler) {
+-    var me = this
+-    if (!me._parser['on' + ev] && streamWraps.indexOf(ev) !== -1) {
+-      me._parser['on' + ev] = function () {
+-        var args =
+-          arguments.length === 1 ?
+-            [arguments[0]]
+-          : Array.apply(null, arguments)
+-        args.splice(0, 0, ev)
+-        me.emit.apply(me, args)
+-      }
+-    }
+-
+-    return Stream.prototype.on.call(me, ev, handler)
+-  }
+-
+   // this really needs to be replaced with character classes.
+   // XML allows all manner of ridiculous numbers and digits.
+   var CDATA = '[CDATA['

lib/parser.js

@@ -12,8 +12,7 @@
  * @typedef {import('./types').XastParent} XastParent
  */
 
-// @ts-ignore sax will be replaced with something else later
-const SAX = require('@trysound/sax');
+const SAX = require('sax');
 const JSAPI = require('./svgo/jsAPI.js');
 const { textElems } = require('../plugins/_collections.js');
 
@@ -82,6 +81,7 @@ const config = {
   lowercase: true,
   xmlns: true,
   position: true,
+  unparsedEntities: true,
 };
 
 /**
@@ -113,9 +113,6 @@ const parseSvg = (data, from) => {
     return wrapped;
   };
 
-  /**
-   * @type {(doctype: string) => void}
-   */
   sax.ondoctype = (doctype) => {
     /**
      * @type {XastDoctype}
@@ -183,9 +180,6 @@ const parseSvg = (data, from) => {
     pushToContent(node);
   };
 
-  /**
-   * @type {(data: { name: string, attributes: Record<string, { value: string }>}) => void}
-   */
   sax.onopentag = (data) => {
     /**
      * @type {XastElement}
@@ -204,9 +198,6 @@ const parseSvg = (data, from) => {
     stack.push(element);
   };
 
-  /**
-   * @type {(text: string) => void}
-   */
   sax.ontext = (text) => {
     if (current.type === 'element') {
       // prevent trimming of meaningful whitespace inside textual tags
@@ -237,14 +228,12 @@ const parseSvg = (data, from) => {
     current = stack[stack.length - 1];
   };
 
-  /**
-   * @type {(e: any) => void}
-   */
   sax.onerror = (e) => {
+    const reason = e.message.split('\n')[0];
     const error = new SvgoParserError(
-      e.reason,
-      e.line + 1,
-      e.column,
+      reason,
+      sax.line + 1,
+      sax.column,
       data,
       from
     );

package.json

@@ -1,7 +1,7 @@
 {
   "packageManager": "yarn@2.4.3",
   "name": "svgo",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "description": "Nodejs-based tool for optimizing SVG vector graphics files",
   "license": "MIT",
   "keywords": [
@@ -100,12 +100,12 @@
     ]
   },
   "dependencies": {
-    "@trysound/sax": "0.2.0",
     "commander": "^7.2.0",
     "css-select": "^4.1.3",
     "css-tree": "^1.1.3",
     "csso": "^4.2.0",
     "picocolors": "^1.0.0",
+    "sax": "^1.5.0",
     "stable": "^0.1.8"
   },
   "devDependencies": {
@@ -115,6 +115,7 @@
     "@types/css-tree": "^1.0.6",
     "@types/csso": "^4.2.0",
     "@types/jest": "^27.0.1",
+    "@types/sax": "^1.2.7",
     "del": "^6.0.0",
     "eslint": "^7.32.0",
     "jest": "^27.2.5",
@@ -127,5 +128,8 @@
     "rollup-plugin-terser": "^7.0.2",
     "tar-stream": "^2.2.0",
     "typescript": "^4.4.3"
+  },
+  "resolutions": {
+    "sax@^1.5.0": "patch:sax@npm%3A1.5.0#./.yarn/patches/sax-npm-1.5.0-d40bca2226.patch"
   }
 }

test/regression-extract.js

@@ -39,7 +39,7 @@ const extractTarGz = async (url, baseDir, include) => {
     next();
   });
   const response = await fetch(url);
-  await pipeline(response.body, extract);
+  await pipeline(response.body, zlib.createGunzip(), extract);
 };
 
 (async () => {

test/svgo/billion-laughs-flat.svg

@@ -0,0 +1,23 @@
+const { readFile } = require('node:fs/promises');
+const path = require('path');
+const { optimize } = require('../../lib/svgo.js');
+
+describe('svgo', () => {
+  it('should throw on excessive expansion depth', async () => {
+    const original = await readFile(
+      path.join(__dirname, 'billion-laughs.svg'),
+      'utf-8',
+    );
+    const result = optimize(original);
+    expect(result.error).toMatch('Parsed entity depth exceeds max entity depth');
+  });
+
+  it('should throw on excessive expansion count', async () => {
+    const original = await readFile(
+      path.join(__dirname, 'billion-laughs-flat.svg'),
+      'utf-8',
+    );
+    const result = optimize(original);
+    expect(result.error).toMatch('Parsed entity count exceeds max entity count');
+  });
+});