@federicocarboni/saxe

v0.8.0

Light-weight and efficient SAX-style XML parser

Downloads

42

Readme

Saxe

Light-weight and efficient SAX-style XML parser for JavaScript.

Goals

  • Full XML 1.0 and Namespaces in XML 1.0 standard conformance
  • Simple and terse API
  • Reduced code footprint
  • Set a base for other standards built on XML (e.g. XHTML)

Non-Goals

  • XML DTD validation
  • Full DOM implementation
  • Syntax error tolerance
  • Source code analysis or LSP features

XML 1.1 and Namespaces in XML 1.1

XML 1.1 and Namespaces in XML 1.1 are not supported. Documents declaring version 1.1 are parsed as XML 1.0, so features exclusive to version 1.1 are not recognized.

Modern UTF-8 web content is exclusively XML 1.0, which makes XML 1.1 and its namespaces mostly irrelevant.

XML 1.1 is used almost exclusively in legacy or specialized contexts where its niche features and better EBCDIC support might be useful. See XML - Wikipedia § Versions 1.0 and 1.1.

Example

import {SaxParser} from "@federicocarboni/saxe";

const parser = new SaxParser({
  startTag(name, attributes) {
    // Start tag: example
    // Start tag: empty-tag [attr, value]
    console.log("Start tag:", name, ...attributes);
  },
  endTag(name) {
    // End tag: example
    // End tag: empty-tag
    console.log("End tag:", name);
  },
  text(content) {
    // Text: Hello, world!
    console.log("Text:", content);
  },
});
parser.parse("<example>Hello, world!", {stream: true});
parser.parse(`<empty-tag attr="value" />`, {stream: true});
parser.parse("</example>");

Runtime Support

  • Basic XML parsing: any ES2017 runtime. For older runtimes transpiling and polyfilling should be enough.

Document Type Declaration

Many[^1] JavaScript XML parsers simplify handling of the internal DTD subset by either not checking it for well-formedness or ignoring its declarations.

Internal DTD subset parsing is required even for non-validating[^2] processors, and this parser implements the entire specification:

  • The internal DTD subset is parsed and checked for well-formedness.
  • ATTLIST declarations are recognized to apply normalization and default values to attributes.
  • ENTITY declarations are recognized to expand entity references.

This process has security implications, so DTD processing is not on by default and must be enabled by configuring SaxOptions.dtd.

External markup declarations and external entities are not required for non-validating[^2] processors and are explicitly not supported.

Security

XML parsers may be subject to a number of possible vulnerabilities. The most common attacks exploit external entity resolution and entity expansion.

This parser is strictly non-validating, so by design it should not be vulnerable to any XXE[^3] based attack. Additionally, the length of strings collected during parsing is capped to limit the efficacy of other denial-of-service attacks[^4].

Following OWASP recommendations, DTD processing is prohibited by default.

new SaxParser(handler, {
  // Reject any DOCTYPE declaration
  dtd: "prohibit", // default
  // Alternatively, allow it but ignore any declarations
  // dtd: "ignore",

  // Enforce stricter limits over strings and values
  // collected during parsing.
  maxAttributesLength: 10000,
  maxElementDepth: 30,
  maxEntityDepth: 5,
  maxEntityLength: 1000,
  maxNameLength: 500,
  maxTextLength: 10000,
})

Known XML bombs are tested for as part of regular integration tests, and the parser is fuzz tested regularly. Even so, for very sensitive or security-oriented apps you may want to conduct your own security audit.
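
To make the entity caps above concrete, this added example (not saxe's code and not part of its README) measures how large each internal general entity would become, without building the expanded string, and rejects the subset when a limit is exceeded. The limit names come from the options shown above; their exact semantics inside saxe, the helper names (parseEntityDecls, measure, checkSubset) and the sample inputs are assumptions made for illustration.

```javascript
// Limit names mirror the options above; their semantics in saxe are assumed.
const LIMITS = { maxEntityDepth: 5, maxEntityLength: 1000 };
const PREDEFINED = new Set(["lt", "gt", "amp", "apos", "quot"]);
const REF = /&([A-Za-z_][\w.-]*);/g; // simplified Name; char refs count as text
// Simplified scanner: collects only <!ENTITY name "value"> declarations.
function parseEntityDecls(subset) {
  const decls = new Map();
  const re = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  for (const m of subset.matchAll(re))
    if (!decls.has(m[1])) decls.set(m[1], m[2] ?? m[3]); // first declaration binds
  return decls;
}

// Expanded length and nesting height of &name;, computed without building it.
function measure(name, decls, limits, stack, memo) {
  if (PREDEFINED.has(name)) return { length: 1, height: 0 };
  if (stack.includes(name)) throw new Error(`recursive entity reference: ${name}`);
  if (!decls.has(name)) throw new Error(`undeclared entity: ${name}`);
  const cached = memo.get(name), depth = stack.length + (cached ? cached.height : 1);
  if (depth > limits.maxEntityDepth) throw new Error(`${name} exceeds maxEntityDepth`);
  if (cached) return cached;
  const value = decls.get(name), info = { length: 0, height: 1 };
  let last = 0;
  for (const m of value.matchAll(REF)) {
    const child = measure(m[1], decls, limits, [...stack, name], memo);
    info.length += m.index - last + child.length;
    info.height = Math.max(info.height, child.height + 1);
    last = m.index + m[0].length;
    if (info.length > limits.maxEntityLength) break; // stop early, reject below
  }
  info.length += value.length - last;
  if (info.length > limits.maxEntityLength) throw new Error(`${name} exceeds maxEntityLength`);
  memo.set(name, info);
  return info;
}

// Measures every declared entity; returns { ok, sizes } or { ok, reason }.
function checkSubset(subset, limits = LIMITS) {
  const decls = parseEntityDecls(subset), memo = new Map(), sizes = {};
  try {
    for (const [name] of decls) sizes[name] = measure(name, decls, limits, [], memo).length;
    return { ok: true, sizes };
  } catch (err) { return { ok: false, reason: err.message }; }
}

// Constructed samples (not from the page): benign subset, small nested chain.
const BENIGN = `<!ENTITY co "Example Corp"><!ENTITY sig "&co; &amp; partners">`;
const ten = (n) => `&${n};`.repeat(10);
const NESTED = `<!ENTITY a "${"x".repeat(20)}"><!ENTITY b "${ten("a")}"><!ENTITY c "${ten("b")}">`;
```

Memoising each entity's length and height keeps the check linear in the size of the declarations, so the check itself cannot be driven into exponential work by the input it is screening.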

[^1]: Other JavaScript XML parsers inspected include isaacs/sax-js, NaturalIntelligence/fast-xml-parser and lddubeau/saxes.

[^2]: Non-validating XML processors (parsers) do not validate documents, but must still recognize and report well-formedness (syntax) errors. Non-validating processors are not required to fetch and parse external markup declarations and external entities. XML Standard § 5.1 Validating and Non-Validating Processors

[^3]: XML External Entity (XXE) Processing | OWASP Foundation

[^4]: XML Denial of Service Attacks and Defenses | Microsoft Learn

License

Licensed under the Apache License, Version 2.0. See the LICENSE file for details.