fix(security): override @xmldom/xmldom to ^0.8.13
Resolves 4 HIGH CVE in the xmldom transitive dep chain (Expo CLI + xcode/plist). Not runtime-exploitable in APK (build-time deps only) but cleaned for audit hygiene. - GHSA-2v35-w6hq-6mfw (DoS — uncontrolled recursion in XML serialization) - GHSA-f6ww-3ggp-fr8h (XML injection via DOCTYPE serialization) - GHSA-x6wf-f3px-wcqx (XML injection via processing instruction serialization) - GHSA-j759-j44w-7fr8 (XML injection via comment serialization) Refs #74 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
le king fu
parent
8a0cc97018
commit
5842a686b2
2 changed files with 5 additions and 4 deletions
6
package-lock.json
generated
6
package-lock.json
generated
|
|
@ -3816,9 +3816,9 @@
|
|||
}
|
||||
},
|
||||
"node_modules/@xmldom/xmldom": {
|
||||
"version": "0.8.12",
|
||||
"resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.12.tgz",
|
||||
"integrity": "sha512-9k/gHF6n/pAi/9tqr3m3aqkuiNosYTurLLUtc7xQ9sxB/wm7WPygCv8GYa6mS0fLJEHhqMC1ATYhz++U/lRHqg==",
|
||||
"version": "0.8.13",
|
||||
"resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.13.tgz",
|
||||
"integrity": "sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==",
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": ">=10.0.0"
|
||||
|
|
|
|||
|
|
@ -64,7 +64,8 @@
|
|||
"typescript": "~5.9.2"
|
||||
},
|
||||
"overrides": {
|
||||
"esbuild": "^0.25.0"
|
||||
"esbuild": "^0.25.0",
|
||||
"@xmldom/xmldom": "^0.8.13"
|
||||
},
|
||||
"private": true
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue