From 5842a686b27b44be4b3a971284325b8ce31ebee9 Mon Sep 17 00:00:00 2001
From: le king fu
Date: Fri, 24 Apr 2026 07:13:40 -0400
Subject: [PATCH] fix(security): override @xmldom/xmldom to ^0.8.13
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves 4 HIGH CVE in the xmldom transitive dep chain (Expo CLI + xcode/plist). Not runtime-exploitable in APK (build-time deps only) but cleaned for audit hygiene.

- GHSA-2v35-w6hq-6mfw (DoS — uncontrolled recursion in XML serialization)
- GHSA-f6ww-3ggp-fr8h (XML injection via DOCTYPE serialization)
- GHSA-x6wf-f3px-wcqx (XML injection via processing instruction serialization)
- GHSA-j759-j44w-7fr8 (XML injection via comment serialization)

Refs #74

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 6 +++---
 package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 038d706..e660541 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3816,9 +3816,9 @@
 }
 },
 "node_modules/@xmldom/xmldom": {
- "version": "0.8.12",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.12.tgz",
- "integrity": "sha512-9k/gHF6n/pAi/9tqr3m3aqkuiNosYTurLLUtc7xQ9sxB/wm7WPygCv8GYa6mS0fLJEHhqMC1ATYhz++U/lRHqg==",
+ "version": "0.8.13",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.13.tgz",
+ "integrity": "sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==",
 "license": "MIT",
 "engines": {
 "node": ">=10.0.0"
diff --git a/package.json b/package.json
index 9b73159..0200e82 100644
--- a/package.json
+++ b/package.json
@@ -64,7 +64,8 @@
 "typescript": "~5.9.2"
 },
 "overrides": {
- "esbuild": "^0.25.0"
+ "esbuild": "^0.25.0",
+ "@xmldom/xmldom": "^0.8.13"
 },
 "private": true
 }
-- 
2.45.2
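Review bot: The new `"@xmldom/xmldom": "^0.8.13"` entry in `"overrides"` forces every transitive consumer onto that range, and package.json cannot carry a comment, so the reason for the override and the condition for removing it are recorded only in this commit message and #74. The package-lock.json hunk shows a single `node_modules/@xmldom/xmldom` entry moving from 0.8.12 to 0.8.13, which suggests no other declared range is being overridden today, but that is an inference from one hunk and should be rechecked whenever Expo CLI, xcode or plist change their own xmldom requirement, since an override keeps winning silently even if a consumer later wants a different major. Confirming after install with `npm ls @xmldom/xmldom` that only the 0.8.13 copy resolves would make the audit claim verifiable rather than assumed. The enclosing top-level object of package.json starts outside the hunk.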