fix(security): override @xmldom/xmldom to ^0.8.13 (#74) #77

Merged
maximus merged 1 commit from fix/vuln-A-xmldom-override into master 2026-04-24 18:13:57 +00:00

1 commit

Author: le king fu
SHA1: 5842a686b2
Message:
fix(security): override @xmldom/xmldom to ^0.8.13
Resolves 4 HIGH CVEs in the xmldom transitive dep chain (Expo CLI + xcode/plist).
Not runtime-exploitable in APK (build-time deps only) but cleaned for audit hygiene.

- GHSA-2v35-w6hq-6mfw (DoS — uncontrolled recursion in XML serialization)
- GHSA-f6ww-3ggp-fr8h (XML injection via DOCTYPE serialization)
- GHSA-x6wf-f3px-wcqx (XML injection via processing instruction serialization)
- GHSA-j759-j44w-7fr8 (XML injection via comment serialization)

Refs #74

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Date: 2026-04-24 07:13:40 -04:00
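A check a maintainer could run after applying this override, written here as an added example (not code from the PR or the project): it reads an npm lockfile's "packages" map and flags any @xmldom/xmldom copy still below 0.8.13, which is the kind of nested transitive copy an override is meant to eliminate. The sample lockfile contents and the script name check-xmldom.js are constructed for illustration.

```javascript
// Added example, not the PR's own code: scan an npm lockfile (v2/v3
// "packages" map) for @xmldom/xmldom copies below 0.8.13, the floor the
// override in the commit above is meant to enforce. Sample data is constructed.
const FIXED_FLOOR = "0.8.13";

// The package.json override the commit describes (npm "overrides" field).
const PACKAGE_JSON_OVERRIDE = { overrides: { "@xmldom/xmldom": "^0.8.13" } };

// Constructed lockfile: a hoisted fixed copy plus an old copy still nested
// under a build-time dependency (xcode), as would happen without the override.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@xmldom/xmldom": { version: "0.8.13" },
    "node_modules/xcode/node_modules/@xmldom/xmldom": { version: "0.7.5" },
  },
};

// Numeric dotted-version comparison (pre-release tags ignored); <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile path holding @xmldom/xmldom below the floor; empty means clean.
function findVulnerableXmldom(lockfile, floor = FIXED_FLOOR) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/@xmldom/xmldom") || !entry.version) continue;
    if (compareVersions(entry.version, floor) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// CLI use on a real tree: node check-xmldom.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const hits = findVulnerableXmldom(lock);
  console.log(hits.length ? hits : `no @xmldom/xmldom below ${FIXED_FLOOR}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

A non-empty result after `npm install` means the override did not reach that nested copy and the lockfile still carries the affected version.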