


yushen
36a4526960 MUL-2690 fix(deps): force @xmldom/xmldom to ^0.8.13 via pnpm overrides
Pin @xmldom/xmldom to ^0.8.13 in `pnpm.overrides` so every transitive
resolution (currently @expo/plist@0.5.3 and plist@3.1.0, both pulled
through expo) ships a patched build. All four lockfile entries move
from 0.8.12 to 0.8.13.

Closes the four high-severity advisories pnpm audit reports against
the prior 0.8.12 resolution:
- GHSA-2v35-w6hq-6mfw — uncontrolled recursion in serialization (DoS)
- GHSA-f6ww-3ggp-fr8h — XML injection via DocumentType serialization
- GHSA-x6wf-f3px-wcqx — node injection via processing-instruction
- GHSA-j759-j44w-7fr8 — node injection via comment serialization

Using `pnpm.overrides` (not a root direct dep) keeps the transitive
fix scoped to the dependency graph and avoids implying that the
multica codebase consumes xmldom directly.

Verification: `pnpm audit --prod --audit-level high` no longer lists
any @xmldom/xmldom advisories on this branch.

Co-authored-by: multica-agent <github@multica.ai>
2026-05-26 17:08:02 +08:00
2 changed files with 15 additions and 13 deletions


@@ -35,7 +35,8 @@
],
"overrides": {
"@types/react": "catalog:",
"@types/react-dom": "catalog:"
"@types/react-dom": "catalog:",
"@xmldom/xmldom": "^0.8.13"
}
},
"devDependencies": {
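Review bot: The added override `"@xmldom/xmldom": "^0.8.13"` is a caret range on a 0.x package, which semver resolves to >=0.8.13 <0.9.0 only, so if a later fix for this dependency ships solely in a 0.9.x or 1.x line the override will hold the whole graph on 0.8.x and `pnpm audit` will flag it again until this entry is revisited; that may be intended, but it is worth stating. JSON has no comment syntax, so the reason for the override — the four advisories and the two transitive dependents (@expo/plist, plist) named in the commit message — lives only in git history; consider recording it in the repository's dependency notes together with the condition for removing the override (once those dependents no longer resolve to a vulnerable xmldom on their own). The `pnpm audit --prod --audit-level high` run cited as verification is a one-off; wiring the same command into CI would catch a future lockfile regeneration that silently drops the override's effect. The enclosing object (presumably the `pnpm` key) starts outside the hunk.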

pnpm-lock.yaml generated

@@ -103,6 +103,7 @@ catalogs:
overrides:
'@types/react': ^19.2.0
'@types/react-dom': ^19.2.0
'@xmldom/xmldom': ^0.8.13
importers:
@@ -419,7 +420,7 @@ importers:
version: 55.0.15(expo@55.0.24)(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
expo-router:
specifier: ~55.0.14
version: 55.0.14(fb4q2ydjsib3h2ixce2lptexem)
version: 55.0.14(28857138dad78e037ca803b5df54c4f8)
expo-secure-store:
specifier: ~55.0.13
version: 55.0.14(expo@55.0.24)
@@ -4693,8 +4694,8 @@ packages:
'@vitest/utils@4.1.0':
resolution: {integrity: sha512-XfPXT6a8TZY3dcGY8EdwsBulFCIw+BeeX0RZn2x/BtiY/75YGh8FeWGG8QISN/WhaqSrE2OrlDgtF8q5uhOTmw==}
'@xmldom/xmldom@0.8.12':
resolution: {integrity: sha512-9k/gHF6n/pAi/9tqr3m3aqkuiNosYTurLLUtc7xQ9sxB/wm7WPygCv8GYa6mS0fLJEHhqMC1ATYhz++U/lRHqg==}
'@xmldom/xmldom@0.8.13':
resolution: {integrity: sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==}
engines: {node: '>=10.0.0'}
abbrev@3.0.1:
@@ -11828,7 +11829,7 @@ snapshots:
ws: 8.20.1
zod: 3.25.76
optionalDependencies:
expo-router: 55.0.14(fb4q2ydjsib3h2ixce2lptexem)
expo-router: 55.0.14(28857138dad78e037ca803b5df54c4f8)
react-native: 0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0)
transitivePeerDependencies:
- '@expo/dom-webview'
@@ -11904,7 +11905,7 @@ snapshots:
ws: 8.20.1
zod: 3.25.76
optionalDependencies:
expo-router: 55.0.14(sz7ge56yy7giy7pypish4aerfa)
expo-router: 55.0.14(8e96a26c61ba5d82f3cb5fb823dc6716)
react-native: 0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0)
transitivePeerDependencies:
- '@expo/dom-webview'
@@ -12134,7 +12135,7 @@ snapshots:
'@expo/plist@0.5.3':
dependencies:
'@xmldom/xmldom': 0.8.12
'@xmldom/xmldom': 0.8.13
base64-js: 1.5.1
xmlbuilder: 15.1.1
@@ -12175,7 +12176,7 @@ snapshots:
react: 19.2.0
optionalDependencies:
'@expo/metro-runtime': 55.0.11(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-dom@19.2.0(react@19.2.0))(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
expo-router: 55.0.14(fb4q2ydjsib3h2ixce2lptexem)
expo-router: 55.0.14(28857138dad78e037ca803b5df54c4f8)
react-dom: 19.2.0(react@19.2.0)
transitivePeerDependencies:
- supports-color
@@ -12190,7 +12191,7 @@ snapshots:
react: 19.2.0
optionalDependencies:
'@expo/metro-runtime': 55.0.11(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-dom@19.2.3(react@19.2.0))(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
expo-router: 55.0.14(sz7ge56yy7giy7pypish4aerfa)
expo-router: 55.0.14(8e96a26c61ba5d82f3cb5fb823dc6716)
react-dom: 19.2.3(react@19.2.0)
transitivePeerDependencies:
- supports-color
@@ -15146,7 +15147,7 @@ snapshots:
convert-source-map: 2.0.0
tinyrainbow: 3.1.0
'@xmldom/xmldom@0.8.12': {}
'@xmldom/xmldom@0.8.13': {}
abbrev@3.0.1: {}
@@ -17285,7 +17286,7 @@ snapshots:
optionalDependencies:
react-native-worklets: 0.7.4(@babel/core@7.29.0)(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
expo-router@55.0.14(fb4q2ydjsib3h2ixce2lptexem):
expo-router@55.0.14(28857138dad78e037ca803b5df54c4f8):
dependencies:
'@expo/log-box': 55.0.12(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
'@expo/metro-runtime': 55.0.11(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-dom@19.2.0(react@19.2.0))(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
@@ -17333,7 +17334,7 @@ snapshots:
- expo-font
- supports-color
expo-router@55.0.14(sz7ge56yy7giy7pypish4aerfa):
expo-router@55.0.14(8e96a26c61ba5d82f3cb5fb823dc6716):
dependencies:
'@expo/log-box': 55.0.12(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
'@expo/metro-runtime': 55.0.11(@expo/dom-webview@55.0.6)(expo@55.0.24)(react-dom@19.2.3(react@19.2.0))(react-native@0.83.6(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)
@@ -20369,7 +20370,7 @@ snapshots:
plist@3.1.0:
dependencies:
'@xmldom/xmldom': 0.8.12
'@xmldom/xmldom': 0.8.13
base64-js: 1.5.1
xmlbuilder: 15.1.1