From ae00bcbeca4121be667290e8963702ef4d6eeb8d Mon Sep 17 00:00:00 2001
From: Lucie Germain <116178070+lucie-germain@users.noreply.github.com>
Date: Fri, 22 May 2026 10:11:59 +0200
Subject: [PATCH] [Security Upgrade]: pin @xmldom/xmldom to 0.8.13 (#33373)

Adds a resolution in root package.json to force all consumers to @xmldom/xmldom@0.8.13, fixing GHSA-wh4c-j3r5-mjhp, GHSA-j759-j44w-7fr8, GHSA-x6wf-f3px-wcqx, GHSA-f6ww-3ggp-fr8h, and GHSA-2v35-w6hq-6mfw. The vulnerable 0.7.13 entry in yarn.lock is replaced by 0.8.13 (minimum safe version across all five advisories).

Co-authored-by: Claude Sonnet 4.6
GitOrigin-RevId: e1a301e3a1d637894284f35238ca0e8c23534276
---
 package.json | 1 +
 yarn.lock | 15 ++++-----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index f99141bd1c..9145b49819 100644
--- a/package.json
+++ b/package.json
@@ -32,6 +32,7 @@
 "node": ">=20.0.0"
 },
 "resolutions": {
+"@xmldom/xmldom": "0.8.13",
 "argparse/underscore": "1.13.8",
 "sandboxed-module": "patch:sandboxed-module@npm%3A2.0.4#~/.yarn/patches/sandboxed-module-npm-2.0.4-f8b45aacc9.patch",
 "request/tough-cookie": "5.1.2",
diff --git a/yarn.lock b/yarn.lock
index 836747e379..3cb137cead 100644
--- a/yarn.lock
+++ b/yarn.lock
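Review bot: The new resolution `"@xmldom/xmldom": "0.8.13"` forces every consumer that declared `^0.7.0`, `^0.7.4`, `^0.7.9` or `^0.7.13` (the descriptors dropped from yarn.lock) across the 0.7 → 0.8 boundary, which under 0.x semver is outside the range those packages asked for; the commit message does not say the XML-parsing paths behind those consumers were exercised after the pin, so that is worth confirming before merge. The exact pin also means a later 0.8.x security release will not be picked up without editing this line again; if automatic patch pickup is wanted, a range such as `"@xmldom/xmldom": "^0.8.13"` (Yarn resolutions appear to accept a range) would still satisfy the five advisories named in the description, and if the exact pin is deliberate it is worth saying so in the PR description. The `resolutions` block continues outside the hunk.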
@@ -12485,17 +12485,10 @@ __metadata:
 languageName: node
 linkType: hard
-"@xmldom/xmldom@npm:^0.7.0, @xmldom/xmldom@npm:^0.7.13, @xmldom/xmldom@npm:^0.7.4, @xmldom/xmldom@npm:^0.7.9":
- version: 0.7.13
- resolution: "@xmldom/xmldom@npm:0.7.13"
- checksum: 10c0/cb02e4e8d986acf18578a5f25d1bce5e18d08718f40d8a0cdd922a4c112c8e00daf94de4e43f9556ed147c696b135f2ab81fa9a2a8a0416f60af15d156b60e40
- languageName: node
- linkType: hard
-
-"@xmldom/xmldom@npm:^0.8.10, @xmldom/xmldom@npm:^0.8.5":
- version: 0.8.12
- resolution: "@xmldom/xmldom@npm:0.8.12"
- checksum: 10c0/b733c84292d1bee32ef21a05aba8f9063456b51a54068d0b4a1abf5545156ee0b9894b7ae23775b5881b11c35a8a03871d1b514fb7e1b11654cdbee57e1c2707
+"@xmldom/xmldom@npm:0.8.13":
+ version: 0.8.13
+ resolution: "@xmldom/xmldom@npm:0.8.13"
+ checksum: 10c0/06405ee6fffba631abf715a305ace338420ebcea8baf1317f19f2752f5c505952b7df45159908e7be8451a42faa54326b780616ab4d08242b20477b2973da24b
 languageName: node
 linkType: hard