
Add security overrides for @xmldom/xmldom and postcss #581

Merged
jamespepper81 merged 2 commits into main from dev on May 28, 2026

Conversation

@jamespepper81
Contributor

No description provided.

claude and others added 2 commits May 28, 2026 21:29
Adds package.json overrides to force patched versions of two vulnerable
transitive build-tool dependencies:

- @xmldom/xmldom >=0.8.13: fixes 5 HIGH CVEs (XML injection CVSS 7.5,
  DoS, node injection via CDATA/comments/processing instructions). All
  within the same major version — no API break.
- postcss >=8.5.10: fixes GHSA-qx2v-qp2m-jg93 (XSS via unescaped
  </style>, CVSS 6.1). Same major v8.x — no API break.

Both packages appear only in Expo/Metro build tooling, not the app
bundle shipped to users. Reduces npm audit from 6 HIGH + 22 MODERATE
to 0 HIGH + 28 MODERATE. Remaining MODERATE items require Expo SDK 56
or have no upstream fix available.

uuid (<11.1.1) override was evaluated and deferred — forcing v9→v11
risks breaking the native iOS xcode npm package used by
@expo/config-plugins.

https://claude.ai/code/session_01XBXfKYaVBm1xmeaSQqvTnK
Add security overrides for @xmldom/xmldom and postcss
@jamespepper81 jamespepper81 merged commit fde4354 into main May 28, 2026
13 checks passed


2 participants