adobe / helix-data-embed

Turn data into embed-friendly JSON arrays
Apache License 2.0

chore(deps): update dependency xmldom to 0.7.0 [security] #497

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

Package Change
xmldom 0.6.0 -> 0.7.0

GitHub Vulnerability Alerts

CVE-2021-32796

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: "" in timezone Europe/Zurich.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.
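The advisory's workaround is to validate before trusting serializer output. As an added example, not code from helix-data-embed or xmldom, the lint below scans a serialized XML string for the symptom the advisory describes, a raw `<` or `&` in text content or attribute values instead of `&lt;`/`&amp;`, so a downstream application can reject such output before re-parsing or forwarding it. It assumes only the five predefined entities and numeric character references are legitimate (no DTD-declared entities).

```javascript
// Added example (not xmldom or helix-data-embed code): flag raw "<" / "&" in
// serialized XML text or attribute values, the defect class in CVE-2021-32796.
// Assumption: only predefined and numeric entity references are legitimate.
const ENTITY_RE = /^&(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);/;
const TAG_START_RE = /[A-Za-z_:!\/]/; // element name, "</", or "<!DOCTYPE"
const OPAQUE = [['<!--', '-->'], ['<![CDATA[', ']]>'], ['<?', '?>']];

// If a comment, CDATA section or PI starts at i, return the index past it.
function skipOpaque(xml, i) {
  for (const [open, close] of OPAQUE) {
    if (xml.startsWith(open, i)) {
      const end = xml.indexOf(close, i + open.length);
      return end === -1 ? xml.length : end + close.length;
    }
  }
  return -1;
}

// Returns one { offset, message } per unescaped special character;
// an empty array means the serialized string is syntactically clean.
function findUnescapedSpecials(xml) {
  const problems = [];
  const flag = (i, where, c) => problems.push({ offset: i, message: `unescaped "${c}" in ${where}` });
  let i = 0;
  while (i < xml.length) {
    const ch = xml[i];
    if (ch === '<') {
      const next = skipOpaque(xml, i);
      if (next !== -1) { i = next; continue; }
      if (!TAG_START_RE.test(xml[i + 1] || '')) { flag(i, 'text content', '<'); i += 1; continue; }
      let quote = null; // now inside a tag: check quoted attribute values
      i += 1;
      while (i < xml.length) {
        const c = xml[i];
        if (quote) {
          if (c === quote) quote = null;
          else if (c === '<') flag(i, 'attribute value', '<');
          else if (c === '&' && !ENTITY_RE.test(xml.slice(i))) flag(i, 'attribute value', '&');
        } else if (c === '"' || c === "'") { quote = c; }
        else if (c === '>') { i += 1; break; }
        i += 1;
      }
      continue;
    }
    if (ch === '&' && !ENTITY_RE.test(xml.slice(i))) flag(i, 'text content', '&');
    i += 1;
  }
  return problems;
}
```

Run it over the string returned by `XMLSerializer.serializeToString()` for a detached node and reject the document if the returned array is non-empty.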

github-actions[bot] commented 2 years ago

This PR will trigger no release when merged.

codecov[bot] commented 2 years ago

Codecov Report

Merging #497 (954406b) into main (7b371a6) will not change coverage. The diff coverage is n/a.


@@            Coverage Diff            @@
##              main      #497   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            9         9           
  Lines          260       260           
=========================================
  Hits           260       260           

Continue to review full report at Codecov.


trieloff commented 2 years ago

:tada: This PR is included in version 3.0.27 :tada:

The release is available on:

Your semantic-release bot :package::rocket: