Update dependency xmldom

[karfau]

Switching from package xmldom to @xmldom/xmldom, which resolves the security issue present in latest xmldom version 0.6.0: https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0: https://github.com/xmldom/xmldom/issues/271

• I used node 12 to run npm install.
• I executed npm run test on my machine without failure
• [x] npm run build:types failed since @xmldom/xmldom ships with types. I will push a separate commit to fix that.
• all other steps of npm run prepublishOnly work fine
• I'm assuming this fixes #488

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.

Changes in xmldom since 0.6.0

## [0.8.0](https://github.com/xmldom/xmldom/compare/0.7.5...0.8.0) ### Fixed - Normalize all line endings according to XML specs [1.0](https://w3.org/TR/xml/#sec-line-ends) and [1.1](https://www.w3.org/TR/xml11/#sec-line-ends) \ BREAKING CHANGE: Certain combination of line break characters are normalized to a single `\n` before parsing takes place and will no longer be preserved. - [`#303`](https://github.com/xmldom/xmldom/issues/303) / [`#307`](https://github.com/xmldom/xmldom/pull/307) - [`#49`](https://github.com/xmldom/xmldom/issues/49), [`#97`](https://github.com/xmldom/xmldom/issues/97), [`#324`](https://github.com/xmldom/xmldom/issues/324) / [`#314`](https://github.com/xmldom/xmldom/pull/314) - XMLSerializer: Preserve whitespace character references [`#284`](https://github.com/xmldom/xmldom/issues/284) / [`#310`](https://github.com/xmldom/xmldom/pull/310) \ BREAKING CHANGE: If you relied on the not spec compliant preservation of literal `\t`, `\n` or `\r` in **attribute values**. To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. ` `, ` `, ` `). - Drop deprecated exports `DOMImplementation` and `XMLSerializer` from `lib/dom-parser.js` [#53](https://github.com/xmldom/xmldom/issues/53) / [`#309`](https://github.com/xmldom/xmldom/pull/309) BREAKING CHANGE: Use the one provided by the main package export. - dom: Remove all links as part of `removeChild` [`#343`](https://github.com/xmldom/xmldom/issues/343) / [`#355`](https://github.com/xmldom/xmldom/pull/355) ### Chore - ci: Restore latest tested node version to 16.x [`#325`](https://github.com/xmldom/xmldom/pull/325) - ci: Split test and lint steps into jobs [`#111`](https://github.com/xmldom/xmldom/issues/111) / [`#304`](https://github.com/xmldom/xmldom/pull/304) - Pinned and updated devDependencies Thank you [@marrus-sh](https://github.com/marrus-sh), [@victorandree](https://github.com/victorandree), [@mdierolf](https://github.com/mdierolf), [@tsabbay](https://github.com/tsabbay), [@fatihpense](https://github.com/fatihpense) for your contributions ## 0.7.5 [Commits](https://github.com/xmldom/xmldom/compare/0.7.4...0.7.5) ### Fixes: - Preserve default namespace when serializing [`#319`](https://github.com/xmldom/xmldom/issues/319) / [`#321`](https://github.com/xmldom/xmldom/pull/321) Thank you [@lupestro](https://github.com/lupestro) ## 0.7.4 [Commits](https://github.com/xmldom/xmldom/compare/0.7.3...0.7.4) ### Fixes: - Restore ability to parse `__prototype__` attributes [`#315`](https://github.com/xmldom/xmldom/pull/315) Thank you [@dsimsonOMF](https://github.com/dsimsonOMF) ## 0.7.3 [Commits](https://github.com/xmldom/xmldom/compare/0.7.2...0.7.3) ### Fixes: - Add doctype when parsing from string [`#277`](https://github.com/xmldom/xmldom/issues/277) / [`#301`](https://github.com/xmldom/xmldom/pull/301) - Correct typo in error message [`#294`](https://github.com/xmldom/xmldom/pull/294) Thank you [@rrthomas](https://github.com/rrthomas) ### Refactor: - Improve exports & require statements, new main package entry [`#233`](https://github.com/xmldom/xmldom/pull/233) ### Docs: - Fix Stryker badge [`#298`](https://github.com/xmldom/xmldom/pull/298) - Fix link to help-wanted issues [`#299`](https://github.com/xmldom/xmldom/pull/299) ### Chore: - Execute stryker:dry-run on branches [`#302`](https://github.com/xmldom/xmldom/pull/302) - Fix stryker config [`#300`](https://github.com/xmldom/xmldom/pull/300) - Split test and lint scripts [`#297`](https://github.com/xmldom/xmldom/pull/297) - Switch to stryker dashboard owned by org [`#292`](https://github.com/xmldom/xmldom/pull/292) ## 0.7.2 [Commits](https://github.com/xmldom/xmldom/compare/0.7.1...0.7.2) ### Fixes: - Types: Add index.d.ts to packaged files [`#288`](https://github.com/xmldom/xmldom/pull/288) Thank you [@forty](https://github.com/forty) ## 0.7.1 [Commits](https://github.com/xmldom/xmldom/compare/0.7.0...0.7.1) ### Fixes: - Types: Copy types from DefinitelyTyped [`#283`](https://github.com/xmldom/xmldom/pull/283) Thank you [@kachkaev](https://github.com/kachkaev) ### Chore: - package.json: remove author, maintainers, etc. [`#279`](https://github.com/xmldom/xmldom/pull/279) ## 0.7.0 [Commits](https://github.com/xmldom/xmldom/compare/0.6.0...0.7.0) Due to [`#271`](https://github.com/xmldom/xmldom/issue/271) this version was published as - unscoped `xmldom` package to github (git tags [`0.7.0`](https://github.com/xmldom/xmldom/tree/0.7.0) and [`0.7.0+unscoped`](https://github.com/xmldom/xmldom/tree/0.7.0%2Bunscoped)) - scoped `@xmldom/xmldom` package to npm (git tag `0.7.0+scoped`) For more details look at [`#278`](https://github.com/xmldom/xmldom/pull/278#issuecomment-902172483) ### Fixes: - Security: Misinterpretation of malicious XML input [`CVE-2021-32796`](https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q) - Implement `Document.getElementsByClassName` as specified [`#213`](https://github.com/xmldom/xmldom/pull/213), thank you [@ChALkeR](https://github.com/ChALkeR) - Inherit namespace prefix from parent when required [`#268`](https://github.com/xmldom/xmldom/pull/268) - Handle whitespace in closing tags [`#267`](https://github.com/xmldom/xmldom/pull/267) - Update `DOMImplementation` according to recent specs [`#210`](https://github.com/xmldom/xmldom/pull/210) BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work". - No longer serializes any namespaces with an empty URI [`#244`](https://github.com/xmldom/xmldom/pull/244) (related to [`#168`](https://github.com/xmldom/xmldom/pull/168) released in 0.6.0) BREAKING CHANGE: Only if you rely on ["unsetting" a namespace prefix](https://github.com/xmldom/xmldom/pull/168#issuecomment-886984994) by setting it to an empty string - Set `localName` as part of `Document.createElement` [`#229`](https://github.com/xmldom/xmldom/pull/229), thank you [@rrthomas](https://github.com/rrthomas) ### CI - We are now additionally running tests against node v16 - Stryker tests on the master branch now run against node v14 ### Docs - Describe relations with and between specs: [`#211`](https://github.com/xmldom/xmldom/pull/211), [`#247`](https://github.com/xmldom/xmldom/pull/247)

[karfau]

I'm assuming the npm publish of PR only works when a contributor (re)triggers the build.

[bourgeoa]

@karfau You are right. It does work when I merge. May be you should have made your PR to a rdflib branch ? I have not implemented the action workflow, If you have anything to propose to resolve that it would be nice.

Thanks for your PR.

[karfau]

@bourgeoa As far as I can see it has to do with the fact that external contributors can not have access to the same secrets as maintainers, otherwise it would be to easy to extract them.

So there is nothing to propose or change about that. But if the maintainers want to be sure they can rerun the jobs, which gives it access to the secrets.

Thx for landing the PR and happy coding

[karfau]

PS: Since all existing xmldom versions have security issues you might want to evaluate if it's reasonable to deprecate version using that dependency. It depends on, if the XML can be provided/modified by a potential attacker aka if it has to be treated as insecure user input anywhere.