
Add security overrides for @xmldom/xmldom and postcss #579

Merged
jamespepper81 merged 1 commit into dev from claude/epic-feynman-QICvH on May 28, 2026

Conversation

@jamespepper81
Contributor

Description

Add npm package overrides for @xmldom/xmldom and postcss to enforce minimum secure versions and mitigate potential vulnerabilities in transitive dependencies.

Type of Change

  • 🔒 Security improvement

Changes Made

  • Added @xmldom/xmldom override with minimum version >=0.8.13
  • Added postcss override with minimum version >=8.5.10
  • These overrides ensure that any transitive dependencies requiring these packages use secure versions

Security Considerations

  • Addresses known vulnerabilities in older versions of these packages
  • Enforces minimum secure versions across the entire dependency tree
  • No sensitive data or private keys affected

Testing Performed

Automated Testing

  • Dependency resolution verified (lockfile updated)
  • No breaking changes to existing functionality

Checklist

  • My code follows the project's code style guidelines
  • My changes generate no new warnings or errors
  • No secrets, API keys, or sensitive data are committed

Additional Notes

These overrides ensure that even if transitive dependencies pull in older versions of @xmldom/xmldom or postcss, npm will resolve to the specified secure versions instead.

https://claude.ai/code/session_01XBXfKYaVBm1xmeaSQqvTnK

Adds package.json overrides to force patched versions of two vulnerable
transitive build-tool dependencies:

- @xmldom/xmldom >=0.8.13: fixes 5 HIGH CVEs (XML injection CVSS 7.5,
  DoS, node injection via CDATA/comments/processing instructions). All
  within the same major version — no API break.
- postcss >=8.5.10: fixes GHSA-qx2v-qp2m-jg93 (XSS via unescaped
  </style>, CVSS 6.1). Same major v8.x — no API break.

Both packages appear only in Expo/Metro build tooling, not the app
bundle shipped to users. Reduces npm audit from 6 HIGH + 22 MODERATE
to 0 HIGH + 28 MODERATE. Remaining MODERATE items require Expo SDK 56
or have no upstream fix available.

uuid (<11.1.1) override was evaluated and deferred — forcing v9→v11
risks breaking the native iOS xcode npm package used by
@expo/config-plugins.

https://claude.ai/code/session_01XBXfKYaVBm1xmeaSQqvTnK
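The PR relies on npm honouring the `overrides` field for every copy of the two packages in the tree, which only happens once the lockfile has been regenerated. The script below is an added example, not code from this PR or the project: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3, where each installed path is a key) and reports any resolved copy that is still below the minimum an override asks for. The `OVERRIDES` object mirrors the two ranges the PR describes but its exact `package.json` shape is assumed; the lockfile fragment is constructed for the example and deliberately leaves one nested `postcss` at an old version.

```javascript
// Added example (not from PR #579 or the project): verify that every
// installed copy of an overridden package in package-lock.json meets the
// minimum version the "overrides" entry is supposed to enforce.

// Overrides as the PR describes them; the package.json shape is assumed.
const OVERRIDES = {
  "@xmldom/xmldom": ">=0.8.13",
  postcss: ">=8.5.10",
};

// Minimal x.y.z comparison; prerelease/build tags are ignored on purpose.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Only ">=x.y.z" ranges are handled, which is all these overrides use.
function minimumOf(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Package name is whatever follows the last "node_modules/" in a lock path,
// which keeps scoped names such as "@xmldom/xmldom" intact.
function packageNameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}

// Returns {name, path, version, minimum} for every installed copy below the
// override's minimum; an empty array means the override took effect everywhere.
function findUnderride(lock, overrides) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameOf(lockPath);
    if (!name || !(name in overrides) || !entry.version) continue;
    const minimum = minimumOf(overrides[name]);
    if (compareVersions(entry.version, minimum) < 0) {
      violations.push({ name, path: lockPath, version: entry.version, minimum });
    }
  }
  return violations;
}

// Constructed lockfile fragment: a nested postcss left at 8.4.31, as happens
// when overrides were added but the lockfile was not regenerated.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@xmldom/xmldom": { version: "0.8.13" },
    "node_modules/postcss": { version: "8.5.10" },
    "node_modules/some-build-tool": { version: "2.0.0" },
    "node_modules/some-build-tool/node_modules/postcss": { version: "8.4.31" },
  },
};

for (const v of findUnderride(SAMPLE_LOCK, OVERRIDES)) {
  console.log(`${v.path}: ${v.name}@${v.version} is below ${v.minimum}`);
}
```

To check a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means `npm install` has not yet rewritten the lockfile under the new overrides. `npm ls @xmldom/xmldom postcss` gives the same picture from npm's side and is the quick confirmation to paste into a PR like this one alongside the before/after `npm audit` counts.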
@jamespepper81 jamespepper81 merged commit ac6378d into dev May 28, 2026
3 checks passed
@jamespepper81 jamespepper81 deleted the claude/epic-feynman-QICvH branch May 28, 2026 21:37