
fix: override @xmldom/xmldom to resolve XML injection vulnerability #60

Merged
Dhruwang merged 1 commit into main from fix/xmldom-vulnerability on Apr 29, 2026

Conversation

@Dhruwang
Member

Summary

  • Resolves high severity security alert: xmldom XML injection via unsafe CDATA serialization (@xmldom/xmldom@0.8.11)
  • Adds pnpm.overrides to force @xmldom/xmldom to >=0.9.10 (patched version)
  • Both plist@3.1.0 and @expo/plist@0.5.2 pin to ^0.8.8, which under semver for 0.x packages won't resolve to 0.9.x — the override is needed to bridge this

Test plan

  • pnpm install succeeds, lockfile resolves @xmldom/xmldom to 0.9.10 for all consumers
  • All 145 tests pass
  • Verify the GitHub security alert is resolved after merge

Resolves ENG-799

🤖 Generated with Claude Code
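Added example, written for this page and not code from the PR or the project: a small simulation of the resolution problem the description states. It reimplements the caret rule for the three range shapes that appear on this page (caret, `>=`, exact pin), which is an assumption of the example rather than the real npm `semver` package, resolves @xmldom/xmldom for the two consumers named above against a constructed list of published versions, and shows that only a `pnpm.overrides` entry moves both consumers from 0.8.11 to 0.9.10. It accepts the loose `>=0.9.10` range as well as an exact `0.9.10` pin, so it also covers the exact-pin alternative raised in the review comment on this PR.

```javascript
// Added example, not code from the PR or the project. It models the situation
// the PR description states: plist@3.1.0 and @expo/plist@0.5.2 depend on
// @xmldom/xmldom with "^0.8.8", and a pnpm.overrides entry forces ">=0.9.10".
// The range matching below is a deliberately small reimplementation of the npm
// semver rules for the three range shapes used here (caret, ">=", exact); it is
// an assumption of this example and not the real `semver` package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Comparator result: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret rule: ^x.y.z allows updates that keep the left-most non-zero component.
// For ^0.8.8 that is >=0.8.8 <0.9.0, which is why 0.9.10 is never selected.
function satisfiesCaret(range, version) {
  const base = range.slice(1);
  const b = parseVersion(base);
  const v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return v.major === 0 && v.minor === 0 && v.patch === b.patch;
}

function satisfies(range, version) {
  const r = range.trim();
  if (r.startsWith("^")) return satisfiesCaret(r, version);
  if (r.startsWith(">=")) return compareVersions(version, r.slice(2)) >= 0;
  return compareVersions(version, r) === 0; // exact pin such as "0.9.10"
}

// Constructed registry snapshot and dependency graph (sample data, not real
// registry output). 0.8.11 is the vulnerable release named in the PR, 0.9.10
// the patched one it requires.
const AVAILABLE = ["0.8.8", "0.8.10", "0.8.11", "0.9.9", "0.9.10"];
const CONSUMERS = { "plist@3.1.0": "^0.8.8", "@expo/plist@0.5.2": "^0.8.8" };
const PATCHED_RANGE = ">=0.9.10";

// A resolver picks the highest published version that satisfies the range.
function resolveHighest(range, available = AVAILABLE) {
  const ok = available.filter((v) => satisfies(range, v)).sort(compareVersions);
  return ok.length > 0 ? ok[ok.length - 1] : null;
}

// Resolve @xmldom/xmldom for every consumer. If package.json carries a
// pnpm.overrides entry for it, that range replaces each consumer's own range,
// which is the effect an override has on resolution.
function resolveAll(pkgJson, consumers = CONSUMERS) {
  const override = pkgJson?.pnpm?.overrides?.["@xmldom/xmldom"] ?? null;
  const resolved = {};
  for (const [consumer, range] of Object.entries(consumers)) {
    resolved[consumer] = resolveHighest(override ?? range);
  }
  const allPatched = Object.values(resolved).every(
    (v) => v !== null && satisfies(PATCHED_RANGE, v),
  );
  return { override, resolved, allPatched };
}

// Constructed package.json fragments: before the PR (no override) and after it
// (the override the PR description adds). Only the fields used here are shown.
const BEFORE = { name: "example-app", pnpm: {} };
const AFTER = {
  name: "example-app",
  pnpm: { overrides: { "@xmldom/xmldom": ">=0.9.10" } },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveAll(BEFORE)); // both consumers on 0.8.11, allPatched false
  console.log(resolveAll(AFTER)); // both consumers on 0.9.10, allPatched true
}

if (typeof module !== "undefined") {
  module.exports = { satisfies, resolveHighest, resolveAll, BEFORE, AFTER };
}
```

Run it with `node` to see both resolutions printed. The point the simulation makes is the one the description relies on: a resolver given `^0.8.8` alone can only ever land on the highest 0.8.x release, so a vulnerable transitive dependency stays in place until either every consumer widens its range or the root package forces the version with an override.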

@CLAassistant

CLAassistant commented Apr 29, 2026

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Apr 29, 2026

Walkthrough

The package.json file has been updated to include a new pnpm.overrides configuration block. This addition specifies a version constraint for a dependency, setting it to require versions >=0.9.10. The change introduces 5 new lines of configuration without removing any existing lines.

🚥 Pre-merge checks: 5 passed

  • Title check: ✅ Passed. The title accurately describes the main change: overriding @xmldom/xmldom to resolve a documented XML injection vulnerability, which is the primary purpose of the changeset.
  • Description check: ✅ Passed. The description is directly related to the changeset, providing context about the security vulnerability, the rationale for the override, and test results confirming the fix works.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 19-23: Replace the loose range override for `@xmldom/xmldom` with
the exact patched version 0.9.10 in the pnpm.overrides section of package.json:
change the value currently set to ">=0.9.10" to the exact string "0.9.10" so
builds are deterministic and comply with the repository's exact-version
guideline.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 69ecf67e-9733-4163-93a1-14a843e8de79

📥 Commits

Reviewing files that changed from the base of the PR and between e6487bc and 6c878b3.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

…nerability

@xmldom/xmldom@0.8.11 has a high severity vulnerability (XML injection via
unsafe CDATA serialization). Both plist@3.1.0 and @expo/plist@0.5.2 pin to
^0.8.8 which won't resolve to 0.9.x under semver. This override forces the
patched version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Dhruwang Dhruwang force-pushed the fix/xmldom-vulnerability branch from 6c878b3 to dacdcc7 on April 29, 2026 10:09
@sonarqubecloud

@Dhruwang Dhruwang requested a review from pandeymangg April 29, 2026 10:12
@Dhruwang Dhruwang added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit e3cecd7 Apr 29, 2026
10 checks passed
@Dhruwang Dhruwang deleted the fix/xmldom-vulnerability branch April 29, 2026 10:18