
[sec-check] fix: add npm overrides for markdown-it >=14.1.1 and @xmldom/xmldom >=0.9.10#5764

Open
clubanderson wants to merge 1 commit into main from sec/docs-dep-overrides-markdown-it-xmldom

Conversation

@clubanderson
Contributor

Security Fix

Adds overrides block to package.json to force safe versions of two vulnerable transitive dependencies.

Vulnerabilities Fixed

markdown-it 14.1.0 → >=14.1.1 (GHSA-38c4-r59v-3vqw)

  • CVE-2026-2327 — MEDIUM (CVSS 5.3) — ReDoS via /*+$/ regex in linkify
  • Affected: >= 13.0.0, < 14.1.1
  • Source chain: markdownlint-cli2 → markdown-it: 14.1.0

@xmldom/xmldom 0.9.9 → >=0.9.10 (4 CVEs)

Advisory             Description
GHSA-2v35-w6hq-6mfw  Uncontrolled recursion DoS in XML serialization
GHSA-f6ww-3ggp-fr8h  XML injection via unvalidated DocumentType
GHSA-x6wf-f3px-wcqx  XML node injection via processing instructions
GHSA-j759-j44w-7fr8  XML node injection via comment serialization
  • Source chain: mermaid → speech-rule-engine → @xmldom/xmldom: 0.9.9

Change

Single addition to package.json:

"overrides": {
  "markdown-it": ">=14.1.1",
  "@xmldom/xmldom": ">=0.9.10"
}

After merging, run npm install locally to regenerate package-lock.json with the safe versions.

Fixes #5763


Filed by sec-check agent (ACMM L6 — full mode, pass 75)

…mldom >=0.9.10

Fixes GHSA-38c4-r59v-3vqw (markdown-it 14.1.0 ReDoS) and
4 xmldom CVEs in 0.9.9 (GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8h,
GHSA-x6wf-f3px-wcqx, GHSA-j759-j44w-7fr8).

Both are transitive deps (markdownlint-cli2 → markdown-it,
mermaid → speech-rule-engine → @xmldom/xmldom).

Fixes #5763

Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 7, 2026 07:48
@kubestellar-prow kubestellar-prow Bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Jun 7, 2026
@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify

netlify Bot commented Jun 7, 2026

Deploy Preview for kubestellar-docs ready!

Name Link
🔨 Latest commit 8c0a838
🔍 Latest deploy log https://app.netlify.com/projects/kubestellar-docs/deploys/6a2522693cd1a70008a59cfa
😎 Deploy Preview https://deploy-preview-5764--kubestellar-docs.netlify.app

@kubestellar-prow kubestellar-prow Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 7, 2026
@github-actions github-actions Bot added frontend dependencies Pull requests that update a dependency file json labels Jun 7, 2026
@kubestellar-prow

@clubanderson: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubestellar-docs-test 8c0a838 link true /test pull-kubestellar-docs-test
pull-kubestellar-docs-build 8c0a838 link true /test pull-kubestellar-docs-build
pull-kubestellar-docs-verify 8c0a838 link true /test pull-kubestellar-docs-verify

Full PR test history


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Contributor

Copilot AI left a comment


Pull request overview

This PR adds npm overrides to force patched versions of two vulnerable transitive dependencies used by dev tooling and mermaid-related packages, addressing the security findings in #5763.

Changes:

  • Add overrides for markdown-it to avoid the vulnerable <14.1.1 range.
  • Add overrides for @xmldom/xmldom to avoid the vulnerable <0.9.10 range.


Comment thread package.json
Comment on lines +24 to +27
"overrides": {
"markdown-it": ">=14.1.1",
"@xmldom/xmldom": ">=0.9.10"
},
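Review bot: package-lock.json is not touched by these four lines, yet the description defers `npm install` until after merging; `npm ci` refuses to run when package.json and package-lock.json disagree, so leaving the lockfile stale is a likely reason for the three pull-kubestellar-docs-* jobs above failing, and until it is regenerated the 14.1.0 and 0.9.9 copies remain what a clean install resolves. Regenerate and commit the lockfile in this PR rather than after it. A second, smaller point: the open-ended `>=` ranges accept any future major of markdown-it and @xmldom/xmldom, so consider whether a bounded range is wanted once the lockfile pins the actual versions.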
@clubanderson
Contributor Author

⚠️ Overlap notice (sec-check pass 77): PR #5737 (sec/bump-xmldom-axios-docs) also adds @xmldom/xmldom >= 0.9.10 and markdown-it >= 14.1.1 overrides (plus 8 more), making this PR a subset of that one.

If PR #5737 lands first, this PR can be closed as superseded. If this PR lands first, #5737 will need to be rebased.

Recommend merging #5737 first (more comprehensive), then closing this one.

— sec-check agent (ACMM L6)

@clubanderson
Contributor Author

⚠️ sec-check: Partial overlap with PR #5737

PR #5737 ([sec-check] fix: add npm overrides for 10 transitive CVEs) is a superset of this PR — it includes both markdown-it >=14.1.1 and @xmldom/xmldom >=0.9.10 overrides (plus 8 more CVE fixes).

Merge order recommendation:

Status: Both are dco-signoff: yes. #5737 covers more CVEs and is the preferred merge target.


Filed by sec-check agent (ACMM L6 — full mode)


Development

Successfully merging this pull request may close these issues.

[sec-check] markdown-it 14.1.0 ReDoS + @xmldom/xmldom 0.9.9 XML injection (4 CVEs) in transitive deps
