Skip to content

chore(package): bump @xmldom/xmldom to ^0.9.0 and rollup to ^2.80.0 to fix security vulnerabilities#190

Open
Jerricho93 wants to merge 1 commit into
videojs:mainfrom
Jerricho93:fix/security-vulnerabilities
Open

chore(package): bump @xmldom/xmldom to ^0.9.0 and rollup to ^2.80.0 to fix security vulnerabilities#190
Jerricho93 wants to merge 1 commit into
videojs:mainfrom
Jerricho93:fix/security-vulnerabilities

Conversation

@Jerricho93
Copy link
Copy Markdown

@Jerricho93 Jerricho93 commented May 19, 2026

Description

Fix security vulnerabilities in npm dependencies.

  • @xmldom/xmldom was pinned at ^0.8.3 which is affected by multiple high/critical advisories (XXE injection and related XML parsing issues). Bumped to ^0.9.0 (currently resolves to 0.9.10). The only usage in this repo is DOMParser.parseFromString() + getElementsByTagName('parsererror'), which is fully compatible with the 0.9.x API.
  • rollup was on a range that included versions <=2.79.2, which are affected by a DOM clobbering vulnerability (high severity). Bumped to ^2.80.0.

Related upstream issue: #189

Specific Changes proposed

  • Bump @xmldom/xmldom from ^0.8.3 to ^0.9.0 in dependencies
  • Bump rollup from ^2.38.0 to ^2.80.0 in devDependencies

Requirements Checklist

  • Feature implemented / Bug fixed
  • Unit Tests updated or fixed
  • Docs/guides updated
  • Reviewed by Two Core Contributors

@Jerricho93 @claude
chore(package): bump @xmldom/xmldom to ^0.9.0 and rollup to ^2.80.0 t…
cb069e6 
…o fix security vulnerabilities

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This was referenced May 19, 2026
Open
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jerricho93