
chore(deps): suppress xmldom CDATA serialization audit advisory#28235

Merged
tommasini merged 1 commit into main from chore/ignore-audit-xml-temp on Apr 1, 2026

Conversation

tommasini (Contributor) commented Apr 1, 2026

Description

CI yarn npm audit is failing due to advisory 1115765 — an XML injection via unsafe CDATA serialization in xmldom. There is no fix available in our dependency tree yet.

This PR temporarily suppresses the advisory in .yarnrc.yml npmAuditIgnoreAdvisories to unblock CI, following the same pattern used for the existing bn.js suppressions.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

N/A

Screenshots/Recordings

Before

N/A

After

N/A

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Made with Cursor

Note

Medium Risk
Low code-change risk, but it suppresses a known security advisory (xmldom XML injection) so vulnerabilities may go unnoticed until the dependency is upgraded.

Overview
Updates .yarnrc.yml to add advisory 1115765 to npmAuditIgnoreAdvisories, suppressing the xmldom CDATA serialization XML-injection audit finding to unblock yarn npm audit/CI.

Written by Cursor Bugbot for commit f4adc9c. This will update automatically on new commits.
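The "Medium Risk" point above is that a suppression added to unblock CI can quietly outlive the "temporarily" in the description. The Python below is an added example, not code from this PR or the project; it assumes a "review-by: YYYY-MM-DD" comment convention on each npmAuditIgnoreAdvisories entry and runs over a constructed .yarnrc.yml sample in which only advisory 1115765 comes from this page (the other two entries are invented placeholders).

```python
import re
from datetime import date

# Constructed sample .yarnrc.yml: advisory 1115765 from this PR plus two
# invented placeholder entries to exercise the stale and undated cases.
SAMPLE_YARNRC = """\
nodeLinker: node-modules

npmAuditIgnoreAdvisories:
  - "1115765" # xmldom CDATA serialization, no fix yet; review-by: 2026-05-01
  - "EXAMPLE-OLD" # placeholder; review-by: 2026-01-15
  - "EXAMPLE-NODATE" # placeholder with no review date at all

enableTelemetry: false
"""

# One list entry: optional quotes around the id, optional trailing comment.
ENTRY_RE = re.compile(r'^\s*-\s*"?([^"\s#]+)"?\s*(?:#(.*))?$')
# Assumed convention: each suppression carries "review-by: YYYY-MM-DD".
DATE_RE = re.compile(r"review-by:\s*(\d{4}-\d{2}-\d{2})")

def parse_ignored_advisories(text):
    """Map advisory id -> review-by date (or None when undated) for the
    npmAuditIgnoreAdvisories block of a .yarnrc.yml."""
    entries = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("npmAuditIgnoreAdvisories:"):
            in_block = True
            continue
        if in_block and line and not line[0].isspace():
            break  # next top-level key ends the list
        if not in_block:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line or non-entry inside the block
        advisory, comment = m.group(1), m.group(2) or ""
        d = DATE_RE.search(comment)
        entries[advisory] = date.fromisoformat(d.group(1)) if d else None
    return entries

def stale_suppressions(text, today_iso):
    """Suppressions that should fail CI: undated, or past their review date."""
    today = date.fromisoformat(today_iso)
    return sorted(
        adv for adv, until in parse_ignored_advisories(text).items()
        if until is None or until < today
    )
```

Run it as a CI step against the real .yarnrc.yml and fail the job when the returned list is non-empty, so the upgrade is revisited on schedule rather than forgotten.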

@tommasini tommasini self-assigned this Apr 1, 2026
github-actions Bot commented Apr 1, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-mobile-platform Mobile Platform team label Apr 1, 2026
@github-project-automation github-project-automation Bot moved this to Needs dev review in PR review queue Apr 1, 2026
@tommasini tommasini added no-changelog no-changelog Indicates no external facing user changes, therefore no changelog documentation needed skip-sonar-cloud Only used for bypassing sonar cloud when failures are not relevant to the changes. skip-e2e skip E2E test jobs labels Apr 1, 2026
@tommasini tommasini marked this pull request as ready for review April 1, 2026 08:40
@tommasini tommasini enabled auto-merge April 1, 2026 08:40
@github-project-automation github-project-automation Bot moved this from Needs dev review to Review finalised - Ready to be merged in PR review queue Apr 1, 2026
github-actions Bot commented Apr 1, 2026

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - draft PR

All E2E tests pre-selected.

sonarqubecloud Bot commented Apr 1, 2026

@tommasini tommasini added this pull request to the merge queue Apr 1, 2026
Merged via the queue into main with commit 353ba9e Apr 1, 2026
111 of 140 checks passed
@tommasini tommasini deleted the chore/ignore-audit-xml-temp branch April 1, 2026 09:08
@github-project-automation github-project-automation Bot moved this from Review finalised - Ready to be merged to Merged, Closed or Archived in PR review queue Apr 1, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 1, 2026
@weitingsun weitingsun added release-7.73.0 Issue or pull request that will be included in release 7.73.0 and removed release-101.2.0 labels Apr 1, 2026