chore(deps): bump @xmldom/xmldom to 0.8.12

[georgewrmarshall]

Description

Bumps @xmldom/xmldom from ^0.8.10 to ^0.8.12 to address the failing production dependency audit (GHSA-wh4c-j3r5-mjhp).

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

Feature: Production dependency audit compliance

  Scenario: audit CI passes after xmldom patch update
    Given the repository is on branch chore/fix-audit-xmldom
    When I run yarn audit:ci
    Then no audit suggestions are reported

Screenshots/Recordings

Before

N/A (dependency-only change)

After

N/A (dependency-only change)

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk dependency-only update; main risk is unexpected behavior changes in XML parsing due to the transitive library patch bump.

Overview
Updates the production dependency @xmldom/xmldom from ^0.8.10/0.8.11 to ^0.8.12 and refreshes yarn.lock to lock the new resolved version/checksum, addressing the flagged security advisory.

^{Reviewed by Cursor Bugbot for commit 776772f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Lockfile keeps vulnerable xmldom 0.8.11 instead of deduplicating
  • Ran yarn dedupe to collapse all @xmldom/xmldom ranges to 0.8.12 and removed 0.8.11 from yarn.lock.

Or push these changes by commenting:

@cursor push 83dae2da37

Preview (83dae2da37)

diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
@@ -20699,20 +20699,13 @@
   languageName: node
   linkType: hard
 
-"@xmldom/xmldom@npm:^0.8.12":
+"@xmldom/xmldom@npm:^0.8.12, @xmldom/xmldom@npm:^0.8.8, @xmldom/xmldom@npm:^0.x":
   version: 0.8.12
   resolution: "@xmldom/xmldom@npm:0.8.12"
   checksum: 10/0fc20bc72a057a939ed17afc3fb35d6be2eb19e42aa9ba3c78aa8bdf471da0b4b17c2710581ce6a2cd68ce3995c2ee7d689593a70a26df1273c0c9c29dfca257
   languageName: node
   linkType: hard
 
-"@xmldom/xmldom@npm:^0.8.8, @xmldom/xmldom@npm:^0.x":
-  version: 0.8.11
-  resolution: "@xmldom/xmldom@npm:0.8.11"
-  checksum: 10/f6d6ffdf71cf19d9b3c10e978fad40d2f85453bf5b2aa05be8aa0c5ad13f84690c3153316729213cc652d06ec12c605ddb0aa03886f1d73d51b974b4105d31e3
-  languageName: node
-  linkType: hard
-
 "@xmldom/xmldom@npm:~0.7.7":
   version: 0.7.13
   resolution: "@xmldom/xmldom@npm:0.7.13"

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 46057e8. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​xmldom/​xmldom@​0.8.11 ⏵ 0.8.12		+16	+1	+38

View full report

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeNetworkExpansion
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 85%

click to see 🤖 AI reasoning details

E2E Test Selection:
The only change in this PR is a patch-level version bump of @xmldom/xmldom from 0.8.11 to 0.8.12. This library is used exclusively in app/util/favicon/index.ts for parsing HTML documents to extract favicon URLs from dApp websites.

The favicon utility is used in the browser/dApp connection flow to display site icons. A patch bump (0.8.11 → 0.8.12) is a minor update that typically contains bug fixes without breaking API changes. The DOMParser API usage in the favicon utility is straightforward and unlikely to be affected by a patch release.

SmokeNetworkExpansion is selected as it covers dApp connect/disconnect flows where favicon parsing would be exercised. This provides minimal but targeted coverage for the affected code path. No other test areas are meaningfully impacted by this narrow dependency change.

No performance tests are needed as favicon parsing is a lightweight background operation that doesn't impact measurable performance metrics.

Performance Test Selection:
The @xmldom/xmldom patch bump only affects favicon HTML parsing, which is a lightweight background utility operation. This has no measurable impact on app performance metrics like launch time, rendering, or data loading.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud