chore(ci): cherry-pick xmldom 0.8.12 bump (#28424) into release/7.72.0#28458

Merged
chloeYue merged 2 commits into release/7.72.0 from chore/cherry-pick-28424-xmldom
Apr 7, 2026

@chloeYue chloeYue commented Apr 7, 2026

Contributor

Summary

Cherry-picks PR #28424 (chore(deps): bump @xmldom/xmldom to 0.8.12 + lockfile dedupe) onto release/7.72.0 for inclusion in the release train tracked by PR #27990.

Motivation

Addresses production dependency audit (GHSA-wh4c-j3r5-mjhp) by bumping @xmldom/xmldom to 0.8.12 and deduping yarn.lock so resolved versions align.

Commits (cherry-picked)

  • 46057e87e4 — chore(deps): bump @xmldom/xmldom to 0.8.12
  • 776772ffcd — chore(deps): dedupe lockfile after xmldom bump
    CHANGELOG entry: null

Testing

  • CI green on this PR
  • yarn audit:ci / audit expectations as appropriate for release branch

Made with Cursor


Note

Low Risk
Low risk dependency-only change: bumps @xmldom/xmldom and updates the lockfile resolution/checksum, with no application code changes.

Overview
Updates the @xmldom/xmldom dependency from ^0.8.10 to ^0.8.12 in package.json.

Refreshes yarn.lock to resolve @xmldom/xmldom to 0.8.12 (updated resolution key/checksum), aligning the lockfile with the bumped version.

Reviewed by Cursor Bugbot for commit 307083e. Bugbot is set up for automated code reviews on this repo. Configure here.
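
A lockfile check for the state this PR aims for, where every @xmldom/xmldom entry in yarn.lock resolves to at least 0.8.12. This is an added example, not code from this repository or the PR author; the lockfile text is constructed and the function names are hypothetical.

```javascript
// Constructed yarn.lock excerpt (Yarn Berry layout), not the repository's file.
const SAMPLE_LOCK = `
"@xmldom/xmldom@npm:^0.8.10, @xmldom/xmldom@npm:^0.8.12":
  version: 0.8.12
  resolution: "@xmldom/xmldom@npm:0.8.12"
  languageName: node

"@xmldom/xmldom@npm:0.8.10":
  version: 0.8.10
  resolution: "@xmldom/xmldom@npm:0.8.10"
  languageName: node

"example-pkg@npm:^1.3.0":
  version: 1.3.0
  resolution: "example-pkg@npm:1.3.0"
`;

// Compare MAJOR.MINOR.PATCH numerically; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const parts = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Collect every lockfile block whose descriptors name `pkg`, with its resolved version.
// Accepts Berry ("version: 0.8.12") and classic ('version "0.8.12"') lines.
function resolvedVersions(lockText, pkg) {
  const found = [];
  let current = null; // descriptors of the block being read, if it belongs to pkg
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const descriptors = line.slice(0, -1).replace(/"/g, '').split(/,\s*/);
      current = descriptors.some((d) => d.startsWith(pkg + '@')) ? descriptors : null;
    } else if (current) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) { found.push({ descriptors: current, version: m[1] }); current = null; }
    }
  }
  return found;
}

// Entries still resolving below the fixed version; empty means the bump applies everywhere.
function staleResolutions(lockText, pkg, minVersion) {
  return resolvedVersions(lockText, pkg).filter((e) => compareVersions(e.version, minVersion) < 0);
}

console.log(staleResolutions(SAMPLE_LOCK, '@xmldom/xmldom', '0.8.12'));
```

The exact-pinned descriptor in the sample is the case a dedupe cannot collapse, so it is the one the check reports.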

@github-actions

github-actions Bot commented Apr 7, 2026

Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-qa QA team label Apr 7, 2026
@chloeYue chloeYue changed the title from "chore(deps): cherry-pick xmldom 0.8.12 bump (#28424) into release/7.72.0" to "chore(ci): cherry-pick xmldom 0.8.12 bump (#28424) into release/7.72.0" Apr 7, 2026
@github-actions github-actions Bot added the risk-low Low testing needed · Low bug introduction risk label Apr 7, 2026
@github-actions

github-actions Bot commented Apr 7, 2026

Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeNetworkExpansion
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 82%
click to see 🤖 AI reasoning details

E2E Test Selection:
The only change is a patch version bump of @xmldom/xmldom from 0.8.11 to 0.8.12. This library is used exclusively in app/util/favicon/index.ts for parsing HTML to extract favicon URLs from dApp websites. The favicon utility is used in the browser/dApp connection context to display site icons.

This is a very narrow, low-risk change:

  1. It's a patch-level dependency update (0.8.11 → 0.8.12), likely a bug fix or security patch
  2. Only affects favicon display in the browser/dApp context
  3. No core wallet functionality, controllers, transactions, or critical paths are affected
  4. The DOMParser usage in favicon/index.ts is straightforward and unlikely to be broken by a patch update

Since the change touches browser/dApp functionality (favicon parsing when connecting to dApps), SmokeNetworkExpansion covers dApp connection flows which would exercise the favicon utility. However, given the extremely narrow scope of this change (just favicon display), even this may be conservative. No performance tests are needed as this is a utility library patch with no performance implications.

Performance Test Selection:
The @xmldom/xmldom patch update only affects favicon HTML parsing, which is a lightweight utility operation with no meaningful performance impact. No performance tests are warranted.

View GitHub Actions results

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated package: npm/@xmldom/xmldom@0.8.11 ⏵ 0.8.12

  • Supply Chain Security: 99
  • Vulnerability: 100 +16
  • Quality: 100 +1
  • Maintenance: 88 +38
  • License: 100

View full report

@chloeYue chloeYue added team-mobile-delivery and removed team-qa QA team labels Apr 7, 2026
@sonarqubecloud

sonarqubecloud Bot commented Apr 7, 2026


@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label Apr 7, 2026
@github-actions

github-actions Bot commented Apr 7, 2026

Contributor

E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details

@chloeYue chloeYue merged commit 5ad0a71 into release/7.72.0 Apr 7, 2026
105 of 114 checks passed
@chloeYue chloeYue deleted the chore/cherry-pick-28424-xmldom branch April 7, 2026 12:55
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 7, 2026
Labels

INVALID-PR-TEMPLATE PR's body doesn't match template risk-low Low testing needed · Low bug introduction risk size-XS team-mobile-delivery
