
chore(ci): bump xmldom & ignore uuid advisory to address ci audit failure#29222

Merged
joaoloureirop merged 3 commits into main from fix/ci-audit-xmldom on Apr 22, 2026

Conversation

@joaoloureirop

@joaoloureirop joaoloureirop commented Apr 22, 2026

Contributor

Description

uuid version update in progress https://consensyssoftware.atlassian.net/browse/MCWP-557

Changelog

CHANGELOG entry: null

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-556

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@github-actions

Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbotv2 metamaskbotv2 Bot added the team-mobile-platform Mobile Platform team label Apr 22, 2026
@github-actions github-actions Bot added size-XS risk:high AI analysis: high risk labels Apr 22, 2026
@socket-security

socket-security Bot commented Apr 22, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | npm/@xmldom/xmldom@0.8.12 ⏵ 0.8.13 | 99100 +40100 +192 +4100


@joaoloureirop joaoloureirop changed the title chore(ci): bump xmldom to address ci audit failure chore(ci): bump xmldom & ignore uuid advisory to address ci audit failure Apr 22, 2026
@Cal-L Cal-L previously approved these changes Apr 22, 2026

@Cal-L Cal-L left a comment

Contributor


LGTM

@github-actions

Contributor

AI PR Analysis

🚫 Merge safe: false | 🟠 Risk: high

Merge decision: AI analysis did not complete — manual review required before merging.

AI analysis did not complete. Manual review recommended.


@github-actions

Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeBrowser
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 88%

E2E Test Selection:
The changes are minimal and low-risk:

  1. @xmldom/xmldom patch bump (^0.8.12 → ^0.8.13): This library is used exclusively in app/util/favicon/index.ts for HTML DOM parsing to extract favicon URLs from web pages. The only affected functionality is favicon loading in the in-app browser. A minor patch update is unlikely to introduce regressions, but SmokeBrowser is selected as a precautionary measure to validate favicon parsing still works correctly in browser navigation flows.

  2. .yarnrc.yml audit suppression: Adding advisory 1116970 (uuid buffer bounds check for v3/v5/v6) as an ignored advisory. The app uses uuid v4 and v1 which are unaffected. This is a pure CI/audit configuration change with zero runtime impact.

  3. yarn.lock: Lock file update corresponding to the xmldom version bump.

No core controllers, Engine, navigation, confirmations, accounts, or other critical paths are affected. The impact is isolated to the browser favicon utility, making SmokeBrowser the only relevant test tag.

Performance Test Selection:
The changes are limited to a minor patch update of @xmldom/xmldom (used only for favicon HTML parsing) and a security advisory suppression in .yarnrc.yml. Neither change affects UI rendering performance, data loading, state management, account/network components, critical user flows, or app startup. No performance tests are warranted.

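The second item in the reasoning above hinges on a claim that deserves its own check: an advisory for uuid's v3/v5/v6 functions can only be ignored safely if the code base never calls them. The script below is an added example written for this page, not code from this PR or from the MetaMask repository. It scans a source tree for imports or calls of those three functions and reports whether the suppression is justified. It assumes GNU grep and a POSIX sh; the sample tree it builds is constructed for the demonstration and is not a real app file; the Yarn 4 setting that holds the ignored advisory list is named `npmAuditIgnoreAdvisories` in Yarn's configuration reference, and the advisory scope (v3/v5/v6) is taken from the thread above.

```shell
#!/bin/sh
# Added example, not MetaMask's own code: before listing a uuid advisory under
# npmAuditIgnoreAdvisories in .yarnrc.yml, confirm the API the advisory covers
# (per the thread: uuid's v3/v5/v6 functions) is not used anywhere in the tree.

# Print every import or call of uuid's v3/v5/v6 functions under the given
# directory. Exit status 0 means at least one match (the advisory applies),
# 1 means none, exactly as grep itself reports.
find_uuid_v356_usage() {
  grep -rnE --include='*.ts' --include='*.tsx' --include='*.js' \
    -e "import[^;]*[{ ,](v3|v5|v6)[ ,}][^;]*from ['\"]uuid['\"]" \
    -e "\buuid\.(v3|v5|v6)\(" \
    "$1"
}

# Wrapper with the sense a CI gate wants: 0 when the suppression is justified,
# 1 when the advisory's affected functions are still in use.
advisory_is_unused() {
  if find_uuid_v356_usage "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Constructed sample tree (not real app files): one file that only uses v4/v1,
# one that reaches v5 through a namespace import, which a naive grep for
# "import { v5 }" would miss.
make_sample_tree() {
  sample_root=$(mktemp -d)
  mkdir -p "$sample_root/app/util"
  cat > "$sample_root/app/util/ids.ts" <<'EOF'
import { v4 as uuidv4, v1 as uuidv1 } from 'uuid';
export const randomId = () => uuidv4();
export const timeId = () => uuidv1();
EOF
  cat > "$sample_root/app/util/ns.ts" <<'EOF'
import * as uuid from 'uuid';
export const nsId = (name: string) => uuid.v5(name, uuid.v5.DNS);
EOF
  printf '%s\n' "$sample_root"
}
```

From a repository root, `advisory_is_unused app && echo "suppression justified"` is the whole gate. A clean result is supporting evidence rather than proof: the patterns do not see uses reached through re-exports, dynamic `import()`, or wrappers with other names, so the suppression should still be revisited when the tracked uuid upgrade lands.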

@github-actions

Contributor

E2E Fixture Validation — Schema is up to date
12 value mismatches detected (expected — fixture represents an existing user).

@joaoloureirop joaoloureirop enabled auto-merge April 22, 2026 23:35

@Cal-L Cal-L left a comment

Contributor


LGTM

@joaoloureirop joaoloureirop added this pull request to the merge queue Apr 22, 2026
Merged via the queue into main with commit dbdf5b0 Apr 22, 2026
114 of 115 checks passed
@joaoloureirop joaoloureirop deleted the fix/ci-audit-xmldom branch April 22, 2026 23:36
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 22, 2026
@metamaskbotv2 metamaskbotv2 Bot added the release-7.75.0 Issue or pull request that will be included in release 7.75.0 label Apr 22, 2026

Labels

release-7.75.0 Issue or pull request that will be included in release 7.75.0 risk:high AI analysis: high risk size-XS team-mobile-platform Mobile Platform team


2 participants