Skip to content

fix(deps): migrate vendored dav lib from xmldom to @xmldom/xmldom#775

Merged
phil-davis merged 1 commit into
masterfrom
fix/xmldom-security-migration
Jul 6, 2026
Merged

fix(deps): migrate vendored dav lib from xmldom to @xmldom/xmldom#775
phil-davis merged 1 commit into
masterfrom
fix/xmldom-security-migration

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

What

Migrate the vendored WebDAV/CalDAV/CardDAV client (js/dav) from the abandoned
xmldom package to its maintained successor @xmldom/xmldom (^0.8.13).

Why

[email protected] carries 1 critical + 5 high Dependabot advisories on the
runtime dependency, all with no patch available on the xmldom line
(vulnerable range <= 0.6.0, first_patched_version: none). The project was
renamed to @xmldom/xmldom, where these are fixed. This clears the runtime
security alerts blocking the app for the ownCloud 11 release.

Changes

  • js/dav/lib/parser.jsrequire('@xmldom/xmldom') instead of 'xmldom'.
    The only usage is new DOMParser().parseFromString(str, 'text/xml'), whose
    API is identical across both packages.
  • js/dav/package.json — swap the dependency (@xmldom/xmldom ^0.8.13).
  • js/dav/lib/debug.js — export via module.exports (was export default)
    so the module resolves under a modern bundler. Behaviour is unchanged
    (debug(topic)(message)); all seven require('./debug') call sites and the
    one import debug from './debug' continue to work.
  • js/dav/dav.js — regenerated browser bundle.

Note on the bundle rebuild

dav.js is a prebuilt browser bundle. The original toolchain
(browserify@11 / babel@5, ~2015) no longer installs on current npm, so the
bundle was rebuilt with esbuild (IIFE, global dav, browser platform).

Verification performed:

  • The exported dav API is identical to the previous bundle — 36 exports,
    version 1.8.0 (diffed programmatically).
  • @xmldom/xmldom round-trips a CalDAV/CardDAV multistatus document through
    the parser.js code path.
  • No require('xmldom') remains in the shipped bundle.

The large dav.js diff is entirely the regenerated bundle; the reviewable
change is the three source files above.

The vendored WebDAV/CalDAV/CardDAV client under js/dav bundled the
abandoned `xmldom` package (0.1.x), which carries a critical and several
high-severity advisories with no fix available on that release line
(vulnerable range <= 0.6.0, patched: none). The package was renamed to
`@xmldom/xmldom`; migrate to it (^0.8.13) to clear the advisories.

Changes:
- js/dav/lib/parser.js: require('@xmldom/xmldom') instead of 'xmldom'.
  The DOMParser().parseFromString(str, 'text/xml') API is unchanged.
- js/dav/package.json: swap the dependency.
- js/dav/lib/debug.js: export via module.exports so the mixed ESM/CJS
  sources bundle cleanly under a modern bundler (the original
  browserify 11 / babel 5 toolchain no longer installs). No behaviour
  change — debug(topic)(message) is preserved.
- js/dav/dav.js: regenerated browser bundle. Rebuilt with esbuild;
  the exported `dav` API surface is byte-verified identical to the
  previous bundle (36 exports, version 1.8.0) and the parser round-trips
  a CalDAV/CardDAV multistatus document.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Signed-off-by: Thomas Müller <[email protected]>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 6, 2026 21:22
@phil-davis phil-davis merged commit 0d133ae into master Jul 6, 2026
10 checks passed
@phil-davis phil-davis deleted the fix/xmldom-security-migration branch July 6, 2026 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants