build(deps): bump @xmldom/xmldom from 0.8.12 to 0.8.13 in /build_scripts/npm_macos #20831

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/npm_and_yarn/build_scripts/npm_macos/xmldom/xmldom-0.8.13

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps @xmldom/xmldom from 0.8.12 to 0.8.13.

Release notes

Sourced from @xmldom/xmldom's releases.

0.8.13

Commits

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

Changelog

Sourced from @xmldom/xmldom's changelog.

0.8.13

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.9.9

Added

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

  • updated dependencies

Thank you, @stevenobiajulu, @yoshi389111, @thesmartshadow, for your contributions

Commits
  • e5c1480 0.8.13
  • 9611e20 style: drop unused import in test file
  • dc4dff3 docs: add 0.8.13 changelog entry
  • 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
  • aeff69f test: add normalize behavioral coverage to node.test.js
  • cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
  • 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
  • c007c51 refactor: migrate serializeToString to walkDOM
  • 2bb3899 test: add serializeToString coverage for uncovered branches
  • e69f38d refactor: migrate importNode to walkDOM
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk lockfile-only dependency bump in build tooling, though it may subtly change XML serialization/traversal behavior for consumers of @xmldom/xmldom in these scripts.

Overview
Updates the macOS build_scripts/npm_macos lockfile to bump @xmldom/xmldom from 0.8.12 to 0.8.13 (updated tarball URL and integrity hashes).

Reviewed by Cursor Bugbot for commit 7d23334. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.12 to 0.8.13.
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.12...0.8.13)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 23, 2026 03:04
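The two 0.8.13 fixes quoted in the release notes above, as an added example that is not xmldom's code and not part of this PR. A minimal serializer over plain-object nodes stands in for the library: the node shapes, the factory helpers (`el`, `comment`, `pi`, `doctype`), the `InvalidStateError` class, the `serializeDoctype` helper and the `demo()` function are all assumptions made for this example. It shows what attacker-controlled comment data does to the output when nothing checks it, the refusal you get with `{ requireWellFormed: true }`, and an explicit-stack walk that serializes a 100,000-deep tree where the recursive shape throws `RangeError`.

```javascript
'use strict';
// Added example, not xmldom's code. Plain-object nodes stand in for the DOM;
// node shapes, helper names and InvalidStateError are assumptions for this demo.
const ELEMENT = 1, PROCESSING_INSTRUCTION = 7, COMMENT = 8, DOCUMENT_TYPE = 10;

// Constructed node factories (only the DOM nodeType numbers are real).
const el = (tagName, childNodes = []) => ({ nodeType: ELEMENT, tagName, childNodes });
const comment = (data) => ({ nodeType: COMMENT, data });
const pi = (target, data) => ({ nodeType: PROCESSING_INSTRUCTION, target, data });
const doctype = (name, publicId = '', systemId = '', internalSubset = '') =>
  ({ nodeType: DOCUMENT_TYPE, name, publicId, systemId, internalSubset });

class InvalidStateError extends Error {
  constructor(message) { super(message); this.name = 'InvalidStateError'; }
}

// PubidChar from XML 1.0 section 2.3 (the literal is always emitted in double quotes here).
const PUBID_LITERAL = /^[ \r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;

// The requireWellFormed checks: a node's data must not contain the sequence
// that closes its own markup, otherwise the data becomes markup on re-parse.
function checkWellFormed(node) {
  switch (node.nodeType) {
    case COMMENT:
      if (node.data.includes('-->')) throw new InvalidStateError('Comment data contains "-->"');
      break;
    case PROCESSING_INSTRUCTION:
      if (node.data.includes('?>')) throw new InvalidStateError('ProcessingInstruction data contains "?>"');
      break;
    case DOCUMENT_TYPE:
      if (!PUBID_LITERAL.test(node.publicId)) throw new InvalidStateError('publicId is not a PubidLiteral');
      // A SystemLiteral is delimited by ' or "; data containing both cannot be quoted at all.
      if (node.systemId.includes('"') && node.systemId.includes("'")) throw new InvalidStateError('systemId is not a SystemLiteral');
      if (node.internalSubset.includes(']>')) throw new InvalidStateError('internalSubset contains "]>"');
      break;
  }
}

function serializeDoctype(n) {
  const q = n.systemId.includes('"') ? "'" : '"';
  let s = `<!DOCTYPE ${n.name}`;
  if (n.publicId) s += ` PUBLIC "${n.publicId}" ${q}${n.systemId}${q}`;
  else if (n.systemId) s += ` SYSTEM ${q}${n.systemId}${q}`;
  if (n.internalSubset) s += ` [${n.internalSubset}]`;
  return s + '>';
}

// Iterative serializer: an explicit stack replaces recursion, so depth is
// bounded by heap rather than by the JS call stack.
function serializeToString(root, { requireWellFormed = false } = {}) {
  const out = [];
  const stack = [root];                 // entries are nodes to open or strings to emit
  while (stack.length) {
    const item = stack.pop();
    if (typeof item === 'string') { out.push(item); continue; }
    if (requireWellFormed) checkWellFormed(item);
    switch (item.nodeType) {
      case ELEMENT:
        out.push(`<${item.tagName}>`);
        stack.push(`</${item.tagName}>`); // closer surfaces after every child is emitted
        for (let i = item.childNodes.length - 1; i >= 0; i--) stack.push(item.childNodes[i]);
        break;
      case COMMENT: out.push(`<!--${item.data}-->`); break;
      case PROCESSING_INSTRUCTION: out.push(`<?${item.target} ${item.data}?>`); break;
      case DOCUMENT_TYPE: out.push(serializeDoctype(item)); break;
    }
  }
  return out.join('');
}

// The pre-fix shape: one JS frame per nesting level, so deep input overflows.
function serializeRecursive(node) {
  if (node.nodeType !== ELEMENT) return serializeToString(node);
  return `<${node.tagName}>${node.childNodes.map(serializeRecursive).join('')}</${node.tagName}>`;
}

// A chain of `depth` nested <d> elements around one <leaf> (constructed input).
function deepTree(depth) {
  let node = el('leaf');
  for (let i = 0; i < depth; i++) node = el('d', [node]);
  return node;
}

// Attacker-controlled comment data (constructed): the "-->" closes the comment
// early and the rest lands in the document as live markup.
const injected = el('root', [comment('x --><evil>payload</evil><!-- ')]);

function demo() {
  const unchecked = serializeToString(injected);
  let refused = null;
  try { serializeToString(injected, { requireWellFormed: true }); } catch (e) { refused = e.name; }
  let recursiveError = null;
  try { serializeRecursive(deepTree(100000)); } catch (e) { recursiveError = e.name; }
  const iterativeLength = serializeToString(deepTree(100000)).length;
  return { unchecked, refused, recursiveError, iterativeLength };
}

console.log(demo());
```

Run it with `node`. Two things carry over to the real library: the check is opt-in, so a consumer that serializes trees built from untrusted data has to pass `{ requireWellFormed: true }` itself (a transitive user such as plist in this PR gets the old output unless it does), and the iterative walk only removes the crash; a hostile document can still be arbitrarily large, so input size limits stay with the caller.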
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how @xmldom/xmldom is used in build_scripts/npm_macos and what the lockfile records for the resolved package.

Verdict: benign

Why this looks safe

  • Package identity — @xmldom/xmldom on registry.npmjs.org is the real scoped package; 0.8.12 → 0.8.13 is a small patch with public release/compare and linked GitHub Security advisories, not a typosquat or mystery version.
  • Lockfile integrity — In build_scripts/npm_macos/package-lock.json, the package is pinned with a normal sha512 integrity field and the expected tarball URL (https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.13.tgz).
  • Usage here — It is transitive (not a direct dependency in package.json); it comes in via the existing Electron/dmg tooling graph, which is typical for XML parsing in those stacks.
  • Malware scanner vs interpretation — Report is warn only with 0 unicode/confusable/IOC hits. The 21 heuristic hits match benign patterns: XML entity escaping (charCodeAt in serializer logic), substring matches on cross-spawn / base64-js dependency names, and --exec in upstream dev scripts — not evidence of obfuscation or exfiltration. The workflow path touch is in upstream xmldom’s repo between tags; that is not the same as this PR changing Chia’s .github/workflows/, and it does not imply the published npm artifact is compromised.

Actionable follow-up (not malware): npm_linux / npm_windows lockfiles still resolve 0.8.12 in your tree; aligning them later avoids platform skew, but that is consistency, not a supply-chain red flag for this bump.

Compatibility Analysis

Tracing where @xmldom/xmldom appears in the repo and whether our code uses APIs changed in 0.8.13.

1) Where it appears

  • build_scripts/npm_macos/package.json does not list @xmldom/xmldom; it only has dmg-license and electron-builder.
  • build_scripts/npm_macos/package-lock.json resolves @xmldom/xmldom → 0.8.13 under node_modules/@xmldom/xmldom.
  • It is transitive from plist@3.1.0, which declares "@xmldom/xmldom": "^0.8.8" (so 0.8.13 is allowed).
  • plist sits in the electron-builder / packaging dependency graph (same pattern in npm_linux / npm_windows lockfiles).
  • There are no build_scripts/**/*.js|ts hits for xmldom, DOMParser, or XMLSerializer — no first-party usage in that tree.
  • .upstream-dependency/ is a copy of the upstream xmldom repo for review; it is not how the product consumes the npm package.

2) Overlap with 0.8.13 changes

  • requireWellFormed on XMLSerializer.serializeToString (and related) is opt-in. Unless plist (or another dependency) passes { requireWellFormed: true }, you do not get new InvalidStateError behavior from that path.
  • Iterative DOM walks (serialize, normalize, deep cloneNode/importNode, textContent, collection lookups) are implementation changes; they mainly fix stack overflow on pathological depth (GHSA-2v35-w6hq-6mfw). Typical plist/XML from tooling is not an obvious regression source here.
  • Conclusion: Chia does not call these APIs directly; plist’s parse/serialize usage might touch DOMParser / XMLSerializer, but the documented 0.8.13 deltas are backward-compatible by default (new optional behavior + safer traversal).

3) Risks / unknowns

  • Transitive behavior: If a dependency relied on undocumented quirks of recursive traversal or on malformed XML that used to serialize “successfully,” behavior could differ in edge cases — low probability for normal plist/build usage.
  • Platform skew: npm_linux and npm_windows lockfiles still resolve 0.8.12 (per your tree). This PR only updates macOS; other build images stay on the older patch until lockfiles are refreshed there — supply-chain / advisory consistency caveat, not a functional blocker for this PR.
  • CI: Packaging paths that run npm ci under build_scripts/npm_macos should still be green; no code change to validate beyond existing jobs.

4) Recommendation

Merge (treat as merge-with-caveats only if you want to explicitly track: follow up with the same bump in npm_linux / npm_windows for aligned resolution and advisory coverage).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 12
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 189cb78a83e81e1515880988a399e863a8be85ac..e5c14802592685bb872c042c54c3f73758875c85
  • Resolved refs: from=189cb78a83e81e1515880988a399e863a8be85ac to=e5c14802592685bb872c042c54c3f73758875c85
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 21

Top findings

  • lib/dom.js:1562 codepoint_decoder :: (c == '<' && '&lt;') || (c == '>' && '&gt;') || (c == '&' && '&amp;') || (c == '"' && '&quot;') || '&#' + c.charCodeAt() + ';'
  • package.json:38 shell_process_spawn :: "start": "nodemon --watch package.json --watch lib --watch test --exec 'npm --silent run test && npm --silent run lint'",
  • package-lock.json:2986 shell_process_spawn :: "node_modules/cross-spawn": {
  • package-lock.json:2988 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
  • package-lock.json:3186 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:3554 shell_process_spawn :: "cross-spawn": "^7.0.2",
  • package-lock.json:3997 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:7386 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:12188 shell_process_spawn :: "cross-spawn": {
  • package-lock.json:12190 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
  • package-lock.json:12315 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:12576 shell_process_spawn :: "cross-spawn": "^7.0.2",
  • package-lock.json:12853 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:15356 shell_process_spawn :: "cross-spawn": "^7.0.3",
  • package-lock.json:2095 obfuscation_indicator :: "node_modules/base64-js": {
  • package-lock.json:2097 obfuscation_indicator :: "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
  • package-lock.json:2376 obfuscation_indicator :: "base64-js": "^1.3.1",
  • package-lock.json:11585 obfuscation_indicator :: "base64-js": {
  • package-lock.json:11587 obfuscation_indicator :: "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
  • package-lock.json:11754 obfuscation_indicator :: "base64-js": "^1.3.1",

@coveralls-official

Coverage Report for CI Build 24814435060

Coverage decreased (-0.03%) to 91.196%

Details

  • Coverage decreased (-0.03%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 61 coverage regressions across 24 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

61 previously-covered lines in 24 files lost coverage.

Top 10 Files by Coverage Loss

File                                         Lines losing coverage   Coverage
chia/wallet/wallet_node.py                   11                      86.13%
chia/daemon/server.py                        7                       80.62%
chia/_tests/core/server/test_event_loop.py   6                       89.04%
chia/_tests/core/util/test_lockfile.py       4                       88.94%
chia/full_node/full_node.py                  3                       87.59%
chia/simulator/setup_services.py             3                       96.3%
chia/timelord/timelord_launcher.py           3                       70.0%
chia/data_layer/data_layer.py                2                       85.68%
chia/data_layer/data_store.py                2                       95.55%
chia/server/node_discovery.py                2                       83.16%

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107314
Line Coverage: 91.33%
Relevant Branches: 11720
Covered Branches: 10527
Branch Coverage: 89.82%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
