
Known critical vulnerability: xmldom #65

@odungern

Description


Track @xmldom/xmldom vulnerability

Status: 🔴 Known security issue

Context:

  • Saxon-JS (required for XSLT 3.0 transformations) depends on @xmldom/xmldom
  • @xmldom/xmldom has a critical vulnerability with no fix available
  • We need Saxon-JS for ReqIF to PIG transformation at runtime

Tracking:

Alternatives to evaluate:

  • xslt3 (CLI only, not runtime)
  • Pre-compile all XSLT to JavaScript
  • Server-side transformation only
  • Wait for Saxon-JS to migrate to different XML parser

Mitigation in place:

  • Size limits on input files
  • Input validation before parsing
  • Only processing trusted test data
  • Documented in docs/SECURITY.md

Metadata


Assignees

Labels

ci pipeline: Maintain the development environment aka CI pipeline.

Type

No type

Projects

Status

Completed

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
