
chore(deps): bump xmldom and related deps #40270

Merged
ggazzo merged 3 commits into develop from bump-xmldom-and-related-dps on Apr 23, 2026

Conversation

@julio-rocketchat

@julio-rocketchat julio-rocketchat commented Apr 23, 2026

Member

Proposed changes (including videos or screenshots)

Bump dependencies to solve CVEs. Also change apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts to ensure the old behavior is supported and it doesn't break anything.

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-332

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores

    • Updated XML-related dependencies and added resolution overrides to ensure consistent installs.
    • Bumped an internal automation action dependency.
  • Bug Fixes / Compatibility

    • Adjusted SAML decryption handling to remain compatible with the updated XML library versions.

@julio-rocketchat julio-rocketchat requested a review from a team as a code owner April 23, 2026 09:14
@dionisio-bot

dionisio-bot Bot commented Apr 23, 2026

Contributor

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Apr 23, 2026


⚠️ No Changeset found

Latest commit: 9e8770f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@julio-rocketchat julio-rocketchat added this to the 8.5.0 milestone Apr 23, 2026
@coderabbitai

coderabbitai Bot commented Apr 23, 2026

Contributor

Walkthrough

Bump @xmldom/xmldom to ^0.8.13 in a GitHub Action and pin it via root Yarn resolutions; upgrade xml-encryption from ~3.1.0 → ~4.0.0 in the Meteor app; update SAML decryption calls to pass disallowDecryptionWithInsecureAlgorithm: false when decrypting assertions and subject identifiers.

Changes

Cohort / File(s): GitHub Action package
  .github/actions/update-version-durability/package.json
  Summary: Update @xmldom/xmldom version constraint from ^0.8.10 → ^0.8.13.

Cohort / File(s): Meteor app package
  apps/meteor/package.json
  Summary: Bump xml-encryption dependency from ~3.1.0 → ~4.0.0.

Cohort / File(s): Root workspace package
  package.json
  Summary: Add Yarn resolutions forcing @xmldom/xmldom@0.8.13 for the xml-crypto and xml-encryption paths; retain the existing @react-aria/toolbar pin.

Cohort / File(s): SAML response parsing
  apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
  Summary: Pass disallowDecryptionWithInsecureAlgorithm: false to the xmlenc.decrypt calls that decrypt EncryptedAssertion → Assertion and EncryptedID → Subject, to allow decryption with insecure algorithms under xml-encryption@~4.0.0.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

suggested_labels: area: authentication

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: bumping xmldom and related dependencies (xml-encryption, xml-crypto) across multiple package.json files and configuration updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • VLN-332: Request failed with status code 401


@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
package.json (1)

78-78: Keep the React Aria resolution out of this XML CVE PR if it is incidental.

Line 78 changes an unrelated package resolution. If this came from install drift, please split/revert it or call out why it is required for this dependency bump.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 78, The change adds an incidental package resolution
entry "@react-aria/toolbar@npm:^3.0.0-nightly.5042" in package.json which is
unrelated to the CVE PR; either remove/revert that resolution line from this PR
or split it into a separate commit/PR with an explicit rationale. Locate the
resolution key string "@react-aria/toolbar@npm:^3.0.0-nightly.5042" in
package.json, revert that single resolution line (or move it to a new branch/PR)
and, if it must remain, add a short note in the PR description explaining why
this resolution is required and how it arose (install drift vs deliberate bump).


📥 Commits

Reviewing files that changed from the base of the PR and between aa6187e and 257882d.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
  • .github/actions/update-version-durability/package.json
  • apps/meteor/package.json
  • package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
📚 Learning: 2026-02-24T19:05:56.710Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Applied to files:

  • package.json
📚 Learning: 2026-02-25T20:10:16.987Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

  • apps/meteor/package.json
🔇 Additional comments (4)
apps/meteor/package.json (2)

166-166: Looks aligned with the xmldom CVE remediation.

The app has direct SAML parser usage of @xmldom/xmldom, so moving the direct dependency to the patched 0.9.x line is appropriate.


309-309: Test xml-encryption@4.0.0 compatibility with SAML providers before merging.

The upgrade to xml-encryption@4.0.0 introduces breaking changes: CBC algorithms (AES-128-CBC, AES-256-CBC) are now marked insecure and blocked by default. The type definitions remain at @types/xml-encryption@1.2.4, which predates these security changes.

The decrypt calls at lines 213 and 354 in Response.ts will fail at runtime if SAML providers send assertions encrypted with CBC modes. Confirm either:

  • SAML providers use AES-256-GCM or other non-CBC algorithms, or
  • Pass disallowDecryptionWithInsecureAlgorithm: false in decrypt options for CBC support
.github/actions/update-version-durability/package.json (1)

19-19: LGTM for the action dependency bump.

The action imports DOMParser as a named export, which matches the documented xmldom usage pattern, and this keeps the workflow dependency aligned with the CVE remediation.

package.json (1)

79-80: The @xmldom/xmldom override is compatible with xml-encryption@4.0.0.

The npm registry confirms that xml-encryption@4.0.0 declares @xmldom/xmldom@^0.8.5 as a dependency. The forced override to 0.8.13 satisfies this range (0.8.5 ≤ 0.8.13 < 0.9.0), so the resolution is correct and no incompatible transitive dependency is masked.

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/package.json`:
- Line 309: The SAML decryption may break because xml-encryption v4.0.0 defaults
disallowDecryptionWithInsecureAlgorithm=true and the decrypt calls in
Response.ts create options with only the private key (see the
xmlenc.decrypt(...) calls that build const options = { key:
this.serviceProviderOptions.privateKey };). Update those decrypt option objects
to include disallowDecryptionWithInsecureAlgorithm: false (or conditionally set
based on a config flag) so AES-128-CBC/AES-256-CBC/3DES-encrypted assertions
from existing IdPs can be decrypted, and document/verify against your deployed
IdPs which algorithms are used.

📥 Commits

Reviewing files that changed from the base of the PR and between 257882d and 85777a2.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • .github/actions/update-version-durability/package.json
  • apps/meteor/package.json
✅ Files skipped from review due to trivial changes (1)
  • .github/actions/update-version-durability/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts`:
- Around line 211-213: Remove the explanatory comment and make the
insecure-decryption toggle configurable: replace the hardcoded
disallowDecryptionWithInsecureAlgorithm: false usage in the Response.ts options
object with a value derived from serviceProviderOptions (e.g., use a new boolean
like allowInsecureDecryptionAlgorithm that defaults to false and invert it for
disallowDecryptionWithInsecureAlgorithm), update the same change where
EncryptedID sets this flag so both locations (the options in Response.ts and the
EncryptedID handling) read the setting from serviceProviderOptions consistently,
and update any code that constructs serviceProviderOptions to accept the new
setting with a secure default.

📥 Commits

Reviewing files that changed from the base of the PR and between 85777a2 and 9e8770f.

📒 Files selected for processing (1)
  • apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
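The two review threads above raise the same practical questions: which of your IdPs still encrypt with CBC (and would therefore be refused by xml-encryption@4's default `disallowDecryptionWithInsecureAlgorithm=true`), and how to drive that flag from a service-provider setting instead of hardcoding `false` at both `xmlenc.decrypt` call sites. The TypeScript below is an added example, not Rocket.Chat's code and not the xml-encryption API itself. It assumes a hypothetical `allowInsecureDecryptionAlgorithm` setting on a `ServiceProviderOptions` shape of my own, scans the XML with a regular expression rather than the xmldom DOM walk the real parser uses, takes the "insecure by default" algorithm list from the review comment (CBC modes and 3DES; confirm it against the installed xml-encryption source), and works on a constructed SAML response rather than a real IdP capture.

```typescript
// Added example (not Rocket.Chat or xml-encryption code). Assumed names:
// allowInsecureDecryptionAlgorithm, ServiceProviderOptions, the regex scan.

// Data-encryption algorithm URIs the review discussion names as refused by
// default in xml-encryption@4. Verify against the installed version.
const INSECURE_DATA_ALGORITHMS: ReadonlyArray<string> = [
	'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
	'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
	'http://www.w3.org/2001/04/xmlenc#tripledes-cbc',
];

interface ServiceProviderOptions {
	privateKey: string;
	// Hypothetical setting. Secure default: unset/false means CBC is refused.
	allowInsecureDecryptionAlgorithm?: boolean;
}

// One builder for the xmlenc.decrypt options object, so the EncryptedAssertion
// and EncryptedID call sites cannot drift apart.
function buildDecryptOptions(sp: ServiceProviderOptions): {
	key: string;
	disallowDecryptionWithInsecureAlgorithm: boolean;
} {
	return {
		key: sp.privateKey,
		disallowDecryptionWithInsecureAlgorithm: !(sp.allowInsecureDecryptionAlgorithm ?? false),
	};
}

type EncryptedElement = 'EncryptedAssertion' | 'EncryptedID';
const ENCRYPTED_ELEMENTS: EncryptedElement[] = ['EncryptedAssertion', 'EncryptedID'];

interface EncryptedBlockInfo {
	element: EncryptedElement;
	dataAlgorithm: string | null;         // xenc:EncryptedData/xenc:EncryptionMethod
	keyTransportAlgorithm: string | null; // ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod
	blockedByDefault: boolean;            // refused by xml-encryption@4 unless opted out
}

// Scan a SAML Response for EncryptedAssertion / EncryptedID blocks and report
// the algorithms each uses. Schema order inside xenc:EncryptedData is
// EncryptionMethod, KeyInfo, CipherData, so the first EncryptionMethod in a
// block is the data cipher and the second (if present) is the key transport.
function inspectEncryptedBlocks(samlResponseXml: string): EncryptedBlockInfo[] {
	const results: EncryptedBlockInfo[] = [];
	for (const element of ENCRYPTED_ELEMENTS) {
		const blockRe = new RegExp(`<(?:\\w+:)?${element}\\b[^>]*>([\\s\\S]*?)</(?:\\w+:)?${element}>`, 'g');
		let block: RegExpExecArray | null;
		while ((block = blockRe.exec(samlResponseXml)) !== null) {
			const methodRe = /<(?:\w+:)?EncryptionMethod\b[^>]*\bAlgorithm="([^"]+)"/g;
			const algorithms: string[] = [];
			let method: RegExpExecArray | null;
			while ((method = methodRe.exec(block[1])) !== null) {
				algorithms.push(method[1]);
			}
			const dataAlgorithm = algorithms.length > 0 ? algorithms[0] : null;
			results.push({
				element,
				dataAlgorithm,
				keyTransportAlgorithm: algorithms.length > 1 ? algorithms[1] : null,
				blockedByDefault: dataAlgorithm !== null && INSECURE_DATA_ALGORITHMS.indexOf(dataAlgorithm) !== -1,
			});
		}
	}
	return results;
}

// Predict, without calling xmlenc.decrypt, whether a block would be rejected
// under the given options.
function wouldBeRejected(info: EncryptedBlockInfo, options: ReturnType<typeof buildDecryptOptions>): boolean {
	return info.blockedByDefault && options.disallowDecryptionWithInsecureAlgorithm;
}

// Constructed sample (not a real IdP capture): an assertion encrypted with
// AES-256-CBC (refused by default after the bump) and a subject identifier
// encrypted with AES-128-GCM (still accepted). CipherValues are placeholders.
const SAMPLE_RESPONSE = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
  <saml:Assertion>
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
          <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>`;

// Report under the secure default; rerun with allowInsecureDecryptionAlgorithm: true
// to see which blocks the opt-out rescues.
const spDefault = buildDecryptOptions({ privateKey: '-----BEGIN PRIVATE KEY-----...' });
for (const info of inspectEncryptedBlocks(SAMPLE_RESPONSE)) {
	const verdict = wouldBeRejected(info, spDefault)
		? 'REJECTED by default: enable the opt-out or move this IdP to an AES-GCM suite'
		: 'ok';
	console.log(`${info.element}: data=${info.dataAlgorithm} keyTransport=${info.keyTransportAlgorithm ?? 'n/a'} -> ${verdict}`);
}
```

Run the scan over responses captured from each configured IdP (SAML tracer output, or the raw response logged at debug level) before deploying the bump; a clean report means the opt-out is unnecessary and the secure default can stay. If any IdP reports a CBC suite, prefer reconfiguring it for AES-GCM over flipping the flag, since the flag re-enables the padding-oracle exposure the library's default exists to prevent.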

@codecov

codecov Bot commented Apr 23, 2026


Codecov Report

❌ Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 69.82%. Comparing base (aa6187e) to head (9e8770f).
⚠️ Report is 1 commits behind head on develop.


@@             Coverage Diff             @@
##           develop   #40270      +/-   ##
===========================================
- Coverage    69.83%   69.82%   -0.02%     
===========================================
  Files         3296     3296              
  Lines       119173   119173              
  Branches     21469    21513      +44     
===========================================
- Hits         83230    83211      -19     
- Misses       32641    32660      +19     
  Partials      3302     3302              
Flag Coverage Δ
e2e 59.76% <ø> (+0.07%) ⬆️
e2e-api 47.07% <ø> (-0.01%) ⬇️
unit 70.53% <50.00%> (-0.08%) ⬇️


@ggazzo ggazzo merged commit a8244d4 into develop Apr 23, 2026
82 of 84 checks passed
@ggazzo ggazzo deleted the bump-xmldom-and-related-dps branch April 23, 2026 13:21
@julio-rocketchat

Member Author

/backport 8.4.1

@dionisio-bot

dionisio-bot Bot commented May 3, 2026

Contributor

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.4.1-40270
git cherry-pick a8244d483846a98186ea8f097404f3bf53f4eecc
// solve the conflict
git push

after that just run /backport 8.4.1 again

@julio-rocketchat

Member Author

/backport 8.4.1

@dionisio-bot

dionisio-bot Bot commented May 3, 2026

Contributor

Pull request #40370 added to Project: "Patch 8.4.1"

@julio-rocketchat

Member Author

/backport 8.3.3

@dionisio-bot

dionisio-bot Bot commented May 4, 2026

Contributor

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.3.3-40270
git cherry-pick a8244d483846a98186ea8f097404f3bf53f4eecc
// solve the conflict
git push

after that just run /backport 8.3.3 again

@julio-rocketchat

Member Author

/backport 8.3.3

@dionisio-bot

dionisio-bot Bot commented May 4, 2026

Contributor

Pull request #40383 added to Project: "Patch 8.3.3"

@julio-rocketchat

Member Author

/backport 8.2.3

@dionisio-bot

dionisio-bot Bot commented May 6, 2026

Contributor

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.2.3-40270
git cherry-pick a8244d483846a98186ea8f097404f3bf53f4eecc
// solve the conflict
git push

after that just run /backport 8.2.3 again

@julio-rocketchat

Member Author

/backport 8.2.3

@dionisio-bot

dionisio-bot Bot commented May 6, 2026

Contributor

Pull request #40428 added to Project: "Patch 8.2.3"
