Fix CG alert 415374: Update webdeployment-common to resolve @xmldom/xmldom 0.8.6 vulnerability#22014

Draft
v-abhishera wants to merge 3 commits into master from users/v-abhishera/fix-cg-415374-xmldom

Conversation

@v-abhishera (Contributor) commented Apr 18, 2026

Context

Fix Component Governance alert 415374 — @xmldom/xmldom 0.8.6 vulnerability (CVE-2026-34601) across all affected tasks.
AB#415374


Task Name

  • AzureWebAppV1
  • AzureSpringCloudV0
  • FileTransformV1 (deprecated)
  • FileTransformV2
  • IISWebAppDeploymentOnMachineGroupV0
  • MysqlDeploymentOnMachineGroupV1 (deprecated)

Description

  • Updated azure-pipelines-tasks-webdeployment-common from ^4.265.0/^4.272.0 to ^4.272.1 across 6 tasks
  • This resolves the @xmldom/xmldom 0.8.6 → 0.8.12 vulnerability (CVE-2026-34601)
  • Fixed pre-existing broken L0 tests in MysqlDeploymentOnMachineGroupV1:
    • Moved static field initialization in MysqlClientL0Tests.ts to run after mocks are set up
    • Added mock for webdeployment-common/packageUtility.js to avoid Node 10 globalThis incompatibility in test runner
    • Fixed incorrect exec mock pattern (wrong server name and command format)

Version bumps:

Task                                  Old Version   New Version
AzureWebAppV1                         1.273.0       1.273.1
AzureSpringCloudV0                    0.273.1       0.273.2
FileTransformV1                       1.264.0       1.273.0
FileTransformV2                       2.270.0       2.273.0
IISWebAppDeploymentOnMachineGroupV0   0.270.0       0.273.0
MysqlDeploymentOnMachineGroupV1       1.266.0       1.274.0

Risk Assessment (Low / Medium / High)

Low — Dependency version bump of an owned common package (webdeployment-common). The xmldom update (0.8.6 → 0.8.12) is a security patch. The archiver upgrade (1.2.0 → 7.0.1) within webdeployment-common uses the same API surface (directory(), pipe(), finalize()). 8 other tasks already on 4.272.1 from PR #21990 with no issues.


Change Behind Feature Flag (Yes / No)

No — dependency version bumps cannot be feature-flagged.


Tech Design / Approach

  • Updated webdeployment-common version constraint in each task's package.json
  • Regenerated package-lock.json via npm install for each task
  • Fixed broken test infrastructure in MysqlDeploymentOnMachineGroupV1

Documentation Changes Required (Yes/No)

No


Unit Tests Added or Updated (Yes / No)

Yes — Fixed pre-existing broken tests in MysqlDeploymentOnMachineGroupV1 (MysqlClientL0Tests.ts, MysqlClientTests.ts).


Additional Testing Performed

  • node make.js build --task <TaskName> — build successful for all 6 tasks
  • node make.js test --task MysqlDeploymentOnMachineGroupV1 --suite L0 — 2/2 tests passing

Logging Added/Updated (Yes/No)

No


Telemetry Added/Updated (Yes/No)

No


Rollback Scenario and Process (Yes/No)

Yes — revert commits to restore previous webdeployment-common versions.


Dependency Impact Assessed and Regression Tested (Yes/No)

Yes — archiver API (directory(), pipe(), finalize()) verified identical between v1 and v7. readable-stream 4.7.0 requires Node >=12, all tasks have Node16+ handlers.


Checklist

  • Related issue linked (if applicable)
  • Task version was bumped — see versioning guide
  • Verified the task behaves as expected

@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

…mldom 0.8.6 vulnerability

Updated azure-pipelines-tasks-webdeployment-common to ^4.272.1 across 5 tasks to resolve CVE-2026-34601 (@xmldom/xmldom 0.8.6 -> 0.8.12).

Affected tasks:
- AzureWebAppV1 (1.273.0 -> 1.273.1)
- AzureSpringCloudV0 (0.273.1 -> 0.273.2)
- FileTransformV2 (2.270.0 -> 2.273.0)
- IISWebAppDeploymentOnMachineGroupV0 (0.270.0 -> 0.273.0)
- FileTransformV1 [deprecated] (1.264.0 -> 1.273.0)
@v-abhishera force-pushed the users/v-abhishera/fix-cg-415374-xmldom branch from 3f9ce1d to feb1c20 on April 19, 2026 07:07
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

- Bump azure-pipelines-tasks-webdeployment-common to version 4.272.1 in package.json
- Increment Minor version to 274 in task.json and task.loc.json
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).
