Fix CVE-2026-41672: Update @xmldom/xmldom 0.8.12 to 0.8.13 (CG Alert 433157) by v-abhishera · Pull Request #22096 · microsoft/azure-pipelines-tasks

v-abhishera · 2026-04-29T10:25:05Z

Summary

Resolves Component Governance alert 433157 (CVE-2026-41672) by upgrading the transitive dependency @xmldom/xmldom from 0.8.12 to 0.8.13 across 8 Release Management pipeline tasks.

Related work item: AB#2381968

Root Cause

The azure-pipelines-tasks-webdeployment-common package at version 4.272.1 included @xmldom/xmldom@0.8.12, which is affected by CVE-2026-41672. Version 4.274.0 of the common package ships with the patched @xmldom/xmldom@0.8.13.

Affected Tasks

Task	New Version
AzureFunctionAppContainerV1	1.274.1
AzureFunctionAppV1	1.274.1
AzureFunctionAppV2	2.274.1
AzureMysqlDeploymentV1 (deprecated)	1.274.1
AzureRmWebAppDeploymentV3 (deprecated)	1.274.1
AzureRmWebAppDeploymentV4	1.274.1
AzureRmWebAppDeploymentV5	1.274.1
AzureWebAppContainerV1	1.274.1

Deprecated tasks received this security-only fix per deprecation policy.

Changes Per Task

package-lock.json — updated resolved version of webdeployment-common (4.272.1 → 4.274.0)
task.json / task.loc.json — version bump (Minor 274, Patch 1)

Testing

L0 tests passing
Verified @xmldom/xmldom@0.8.13 resolved in all task node_modules

…dit fix AB#2381968 Resolve CG alert 433157 by running npm audit fix to upgrade azure-pipelines-tasks-webdeployment-common from 4.272.1 to 4.274.0, which includes @xmldom/xmldom 0.8.13. Affected tasks: - AzureFunctionAppContainerV1 - AzureFunctionAppV1 - AzureFunctionAppV2 - AzureMysqlDeploymentV1 - AzureRmWebAppDeploymentV3 - AzureRmWebAppDeploymentV4 - AzureRmWebAppDeploymentV5 - AzureWebAppContainerV1 All task versions bumped to x.274.1.

azure-pipelines · 2026-04-29T10:25:26Z