Update dependency xmldom

[karfau]

Switching from package xmldom to @xmldom/xmldom, which resolves the security issue present in latest xmldom version 0.6.0:
GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0:
xmldom/xmldom#271

• I used node 12 to run npm install.
• I executed npm run test on my machine without failure
• npm run build:types failed since @xmldom/xmldom ships with types. I will push a separate commit to fix that.
• all other steps of npm run prepublishOnly work fine
• I'm assuming this fixes vulnerability in jsonld #488

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.

Changes in xmldom since 0.6.0

## [0.8.0](https://github.com/xmldom/xmldom/compare/0.7.5...0.8.0)

Fixed

• Normalize all line endings according to XML specs 1.0 and 1.1
  BREAKING CHANGE: Certain combination of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
  • #303 / #307
  • #49, #97, #324 / #314
• XMLSerializer: Preserve whitespace character references #284 / #310
  BREAKING CHANGE: If you relied on the not spec compliant preservation of literal \t, \n or \r in attribute values.
  To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. 	, 
, 
).
• Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309
  BREAKING CHANGE: Use the one provided by the main package export.
• dom: Remove all links as part of removeChild #343 / #355

Chore

• ci: Restore latest tested node version to 16.x #325
• ci: Split test and lint steps into jobs #111 / #304
• Pinned and updated devDependencies

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions

0.7.5

Commits

Fixes:

• Preserve default namespace when serializing #319 / #321
  Thank you @lupestro

0.7.4

Commits

Fixes:

• Restore ability to parse __prototype__ attributes #315
  Thank you @dsimsonOMF

0.7.3

Commits

Fixes:

• Add doctype when parsing from string #277 / #301
• Correct typo in error message #294
  Thank you @rrthomas

Refactor:

• Improve exports & require statements, new main package entry #233

Docs:

• Fix Stryker badge #298
• Fix link to help-wanted issues #299

Chore:

• Execute stryker:dry-run on branches #302
• Fix stryker config #300
• Split test and lint scripts #297
• Switch to stryker dashboard owned by org #292

0.7.2

Commits

Fixes:

• Types: Add index.d.ts to packaged files #288
  Thank you @forty

0.7.1

Commits

Fixes:

• Types: Copy types from DefinitelyTyped #283
  Thank you @kachkaev

Chore:

• package.json: remove author, maintainers, etc. #279

0.7.0

Commits

Due to #271 this version was published as

• unscoped xmldom package to github (git tags 0.7.0 and 0.7.0+unscoped)
• scoped @xmldom/xmldom package to npm (git tag 0.7.0+scoped)
  For more details look at #278

Fixes:

• Security: Misinterpretation of malicious XML input CVE-2021-32796
• Implement Document.getElementsByClassName as specified #213, thank you @ChALkeR
• Inherit namespace prefix from parent when required #268
• Handle whitespace in closing tags #267
• Update DOMImplementation according to recent specs #210
  BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
• No longer serializes any namespaces with an empty URI #244
  (related to #168 released in 0.6.0)
  BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
• Set localName as part of Document.createElement #229, thank you @rrthomas

CI

• We are now additionally running tests against node v16
• Stryker tests on the master branch now run against node v14

Docs

• Describe relations with and between specs: #211, #247

[karfau]

I'm assuming the npm publish of PR only works when a contributor (re)triggers the build.

[bourgeoa]

@karfau
You are right. It does work when I merge.
May be you should have made your PR to a rdflib branch ? I have not implemented the action workflow, If you have anything to propose to resolve that it would be nice.

Thanks for your PR.

[karfau]

@bourgeoa As far as I can see it has to do with the fact that external contributors can not have access to the same secrets as maintainers, otherwise it would be to easy to extract them.

So there is nothing to propose or change about that.
But if the maintainers want to be sure they can rerun the jobs, which gives it access to the secrets.

Thx for landing the PR and happy coding

[karfau]

PS: Since all existing xmldom versions have security issues you might want to evaluate if it's reasonable to deprecate version using that dependency.
It depends on, if the XML can be provided/modified by a potential attacker aka if it has to be treated as insecure user input anywhere.