Replace fast-xml-parser with txml to resolve CVEs

[aaronlippold]

Summary

@mitre/hdf-utilities depends on fast-xml-parser which pulls in fast-xml-builder. Both have active high/moderate CVEs:

• GHSA-5wm8-gmm8-39j9 (high) — fast-xml-builder attribute value bypass
• GHSA-45c6-75p6-83cc (moderate) — fast-xml-builder comment regex bypass

These are the 5th and 6th CVEs for fast-xml-parser in 2025-2026.

Recommendation

Replace fast-xml-parser with txml:

• Zero CVEs
• Zero dependencies
• Smaller bundle size
• Bifrost already uses txml for all XML parsing (CCI, XCCDF) specifically because of these CVEs

The fast-uri transitive CVEs from ajv (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc) are a separate issue but also affect downstream consumers.

Impact

Every project that depends on @mitre/hdf-schema inherits these vulnerabilities in their dependency tree, causing pnpm audit and OSV-Scanner failures in CI.

[aaronlippold]

@claude fix this issue

[aaronlippold]

@copilot fix this issue.

This is a pnpm monorepo. fast-xml-parser has 4 CVEs in 2026 including a critical XSS (CVE-2024-41818). Replace it with txml which has zero CVEs and is already proven in the sibling project @aesirsystems/xccdf-parser.

Changes needed:

1. Find every package in this monorepo that depends on fast-xml-parser — check all package.json files.
2. For each package, replace the fast-xml-parser import and usage with txml. The APIs differ:
   • fast-xml-parser: new XMLParser(options).parse(xml) returns a JS object tree
   • txml: parse(xml) returns a node array. Use txml.simplify() or txml.filter() for traversal.
3. txml is XXE-safe by design (skips DOCTYPE entirely). Remove any XXE mitigation options that were configured for fast-xml-parser.
4. Remove fast-xml-parser from all package.json dependencies. Add txml where needed.
5. Update any tests that reference fast-xml-parser behavior.
6. Run the full test suite to verify no regressions.
7. Verify pnpm audit no longer reports the CVEs.