### Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing.

This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

### Patches

Update to `@xmldom/xmldom@~0.7.7`, `@xmldom/xmldom@~0.8.4` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.4` (dist-tag `next`).

### Workarounds

One of the following approaches might help, depending on your use case:

- Instead of searching for elements in the whole DOM, only search in the `documentElement`.
- Reject a document that has more than 1 `childNode`.

### References

- https://nvd.nist.gov/vuln/detail/CVE-2022-39299
- https://github.com/jindw/xmldom/issues/150

### For more information

If you have any questions or comments about this advisory:

* Email us at security@xmldom.org
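The two workarounds above can be combined into one guard that runs on the parsed tree before any lookup. The following is an added example, not code from the advisory or from xmldom; the helper names `singleRoot`, `findByTag` and `countItems`, the element names, and the plain-object sample trees are assumptions made for illustration. It counts top-level element nodes rather than all child nodes, a refinement assumed here so that a top-level comment does not cause a rejection.

```javascript
// Node type constant from the DOM specification.
const ELEMENT_NODE = 1;

// Return the only top-level element of `doc`; throw if the parser
// produced zero or several root elements.
function singleRoot(doc) {
  const roots = [];
  const kids = doc.childNodes;
  for (let i = 0; i < kids.length; i++) {
    if (kids[i].nodeType === ELEMENT_NODE) roots.push(kids[i]);
  }
  if (roots.length !== 1) {
    throw new Error(`expected 1 root element, found ${roots.length}`);
  }
  return roots[0];
}

// Collect `root` and its descendants whose nodeName equals `name`,
// in document order. Nothing outside `root` is ever visited.
function findByTag(root, name) {
  const hits = [];
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (node.nodeType !== ELEMENT_NODE) continue;
    if (node.nodeName === name) hits.push(node);
    const kids = node.childNodes || [];
    for (let i = kids.length - 1; i >= 0; i--) stack.push(kids[i]);
  }
  return hits;
}

// Constructed stand-ins for parser output (plain objects, not xmldom nodes).
const el = (nodeName, ...childNodes) => ({ nodeType: ELEMENT_NODE, nodeName, childNodes });
const comment = { nodeType: 8, data: ' constructed sample ' };
const wellFormed = { childNodes: [comment, el('order', el('item'), el('item'))] };
const multiRoot = { childNodes: [el('order', el('item')), el('item')] };

// Validate first, then search only inside the validated root.
function countItems(doc) {
  try {
    return findByTag(singleRoot(doc), 'item').length;
  } catch (e) {
    return e.message;
  }
}
```

With a real parser, `doc` would be the value returned by `new DOMParser().parseFromString(xml, 'text/xml')`.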