&TLDR;

We published 0.7.0 to npm as @xmldom/xmldom and will continue to publish updates there.
To get the security update, you have to switch the package you use in your package.json.

"quick post-mortem" by @brodybits

Types from DefinitelyTyped are now included as of @xmldom/xmldom version 0.7.1.

Here are some stats regarding packages transitioning from one package to the other:

• @xmldom/xmldom @ npm
  • 
  • 
  • socket.dev
• xmldom @ npm
  • (more then 2.5 million are for deprecated versions!)
  • 
  • socket.dev

Historical daily/weekly downloads

We are currently not aware of a badge that gives accurate numbers for dependents, data is form the 2025-02-13.
according to npm:

• @xmldom/xmldom: 766
• xmldom: 2412
  according to Github:
• 

Original Summary

To update the library to the newest version including the latest security fix you will have to install to from the github repo or download the artifact from the github release and install it locally.

For details of how to do that and asking questions please use the related discussion

We have filed a ticket at the npm support team addressing the issue.

We will Post updates about the current status here but lock this issue to only allow additions by maintainers, to allow people to subscribe and get informed when something changes.

Quick background from @brodybits

• Original xmldom was published from: https://github.com/jindw/xmldom
• xmldom was hard-forked into the current location and continued to be published as xmldom until 0.6.0, as described in CHANGELOG.md
• Current authors were removed from the xmldom package on npm
• now published as @xmldom/xmldom
• posted quick post-mortem below