feat: harden schema validators (#1396)

<!--🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅

You can expedite processing of your PR by using this template to provide
context
and additional information. Before actually opening a PR please make
sure that it
does NOT fall into any of the following categories

🚫 Spam PRs (accidental or intentional) - these will result in a 30-days
or even
∞ ban from interacting with the project depending on reoccurrence and
severity.

🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only
be merged
if all other typos in the same file are also fixed with the same PR

🚫 If you fail to provide any _Description_ below, your PR will be
considered spam.
If you do not check the _Affirmation_ box below, your PR will not be
merged.

🚫 If you do not check one of the _AI Tool Disclosure_ boxes below, your
PR will
not be merged. If you used AI tools to assist you in writing code, but
fail to
provide the required disclosure, your PR will not be merged.

🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅-->

### Description

<!-- ✍️-->
harden schema validators

Resolves or fixes issue: <!-- ✍️ Add GitHub issue number in format
`#0000` or `none` -->

### AI Tool Disclosure

- [x] My contribution does not include any AI-generated content
- [ ] My contribution includes AI-generated content, as disclosed below:
  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
- LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro
etc.]`
- Prompts: `[Summarize the key prompts or instructions given to the AI
tools]`

### Affirmation

- [x] My code follows the
[CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md)
guidelines

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

HISTORY.md

@@ -68,6 +68,7 @@ All notable changes to this project will be documented in this file.
   * Constructor of `Contrib.License.Factories.LicenseFactory` got an injectable argument `spdxExpressionValidate` for validating SPDX License Expressions ([#1348] via [#1382])  
     Suggested implementation is `spdx-expression-parse`.
   * Pulled SPDX license IDs v1.0-3.28.0 (via [#1395])
+  * Hardened schema validators (via [#1396])
 * Dependencies
   * Dependency `packageurl-js` became a suggested (optional peer-dependency) library ([#1348] via [#1378])  
     You may use it to craft and parse PackageURLs downstream.
@@ -85,6 +86,7 @@ All notable changes to this project will be documented in this file.
 [#1380]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1380
 [#1382]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1382
 [#1395]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1395
+[#1396]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1396
 
 ## 9.5.0 -- 2026-03-02
 

src/_optPlug.node/__jsonValidators/ajv.ts

@@ -27,13 +27,14 @@ import addFormats2019 from 'ajv-formats-draft2019'
 import type { ValidationError } from '../../validation/types'
 import type { Functionality, Validator } from '../jsonValidator'
 
-const ajvOptions: AjvOptions = Object.freeze({
+const ajvOptions: Readonly<AjvOptions> = Object.freeze({
   // no defaults => no data alteration
   useDefaults: false,
   strict: false,
   strictSchema: false,
-  addUsedSchema: false
-})
+  addUsedSchema: false,
+  loadSchema: (uri: string) => { throw new Error(`Remote schemas are disabled: ${uri}`) }
+} satisfies AjvOptions)
 
 /** @internal */
 export default (async function (schemaPath: string, schemaMap: Record<string, string> = {}): Promise<Validator> {

src/_optPlug.node/__xmlValidators/libxmljs2.ts

@@ -34,7 +34,7 @@ const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
   // see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
   noent: false,
   dtdload: false
-})
+} satisfies ParserOptions)
 
 /** @internal */
 export default (async function (schemaPath: string): Promise<Validator> {