chore: fix 22 high CVEs - bump fast-xml-parser to 5.3.6#96
Merged
… expansion) Fixes GHSA-jmr7-xgp7-cmfj (high severity) - fast-xml-parser DoS through entity expansion in DOCTYPE. Bumps override from 5.3.4 to 5.3.6. This resolves all 22 high severity vulnerabilities which were transitive through @aws-sdk/xml-builder and commit-and-tag-version. Remaining: 7 moderate (ajv ReDoS via eslint/serve - known residuals, require breaking changes to fix).
Summary

Bumps the fast-xml-parser override from 5.3.4 → 5.3.6 to fix GHSA-jmr7-xgp7-cmfj (high severity DoS through entity expansion in DOCTYPE).

Vulnerabilities Fixed

- @aws-sdk/xml-builder and commit-and-tag-version depending on fast-xml-parser@5.3.4

Vulnerabilities Remaining (7 moderate)

- eslint and serve — fix requires --force which would downgrade serve to 6.x (breaking). Known residual from PR chore: fix npm audit vulnerabilities #92.
- @eslint-community/eslint-utils, @eslint/js, eslint-config-prettier, eslint-plugin-prettier — all depend on vulnerable ajv transitively.

These are dev-only dependencies and pose no runtime risk.

Test Results

Changes

- package.json: override fast-xml-parser 5.3.4 → 5.3.6
- package-lock.json: updated accordingly
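An override only closes the advisory if it reaches every installed copy of the package, including the nested ones that @aws-sdk/xml-builder and commit-and-tag-version would otherwise pull in under their own node_modules. The script below is an added example, not code from this PR or from the project: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json (the lockfile content is a constructed sample, as are the version numbers other than fast-xml-parser's 5.3.4 and 5.3.6) and reports any copy still below the fixed version.

```javascript
// Added example (not part of the PR): check that an npm override reached every
// copy of a package recorded in package-lock.json.
// Assumes lockfileVersion 2 or 3, where "packages" maps install paths to entries.

// Constructed lockfile fragment: the hoisted copy is already on 5.3.6, but a
// nested copy under @aws-sdk/xml-builder is still on the vulnerable 5.3.4.
const sampleLock = {
  name: "example-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project" },
    "node_modules/fast-xml-parser": { version: "5.3.6" },
    "node_modules/@aws-sdk/xml-builder": { version: "3.0.0" },
    "node_modules/@aws-sdk/xml-builder/node_modules/fast-xml-parser": { version: "5.3.4" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10));
}

// true when version a is greater than or equal to version b
function versionAtLeast(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Every installed copy of `name`, hoisted or nested, with its install path.
// A nested copy always ends in "/node_modules/<name>", so a package whose name
// merely contains `name` as a substring does not match.
function findPackageCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Install paths still below minVersion, i.e. where the override did not take effect.
function copiesBelow(lock, name, minVersion) {
  return findPackageCopies(lock, name)
    .filter((copy) => !versionAtLeast(copy.version, minVersion))
    .map((copy) => copy.path);
}

const staleInSample = copiesBelow(sampleLock, "fast-xml-parser", "5.3.6");
console.log(
  staleInSample.length === 0
    ? "override applied to every copy"
    : "copies still below 5.3.6: " + staleInSample.join(", ")
);
```

On a real checkout, replace sampleLock with JSON.parse(fs.readFileSync("package-lock.json")); an empty result from copiesBelow is the condition under which npm audit should stop reporting the advisory, and npm ls fast-xml-parser gives the same picture interactively.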