From bb2f7557874c7e35de616f6570814bc6f17eb826 Mon Sep 17 00:00:00 2001 From: Charly Gomez Date: Mon, 2 Mar 2026 15:39:55 +0100 Subject: [PATCH] fix: Bump fast-xml-parser to 4.5.4 for CVE-2026-25896 Update lockfile to resolve fast-xml-parser@^4.4.1 (transitive via @langchain/anthropic) to 4.5.4, which patches a critical entity encoding bypass via regex injection in DOCTYPE entity names. Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/1108 Co-Authored-By: Claude Opus 4.6 --- yarn.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/yarn.lock b/yarn.lock index c4b44e29e3fa..66400a56bb13 100644 --- a/yarn.lock +++ b/yarn.lock @@ -17048,9 +17048,9 @@ fast-xml-parser@5.3.6, fast-xml-parser@^5.0.7: strnum "^2.1.2" fast-xml-parser@^4.4.1: - version "4.5.0" - resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz#2882b7d01a6825dfdf909638f2de0256351def37" - integrity sha512-/PlTQCI96+fZMAOLMZK4CWG1ItCbfZ/0jx7UIJFChPNrx7tcEgerUgWbeieCM9MfHInUDyK8DWYZ+YrywDJuTg== + version "4.5.4" + resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.5.4.tgz#64e52ddf1308001893bd225d5b1768840511c797" + integrity sha512-jE8ugADnYOBsu1uaoayVl1tVKAMNOXyjwvv2U6udEA2ORBhDooJDWoGxTkhd4Qn4yh59JVVt/pKXtjPwx9OguQ== dependencies: strnum "^1.0.5" @@ -28013,9 +28013,9 @@ strip-literal@^3.0.0, strip-literal@^3.1.0: js-tokens "^9.0.1" strnum@^1.0.5: - version "1.0.5" - resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.0.5.tgz#5c4e829fe15ad4ff0d20c3db5ac97b73c9b072db" - integrity sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA== + version "1.1.2" + resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.1.2.tgz#57bca4fbaa6f271081715dbc9ed7cee5493e28e4" + integrity sha512-vrN+B7DBIoTTZjnPNewwhx6cBA/H+IS7rfW68n7XxC1y7uoiGQBxaKzqucGUgavX15dJgiGztLJ8vxuEzwqBdA== strnum@^2.1.2: version "2.1.2"