fix(deps): resolve all Dependabot security alerts #235

Merged
kherembourg merged 2 commits into main from fix/dependabot-security-alerts on Apr 28, 2026

Conversation

@kherembourg (Contributor)

Summary

  • Bump fast-xml-parser to 5.7.2 in yarn.lock and test-projects/rn-purchasely-test/package-lock.json (alerts #655, #656 — vulnerable < 5.7.0).
  • Bump @xmldom/xmldom to 0.9.10 in test-projects/expo-purchasely-test/package-lock.json (alerts #651–#654 — high severity, vulnerable >= 0.9.0, < 0.9.10).
  • Tighten the override ranges in both test-projects/*/package.json files so future installs resolve to patched versions.

Test plan

  • yarn lint
  • yarn typecheck
  • yarn test (4 suites, 139 tests)
  • Confirm Dependabot closes alerts #651–#656 after merge

🤖 Generated with Claude Code

- Bump fast-xml-parser to 5.7.2 in yarn.lock and rn-purchasely-test
  (CVE patched in 5.7.0).
- Bump @xmldom/xmldom to 0.9.10 in expo-purchasely-test
  (high-severity advisories patched in 0.9.10).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@greptile-apps (Bot) commented Apr 28, 2026

Greptile Summary

This PR resolves six Dependabot security alerts by bumping fast-xml-parser to 5.7.2 (fixes CVEs affecting < 5.7.0) and @xmldom/xmldom to 0.9.10 (fixes CVEs affecting 0.9.0–0.9.9), and tightens override floors in both test-project package.json files to prevent vulnerable versions from being resolved on future installs.

Confidence Score: 5/5

Safe to merge — pure dependency security fix with no logic changes and correct version floors applied consistently across both test projects.

All changes are targeted dependency bumps resolving known CVEs. The resolved versions (fast-xml-parser 5.7.2, @xmldom/xmldom 0.9.10) satisfy the new override floors, lock files are consistent, and the previously-flagged inconsistency in the expo fast-xml-parser override was already corrected in commit 6043cc2.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| test-projects/expo-purchasely-test/package.json | Tightens @xmldom/xmldom override to >=0.9.10 and fast-xml-parser override to >=5.7.0 — both correct floors to prevent vulnerable resolutions on reinstall. |
| test-projects/rn-purchasely-test/package.json | Tightens fast-xml-parser override from >=4.5.4 to >=5.7.0, matching the expo project and blocking any vulnerable 4.x/5.x-below-5.7.0 resolution. |
| yarn.lock | Bumps fast-xml-parser resolution from 5.6.0 → 5.7.2, with transitive updates to @nodable/entities (1.1.0 → 2.1.0) and fast-xml-builder (1.1.4 → 1.1.5). |
| test-projects/expo-purchasely-test/package-lock.json | Locks @xmldom/xmldom to 0.9.10 (up from 0.9.9), eliminating the high-severity vulnerability window (0.9.0–0.9.9). |
| test-projects/rn-purchasely-test/package-lock.json | Locks fast-xml-parser to 5.7.2 (up from 5.6.0), closing the vulnerability for the RN CLI test project. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm/yarn install] --> B{override floor check}
    B -->|fast-xml-parser| C["floor: >=5.7.0 both projects"]
    B -->|xmldom| D["floor: >=0.9.10 expo only"]
    C --> E["Resolves to 5.7.2 safe"]
    D --> F["Resolves to 0.9.10 safe"]
    E --> G[No CVE]
    F --> G

    subgraph Before
        H["fast-xml-parser >=4.5.4 resolved 5.6.0 CVE"]
        I["xmldom >=0.8.12 resolved 0.9.9 CVE"]
    end

    subgraph After
        E
        F
    end

Reviews (2): Last reviewed commit: "fix(deps): tighten fast-xml-parser overr..."
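The bot summary above rests on one check: every copy of an overridden package that a lock file resolves must satisfy the `>=x.y.z` floor declared in `package.json`, nested copies included. The script below is an added example (not code from this PR or the Purchasely project) that performs that check over a constructed package-lock v2/v3 `packages` map; the lock-file contents and the `findViolations`/`satisfiesFloor` names are assumptions made for illustration.

```javascript
// Added example, not from the PR. Checks resolved versions in a
// package-lock.json against ">=x.y.z" override floors from package.json.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Only the ">=x.y.z" form is handled, which is the shape of the overrides
// this PR tightens (>=5.7.0 and >=0.9.10). Anything else is rejected loudly.
function satisfiesFloor(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return compareVersions(parseVersion(version), parseVersion(m[1])) >= 0;
}

// Walks the lockfileVersion 2/3 "packages" map. Every key that ends in
// node_modules/<name> (scoped and nested paths included) is one resolved
// copy of <name>; each copy must independently satisfy the floor.
function findViolations(pkgJson, lock) {
  const overrides = pkgJson.overrides || {};
  const marker = 'node_modules/';
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // root entry ("") has no node_modules segment
    const name = path.slice(idx + marker.length);
    if (!(name in overrides)) continue;
    if (!satisfiesFloor(entry.version, overrides[name])) {
      violations.push({ path, name, version: entry.version, floor: overrides[name] });
    }
  }
  return violations;
}

// Constructed sample data: one compliant copy, one stale scoped copy, and one
// stale nested copy that a top-level-only check would miss.
const SAMPLE_PACKAGE_JSON = {
  overrides: { 'fast-xml-parser': '>=5.7.0', '@xmldom/xmldom': '>=0.9.10' },
};
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'sample-test-project' },
  'node_modules/fast-xml-parser': { version: '5.7.2' },
  'node_modules/@xmldom/xmldom': { version: '0.9.9' },
  'node_modules/some-dep/node_modules/fast-xml-parser': { version: '5.6.0' },
} };
console.log(JSON.stringify(findViolations(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK), null, 2));
```

Run against real files with `JSON.parse(fs.readFileSync(...))` for both inputs and fail CI when the returned array is non-empty.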

Comment thread test-projects/expo-purchasely-test/package.json Outdated
Align expo-purchasely-test override with rn-purchasely-test (>=5.7.0)
so a fresh install cannot resolve a version below the patched floor
for Dependabot alerts #655/#656.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kherembourg (Contributor, Author)

All 1 finding addressed in 6043cc2:

| # | Finding | Fix |
|---|---|---|
| 1 | Inconsistent fast-xml-parser override leaves expo project vulnerable | Tightened override in test-projects/expo-purchasely-test/package.json from >=4.5.4 to >=5.7.0 to match the rn-purchasely-test floor. |

@kherembourg (Contributor, Author)

@greptileai review

@kherembourg kherembourg merged commit 2c01aaf into main Apr 28, 2026
5 checks passed
@kherembourg kherembourg deleted the fix/dependabot-security-alerts branch April 28, 2026 14:04