Skip to content

chore(deps): update dependency fast-xml-parser to v5.3.8 [security]#2915

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-fast-xml-parser-vulnerability
Open

chore(deps): update dependency fast-xml-parser to v5.3.8 [security]#2915
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-fast-xml-parser-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 27, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
fast-xml-parser 5.3.65.3.8 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-27942

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input:

[{
    'foo': [
        { 'bar': [{ '@​_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content.
What kind of vulnerability is it? Who is impacted?

Patches

Yes, in 5.3.8 and 4.5.4.

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

v5.3.7: CJS typing fix

Compare Source

What's Changed

New Contributors

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from e54618d to 24d0f0c Compare March 2, 2026 00:45
@renovate renovate bot changed the title chore(deps): update dependency fast-xml-parser to v5.3.8 [security] chore(deps): update dependency fast-xml-parser to v5.3.8 [security] - autoclosed Mar 2, 2026
@renovate renovate bot closed this Mar 2, 2026
@renovate renovate bot deleted the renovate/npm-fast-xml-parser-vulnerability branch March 2, 2026 17:14
@renovate renovate bot changed the title chore(deps): update dependency fast-xml-parser to v5.3.8 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5.3.8 [security] Mar 2, 2026
@renovate renovate bot reopened this Mar 2, 2026
@renovate renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 3 times, most recently from e0b7c41 to a11bbfa Compare March 2, 2026 21:47
bradenmacdonald
bradenmacdonald approved these changes Mar 2, 2026
View reviewed changes
Copy link
Contributor

@bradenmacdonald bradenmacdonald left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test with problem editor looks good.

@bradenmacdonald bradenmacdonald enabled auto-merge (squash) March 2, 2026 21:48
@renovate renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from a11bbfa to fc162b3 Compare March 5, 2026 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bradenmacdonald bradenmacdonald bradenmacdonald approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bradenmacdonald