fix(deps): update dependency fast-xml-parser to v4 [security] by renovate[bot] · Pull Request #37 · mk2/article-fetcher

renovate · 2023-06-06T20:54:36Z

This PR contains the following updates:

Package	Change	Age	Confidence
fast-xml-parser	`3.18.0` → `4.1.2`

GitHub Vulnerability Alerts

CVE-2023-26920

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

Generating different combined, parser only, builder only, validator only browser bundles
Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

fix Validator bug when an attribute has no value but '=' only
XML Builder should suppress unpaired tags by default.
documents update for missing features
refactoring to use Object.assign
refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

Support PI Tags processing
Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

Support HTML document parsing
skip stop nodes parsing when building the XML from JS object
Support external entites without DOCTYPE
update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

support global stopNodes expression like "*.stop"
support self-closing and paired unpaired tags
fix: CDATA should not be parsed.
Fix typings for XMLBuilder (#396)(By Anders Emil Salvesen)
supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

rename attrMap to attibutes in parser output when preserveOrder:true
supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

Parser returns an array now
- to make the structure common
- and to return root level detail
renamed cdataTagName to cdataPropName
Added commentPropName
fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

Name change of many configuration properties.
- attrNodeName to attributesGroupName
- attrValueProcessor to attributeValueProcessor
- parseNodeValue to parseTagValue
- ignoreNameSpace to removeNSPrefix
- numParseOptions to numberParseOptions
- spelling correction for suppressEmptyNode
Name change of cli and browser bundle to fxparser
isArray option is added to parse a tag into array
preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
j2xparser is renamed to XMLBuilder.
You need to build XML parser instance for given options first before parsing XML.
fix #327, #336: throw error when extra text after XML content
fix #330: attribute value can have '\n',
fix #350: attributes can be separated by '\n' from tagname

`v3.21.1`

Compare Source

`v3.21.0`

Compare Source

`v3.20.3`

Compare Source

`v3.20.0`

Compare Source

`v3.19.0`

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2023-06-06T20:54:37Z

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 508ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: fast-xml-parser@npm:4.1.2: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:154:30)
    at PassThrough.emit (node:events:518:28)
    at emitCloseNT (node:internal/streams/destroy:147:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:81:21)
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: strnum@npm:1.0.5: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:154:30)
    at PassThrough.emit (node:events:518:28)
    at emitCloseNT (node:internal/streams/destroy:147:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:81:21)
➤ YN0013: │ 783 packages were already cached, 2 had to be fetched
➤ YN0000: └ Completed in 1s 543ms
➤ YN0000: Failed with errors in 2s 58ms

renovate · 2024-07-29T18:45:33Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 412ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: fast-xml-parser@npm:4.1.2: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:166:30)
    at PassThrough.emit (node:events:508:28)
    at emitCloseNT (node:internal/streams/destroy:148:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:89:21)
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: strnum@npm:1.1.2: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:166:30)
    at PassThrough.emit (node:events:508:28)
    at emitCloseNT (node:internal/streams/destroy:148:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:89:21)
➤ YN0013: │ 783 packages were already cached, 2 had to be fetched
➤ YN0000: └ Completed in 0s 868ms
➤ YN0000: Failed with errors in 1s 285ms

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v4 [security]~~ fix(deps): update dependency fast-xml-parser to v4 [security] - autoclosed Dec 9, 2023

renovate bot closed this Dec 9, 2023

renovate bot deleted the renovate/npm-fast-xml-parser-vulnerability branch December 9, 2023 13:51

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v4 [security] - autoclosed~~ fix(deps): update dependency fast-xml-parser to v4 [security] Dec 9, 2023

renovate bot reopened this Dec 9, 2023

renovate bot restored the renovate/npm-fast-xml-parser-vulnerability branch December 9, 2023 16:53

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from de394bc to 53fea4b Compare December 9, 2023 16:54

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 53fea4b to 364605f Compare January 22, 2024 20:28

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v4 [security]~~ fix(deps): update dependency fast-xml-parser to v4 [security] - autoclosed Apr 3, 2024

renovate bot closed this Apr 3, 2024

renovate bot deleted the renovate/npm-fast-xml-parser-vulnerability branch April 3, 2024 13:15

renovate bot restored the renovate/npm-fast-xml-parser-vulnerability branch April 3, 2024 15:36

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v4 [security] - autoclosed~~ fix(deps): update dependency fast-xml-parser to v4 [security] Apr 3, 2024

renovate bot reopened this Apr 3, 2024

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 364605f to 9a71d96 Compare April 3, 2024 15:37

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 9a71d96 to 4ee74ff Compare July 29, 2024 18:45

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 4ee74ff to e044860 Compare October 11, 2024 16:03

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from e044860 to 16d1224 Compare February 28, 2026 17:43

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v4 [security]~~ fix(deps): update dependency fast-xml-parser to v5 [security] Feb 28, 2026

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 16d1224 to 84bd71c Compare March 2, 2026 17:14

renovate bot changed the title ~~fix(deps): update dependency fast-xml-parser to v5 [security]~~ fix(deps): update dependency fast-xml-parser to v4 [security] Mar 2, 2026

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 84bd71c to f4a3a57 Compare March 3, 2026 13:32

fix(deps): update dependency fast-xml-parser to v4 [security]

a171c85

renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from f4a3a57 to a171c85 Compare March 7, 2026 02:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency fast-xml-parser to v4 [security]#37

fix(deps): update dependency fast-xml-parser to v4 [security]#37
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-fast-xml-parser-vulnerability

renovate bot commented Jun 6, 2023 •

edited

Loading

Uh oh!

renovate bot commented Jun 6, 2023 •

edited

Loading

Uh oh!

renovate bot commented Jul 29, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Jun 6, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

v4.0.0: v4

Configuration

Uh oh!

renovate bot commented Jun 6, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠ Artifact update problem

File name: yarn.lock

Uh oh!

renovate bot commented Jul 29, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: yarn.lock

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Jun 6, 2023 •

edited

Loading

`v4.0.0`: v4

renovate bot commented Jun 6, 2023 •

edited

Loading

renovate bot commented Jul 29, 2024 •

edited

Loading