From e770777ecc645439956e52c29ff6205f0c8185a0 Mon Sep 17 00:00:00 2001
From: notgitika
Date: Tue, 17 Feb 2026 18:22:28 -0500
Subject: [PATCH] fix: override fast-xml-parser to 5.3.6 for CVE-2026-26278
---
 package-lock.json | 12 +++++++-----
 package.json | 6 ++++++
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 3eddc8ac..edbb75e8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8817,9 +8817,9 @@
 "license": "BSD-3-Clause"
 },
 "node_modules/fast-xml-parser": {
- "version": "5.3.4",
- "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.4.tgz",
- "integrity": "sha512-EFd6afGmXlCx8H8WTZHhAoDaWaGyuIBoZJ2mknrNxug+aZKjkp0a0dlars9Izl+jF+7Gu1/5f/2h68cQpe0IiA==",
+ "version": "5.3.6",
+ "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
+ "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
 "funding": [
 {
 "type": "github",
@@ -8828,7 +8828,7 @@
 ],
 "license": "MIT",
 "dependencies": {
- "strnum": "^2.1.0"
+ "strnum": "^2.1.2"
 },
 "bin": {
 "fxparser": "src/cli/cli.js"
@@ -13594,8 +13594,10 @@
 "version": "2.8.2",
 "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
 "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
- "extraneous": true,
+ "dev": true,
 "license": "ISC",
+ "optional": true,
+ "peer": true,
 "bin": {
 "yaml": "bin.mjs"
 },
diff --git a/package.json b/package.json
index 061bd82c..15edbcef 100644
--- a/package.json
+++ b/package.json
@@ -120,6 +120,12 @@
 "typescript-eslint": "^8.50.1",
 "vitest": "^4.0.18"
 },
+ "overridesComments": {
+ "fast-xml-parser": "CVE-2026-26278: @aws-sdk/xml-builder pins fast-xml-parser@5.3.4 which is vulnerable to DoS via entity expansion. Remove this override once @aws-sdk/xml-builder updates its pin to >=5.3.6."
+ },
+ "overrides": {
+ "fast-xml-parser": "5.3.6"
+ },
 "engines": {
 "node": ">=20"
 },
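Review bot: The override `"fast-xml-parser": "5.3.6"` is an exact pin applied to the whole dependency tree, so it will hold every consumer at 5.3.6 and silently block any later fast-xml-parser release, including future security fixes, until someone edits package.json by hand, even after @aws-sdk/xml-builder moves its own pin as the comment anticipates. Since the stated reason is only the @aws-sdk/xml-builder pin, npm's nested override form limits the change to that path and a range lets the lockfile advance to newer patched versions: `"overrides": { "@aws-sdk/xml-builder": { "fast-xml-parser": ">=5.3.6" } }`. The `overridesComments` key is not a field npm reads and is simply ignored, which works as a comment carrier, though a `"//"` key is the more widely recognized convention for notes in package.json; whichever is kept, the removal condition in the text is the useful part and should stay next to the override.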