Commit a349b97
Manually complete fast-xml-parser 4.5.3 → 4.5.6 bump (#484)
## Why
Dependabot PR #462 was titled as a fast-xml-parser bump (4.5.3 → 4.5.6) and merged green, but inspection of the merged commit (86fb324) shows the patch did not actually update fast-xml-parser in `pnpm-lock.yaml` — only unrelated transitive deps (`@babel/parser`, `@jridgewell/trace-mapping`, `debug`, `jsesc`) moved. All four `fast-xml-parser@4.5.3` references remained on `main` post-merge.
This appears related to bumperbot bug Shopify/infrasec-bumper#673 — "Bumper handle nested manifests correctly". The infrasec deep-dive (Mar 11, Rune Madsen) flagged the same class of issue with fast-xml-parser specifically.
## What
Reproduces the bump dependabot intended, by running:
```
pnpm update fast-xml-parser --lockfile-only --recursive
```
Result: 5 insertions / 5 deletions in `pnpm-lock.yaml`, all four references updated to 4.5.6 (package definitions + snapshot entries for `@react-native-community/cli-platform-android@19.1.1` and `cli-platform-ios@19.1.1`). No `package.json` change — fast-xml-parser is purely transitive here.
## Context
This unblocks the `multirepo-denylist-check` failure on Shopify/checkout-kit#31, which imports this lockfile verbatim under `react-native/`. Once this merges, that import PR will be re-synced from the new source `main` and the denylist check should clear.
cc @kieran-osgood-shopify @markmur @danielkift1

parent 86fb324
commit a349b97
1 file changed
Lines changed: 5 additions & 5 deletions
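An added example, not part of the commit or the project's code: a lockfile check for the situation the message describes, where a bump merged green but the `fast-xml-parser@4.5.3` references stayed in `pnpm-lock.yaml`. The lockfile text is a constructed sample with placeholder integrity values, and `findRefs` / `staleRefs` are hypothetical helper names.

```javascript
// Constructed sample in pnpm-lock.yaml (v9) layout; integrity values are placeholders.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

packages:

  '@react-native-community/cli-platform-android@19.1.1':
    resolution: {integrity: sha512-PLACEHOLDER}

  fast-xml-parser@4.5.3:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  '@react-native-community/cli-platform-android@19.1.1':
    dependencies:
      fast-xml-parser: 4.5.3

  fast-xml-parser@4.5.3:
    dependencies:
      strnum: 1.1.2
`;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Hypothetical helper: list every reference to `name` in the lockfile text.
function findRefs(lockText, name) {
  const n = escapeRe(name);
  // Entry key under packages:/snapshots:, e.g. "  name@1.2.3:" or "  'name@1.2.3(peer@x)':"
  const keyRe = new RegExp(`^\\s+'?${n}@([^:'(\\s]+)`);
  // Dependency edge inside another entry, e.g. "      name: 1.2.3"
  const depRe = new RegExp(`^\\s+'?${n}'?:\\s+'?([^'(\\s]+)`);
  const refs = [];
  lockText.split('\n').forEach((text, i) => {
    const key = keyRe.exec(text);
    const m = key || depRe.exec(text);
    if (m) refs.push({ line: i + 1, kind: key ? 'entry' : 'dependency', version: m[1] });
  });
  return refs;
}

// Hypothetical helper: references still pinned to anything other than `want`.
function staleRefs(lockText, name, want) {
  return findRefs(lockText, name).filter((r) => r.version !== want);
}

// Gate a bump on the lockfile content, not on the PR title.
for (const r of staleRefs(SAMPLE_LOCK, 'fast-xml-parser', '4.5.6')) {
  console.log(`line ${r.line}: ${r.kind} still at ${r.version}`);
}
```

Run against the real lockfile text after a bump merges, a non-empty `staleRefs` result means the transitive dependency did not actually move.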