Skip to content

fix(security): bump fast-xml-builder + least-privilege workflow permissions#243

Merged
saurabhjain1592 merged 1 commit into
mainfrom
fix/security-fast-xml-builder-and-workflow-perms
Jun 16, 2026
Merged

fix(security): bump fast-xml-builder + least-privilege workflow permissions#243
saurabhjain1592 merged 1 commit into
mainfrom
fix/security-fast-xml-builder-and-workflow-perms

Conversation

@saurabhjain1592

@saurabhjain1592 saurabhjain1592 commented Jun 16, 2026

Copy link
Copy Markdown
Member

Summary

Clears all three open security alerts on this repo (epic getaxonflow/axonflow-enterprise#2711).

Alert Sev What Fix
Dependabot #32 high fast-xml-builder attribute-value quote bypass (patched 1.1.7) lockfile 1.1.5 -> 1.2.0
Dependabot #31 medium fast-xml-builder comment-value regex bypass (patched 1.1.6) lockfile 1.1.5 -> 1.2.0
CodeQL #8 medium actions/missing-workflow-permissions on heartbeat-real-stack.yml top-level permissions: contents: read

fast-xml-builder is a DEV-only transitive dependency -> no republish

Chain: @aws-sdk/client-bedrock-runtime (devDependency) -> @aws-sdk/core -> @aws-sdk/xml-builder -> fast-xml-parser@5.7.2 -> fast-xml-builder. Every node is marked "dev": true in package-lock.json, so it does not ship to consumers of @axonflow/sdk. The lockfile bump requires no npm republish and package.json is intentionally untouched. 1.2.0 satisfies fast-xml-parser's ^1.1.5 constraint.

Workflow permissions

heartbeat-real-stack.yml only checks out the repo and runs tests (no release, artifact-publish, or PR-comment steps), so contents: read is sufficient. The block is kept byte-identical to the axonflow-sdk-java heartbeat fix for canonical coherence.

Tests

  • npm run build green
  • npm test green (32 suites, 964 passed)

Refs getaxonflow/axonflow-enterprise#2711

Transitive dependency disclosure

Bumping fast-xml-builder 1.1.5 -> 1.2.0 changes its declared deps from
{ path-expression-matcher: ^1.1.3 } to { path-expression-matcher: ^1.5.0, xml-naming: ^0.1.0 }
(verified via npm view fast-xml-builder@1.2.0 dependencies). Effect on package-lock.json:

  • xml-naming@0.1.0 is added (new transitive, absent on origin/main). It is a 0.x package; flagged for visibility. Dev-only ("dev": true).
  • path-expression-matcher constraint moves ^1.1.3 -> ^1.5.0, but the resolved version was already 1.5.0 on origin/main (pulled by other dev tooling), so the installed tree does not change for it. Dev-only ("dev": true).

Both are intended upstream transitives of fast-xml-builder@1.2.0 and are dev-only (the whole chain hangs off the @aws-sdk/client-bedrock-runtime devDependency), so there is no consumer or runtime exposure and no npm republish is needed.

…low perms

Clears two Dependabot alerts on the transitive dev dependency
fast-xml-builder (devDependency @aws-sdk/client-bedrock-runtime ->
@aws-sdk/core -> @aws-sdk/xml-builder -> fast-xml-parser ->
fast-xml-builder):
  - #32 (high)   attribute-value quote bypass   (patched 1.1.7)
  - #31 (medium) comment-value regex bypass     (patched 1.1.6)
1.1.5 -> 1.2.0 satisfies fast-xml-parser's ^1.1.5 constraint.

This is a development-only dependency: it does not ship to consumers of
@axonflow/sdk, so the lockfile bump requires NO npm republish. package.json
is intentionally untouched.

Also clears CodeQL #8 (actions/missing-workflow-permissions) by adding a
top-level least-privilege `permissions: contents: read` block to
heartbeat-real-stack.yml (the workflow only checks out the repo and runs
tests). Block is kept identical to the axonflow-sdk-java fix for coherence.

Refs getaxonflow/axonflow-enterprise#2711

Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com>
@saurabhjain1592 saurabhjain1592 merged commit fbf7f48 into main Jun 16, 2026
18 checks passed
@saurabhjain1592 saurabhjain1592 deleted the fix/security-fast-xml-builder-and-workflow-perms branch June 16, 2026 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant