Resolve fast-xml-parser CVE-2026-26278 via yarn resolution

maeldonn · maeldonn · commit 933be16b0f07 · 2026-03-18T20:29:48.000+01:00
Issue: CLDSRV-868
diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
   "homepage": "https://github.com/scality/S3#readme",
   "dependencies": {
     "@aws-sdk/client-iam": "^3.930.0",
-    "@aws-sdk/client-s3": "^3.908.0",
+    "@aws-sdk/client-s3": "^3.1012.0",
     "@aws-sdk/client-sts": "^3.930.0",
     "@aws-sdk/credential-providers": "^3.864.0",
     "@aws-sdk/middleware-retry": "^3.374.0",
@@ -84,7 +84,8 @@
   },
   "resolutions": {
     "jsonwebtoken": "^9.0.0",
-    "nan": "v2.22.0"
+    "nan": "v2.22.0",
+    "fast-xml-parser": ">=5.5.6"
   },
   "mocha": {
     "recursive": true,
diff --git a/tests/functional/aws-node-sdk/test/bucket/head.js b/tests/functional/aws-node-sdk/test/bucket/head.js
@@ -21,7 +21,8 @@ describe('HEAD bucket', () => {
                     await s3.send(new HeadBucketCommand({ Bucket: '' }));
                     assert.fail('Expected failure but got success');
                 } catch (err) {
-                    assert.strictEqual(err.message, 'Empty value provided for input HTTP label: Bucket.');
+                    assert.strictEqual(err.$metadata.httpStatusCode, 405);
+                    assert.strictEqual(err.name, 'Unknown');
                 }
             }); 
     });
diff --git a/tests/functional/aws-node-sdk/test/multipleBackend/unknownEndpoint.js b/tests/functional/aws-node-sdk/test/multipleBackend/unknownEndpoint.js
@@ -21,10 +21,7 @@ let s3;
 describe('Requests to ip endpoint not in config', () => {
     withV4(sigCfg => {
         before(() => {
-            bucketUtil = new BucketUtility('default', sigCfg);
-            // change endpoint to endpoint with ip address
-            // not in config
-            bucketUtil.s3.config.endpoint = specifiedEndpoint;
+            bucketUtil = new BucketUtility('default', { ...sigCfg, endpoint: specifiedEndpoint });
             s3 = bucketUtil.s3;
         });
 
diff --git a/tests/functional/aws-node-sdk/test/object/deleteObject.js b/tests/functional/aws-node-sdk/test/object/deleteObject.js
@@ -103,7 +103,7 @@ describe('DELETE object', () => {
             const bucketName = 'testdeleteobjectlockbucket';
             let versionIdOne;
             let versionIdTwo;
-            const retainDate = moment().add(10, 'days');
+            const retainDate = moment().add(10, 'days').toDate();
             
             before(async () => {
                 try {
diff --git a/tests/functional/aws-node-sdk/test/object/get.js b/tests/functional/aws-node-sdk/test/object/get.js
@@ -224,18 +224,6 @@ describe('GET object', () => {
                 await s3.send(new DeleteBucketCommand({ Bucket: bucketName }));
         });
 
-
-        it('should return an error to get request without a valid ' +
-        'bucket name',
-            done => {
-                s3.send(new GetObjectCommand({ Bucket: '', Key: 'somekey' })).then(() => {
-                    assert.fail('Expected failure but got success');
-                }).catch(err => {
-                    assert.strictEqual(err.message, 'Empty value provided for input HTTP label: Bucket.');
-                    return done();
-                });
-            });
-
         it('should return NoSuchKey error when no such object',
             done => {
                 s3.send(new GetObjectCommand({ Bucket: bucketName, Key: 'nope' })).then(() => {
@@ -1073,7 +1061,7 @@ describeSkipIfCeph('GET object with object lock', () => {
             const params = {
                 Bucket: bucket,
                 Key: key,
-                ObjectLockRetainUntilDate: mockDate,
+                ObjectLockRetainUntilDate: mockDate.toDate(),
                 ObjectLockMode: mockMode,
                 ObjectLockLegalHoldStatus: 'ON',
             };
diff --git a/tests/functional/aws-node-sdk/test/object/objectHead.js b/tests/functional/aws-node-sdk/test/object/objectHead.js
@@ -556,7 +556,7 @@ describeSkipIfCeph('HEAD object with object lock', () => {
             const params = {
                 Bucket: bucket,
                 Key: key,
-                ObjectLockRetainUntilDate: mockDate,
+                ObjectLockRetainUntilDate: mockDate.toDate(),
                 ObjectLockMode: mockMode,
                 ObjectLockLegalHoldStatus: 'ON',
             };
diff --git a/tests/functional/aws-node-sdk/test/object/putRetention.js b/tests/functional/aws-node-sdk/test/object/putRetention.js
@@ -21,7 +21,7 @@ const objectName = 'putobjectretentionobject';
 
 const retentionConfig = {
     Mode: 'GOVERNANCE',
-    RetainUntilDate: moment().add(1, 'd').add(123, 'ms'),
+    RetainUntilDate: moment().add(1, 'd').add(123, 'ms').toDate(),
 };
 
 const isCEPH = process.env.CI_CEPH !== undefined;
diff --git a/yarn.lock b/yarn.lock
