Commit ed6ec1d
fix(security): pin fast-xml-parser to 5.5.8 to unblock S3 release publish (#2096)
* fix(security): pin fast-xml-parser to 5.5.8 to unblock release
5.7.0/5.7.1 introduced a breaking EntityReplacer that rejects '#' in entity names, which breaks @aws-sdk/xml-builder's parser.addEntity('#xD', '\r') call path and fails every S3 response parse done by @electron-forge/publisher-s3.
Upstream tracking: NaturalIntelligence/fast-xml-parser#823 and aws/aws-sdk-js-v3#7949. No patched 5.7.x is available yet, so roll the override back to the last known-good 5.5.8 (the version @aws-sdk/xml-builder itself pins).
Revisit once upstream ships >=5.7.2 with addEntity('#xD', ...) support restored.
* chore(security): ignore GHSA-gh4j-gqv2-49f6 on pinned fast-xml-parser
Pair with the 5.5.8 pin. The advisory only affects XMLBuilder.buildComment / buildCdata when callers pass unescaped user input; this repo does not use those APIs — the AWS SDK only parses responses. Ignore both the GHSA and its CVE alias (CVE-2026-41650) with a reason string so future reviewers see the rollback rationale inline.
1 parent 9e810bc
3 files changed
Lines changed: 29 additions & 12 deletions
[Diff, file 1: context lines 23-25 unchanged; lines 26-48 added (23 new lines). The changed line contents are not rendered on this page.]
[Diff, file 2: context lines 174-176 unchanged; original line 177 removed and replaced by a new line 177; context lines 178-180 unchanged. The changed line contents are not rendered on this page.]