
Commit ed6ec1d

fix(security): pin fast-xml-parser to 5.5.8 to unblock S3 release publish (#2096)
* fix(security): pin fast-xml-parser to 5.5.8 to unblock release

  5.7.0/5.7.1 introduced a breaking EntityReplacer that rejects '#' in entity names, which breaks @aws-sdk/xml-builder's parser.addEntity('#xD', '\r') call path and fails every S3 response parse done by @electron-forge/publisher-s3.

  Upstream tracking: NaturalIntelligence/fast-xml-parser#823 and aws/aws-sdk-js-v3#7949.

  No patched 5.7.x is available yet, so roll the override back to the last known-good 5.5.8 (the version @aws-sdk/xml-builder itself pins). Revisit once upstream ships >=5.7.2 with addEntity('#xD', ...) support restored.

* chore(security): ignore GHSA-gh4j-gqv2-49f6 on pinned fast-xml-parser

  Pair with the 5.5.8 pin. The advisory only affects XMLBuilder.buildComment / buildCdata when callers pass unescaped user input; this repo does not use those APIs — the AWS SDK only parses responses. Ignore both the GHSA and its CVE alias (CVE-2026-41650) with a reason string so future reviewers see the rollback rationale inline.
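The commit relies on the grype ignore being scoped to the exact version that `pnpm.overrides` pins, so the suppression lapses when the pin moves. The following is an added CI-style guard, not code from this commit or project, that checks the two files stay in step; the `checkPin` / `grypeIgnores` names and the embedded sample inputs are constructed for the example.

```javascript
// Added example (not the commit's own code): keep the pnpm override and the
// grype ignore rule for a pinned package in step. An exact-version ignore only
// suppresses the advisory while the override resolves to that same version.

// Constructed inputs mirroring the two files touched by the commit.
const PACKAGE_JSON = JSON.stringify({
  pnpm: { overrides: { 'fast-xml-parser': '5.5.8', hono: '>=4.12.14' } },
});
const GRYPE_YAML = `
ignore:
  - vulnerability: GHSA-gh4j-gqv2-49f6
    package:
      name: fast-xml-parser
      version: 5.5.8
      type: npm
  - vulnerability: CVE-2026-41650
    package:
      name: fast-xml-parser
      version: 5.5.8
      type: npm
`;

// Line-based reader for the flat ignore list above; this layout needs no
// full YAML parser. Returns [{ vulnerability, name, version }, ...].
function grypeIgnores(yaml) {
  const entries = [];
  for (const raw of yaml.split('\n')) {
    const m = raw.trim().match(/^(- )?(vulnerability|name|version):\s*(\S+)$/);
    if (!m) continue;
    if (m[1]) entries.push({ vulnerability: m[3] });
    else if (entries.length) entries[entries.length - 1][m[2]] = m[3];
  }
  return entries;
}

// Lists drift problems for `pkg`; an empty list means the two files agree.
function checkPin(packageJson, yaml, pkg) {
  const problems = [];
  const pin = (JSON.parse(packageJson).pnpm?.overrides ?? {})[pkg];
  const ignores = grypeIgnores(yaml).filter((e) => e.name === pkg);
  if (!ignores.length) return problems; // nothing suppressed, nothing to check
  if (pin === undefined) return [`${pkg}: grype ignore present but no pnpm override`];
  if (!/^\d+\.\d+\.\d+$/.test(pin))
    problems.push(`${pkg}: override "${pin}" is a range; grype ignore is exact-version`);
  for (const e of ignores)
    if (e.version !== pin)
      problems.push(`${e.vulnerability}: ignore scoped to ${e.version}, override is ${pin}`);
  return problems;
}
```

Run it against the real `package.json` and `.grype.yaml` in CI and fail the job when the returned list is non-empty.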
1 parent 9e810bc commit ed6ec1d

3 files changed

Lines changed: 29 additions & 12 deletions


.grype.yaml

Lines changed: 23 additions & 0 deletions
@@ -23,3 +23,26 @@ exclude:
2323
- '**/test-videos/**'
2424
- '**/.vite/**'
2525
- '**/.cache/**'
26+
27+
ignore:
28+
# Scoped to version 5.5.8 so the ignore stops applying automatically as soon
29+
# as the pin in pnpm.overrides is bumped to a non-regressing upstream release.
30+
- vulnerability: GHSA-gh4j-gqv2-49f6
31+
package:
32+
name: fast-xml-parser
33+
version: 5.5.8
34+
type: npm
35+
reason: >-
36+
Pinned to 5.5.8 because 5.7.0/5.7.1 break @aws-sdk/xml-builder
37+
(see https://github.com/NaturalIntelligence/fast-xml-parser/issues/823),
38+
which in turn breaks @electron-forge/publisher-s3 during release.
39+
The advisory only affects XMLBuilder.buildComment / buildCdata with
40+
unescaped user input; this repo does not use those APIs. Revisit once
41+
upstream ships a non-regressing patch (>=5.7.2).
42+
- vulnerability: CVE-2026-41650
43+
package:
44+
name: fast-xml-parser
45+
version: 5.5.8
46+
type: npm
47+
reason: >-
48+
Same advisory as GHSA-gh4j-gqv2-49f6. See note above.
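Review bot: the `version: 5.5.8` scoping on both ignore entries is the right guard, since the suppression lapses the moment the pin in pnpm.overrides moves, but the `reason` justifies the ignore only for the AWS SDK's parse-only use of fast-xml-parser, while the override forces every copy of the package in the lockfile to 5.5.8. Suggest recording in the reason that the other consumers of fast-xml-parser were enumerated (for example with `pnpm why fast-xml-parser`) and that none of them call `XMLBuilder.buildComment` / `buildCdata` with user-controlled input; as written, "this repo does not use those APIs" covers direct use only. Minor: the second entry's `reason` could repeat the upstream issue link so it stands on its own when grype prints it.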

package.json

Lines changed: 1 addition & 1 deletion
@@ -174,7 +174,7 @@
174174
"overrides": {
175175
"@hono/node-server": ">=1.19.13",
176176
"@xmldom/xmldom": ">=0.9.10",
177-
"fast-xml-parser": ">=5.7.0",
177+
"fast-xml-parser": "5.5.8",
178178
"dompurify": ">=3.4.0",
179179
"hono": ">=4.12.14",
180180
"lodash": ">=4.18.0",
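Review bot: replacing the `>=5.7.0` floor with an exact `5.5.8` also drops the open-ended range that let later fixed releases resolve automatically, so this pin now needs a manual bump; please confirm that GHSA-gh4j-gqv2-49f6 was the only reason the `>=5.7.0` floor existed, because the `.grype.yaml` ignore in this commit covers only that advisory and anything else fixed between 5.5.8 and 5.7.0 will now be reported by grype again (which is the desired behaviour, but worth knowing before merging). Suggest adding a short inline comment or a tracking issue next to the `"fast-xml-parser": "5.5.8"` line pointing at NaturalIntelligence/fast-xml-parser#823, so the rollback carries its own revisit condition in the file where the pin lives.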

pnpm-lock.yaml

Lines changed: 5 additions & 11 deletions
Generated file; diff not rendered.

0 commit comments
