
fix(deps): update fast-xml-parser to 5.5.7#1703

Merged
jennifer-shehane merged 1 commit intocypress-io:masterfrom
MikeMcC399:npm-audit-fix
Mar 20, 2026

Conversation


@MikeMcC399 MikeMcC399 commented Mar 20, 2026

Situation

npm audit shows vulnerabilities in transient dependencies:

```
$ npm audit
# npm audit report

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: moderate
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser

flatted  <=3.4.1
Severity: high
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

2 vulnerabilities (1 moderate, 1 high)

To address all issues, run:
  npm audit fix
```

Changes in dependencies in this repo cannot currently be handled by Renovate, since workflows are unable to rebuild the action automatically.

Change

Use npm audit fix to update to:


Note

Medium Risk
Updates bundled third-party parsing code and the generated dist/index.js, which could subtly change runtime behavior despite being a dependency-only security update.

Overview
Updates transitive dependencies to address npm audit findings, bumping fast-xml-parser to 5.5.7 (and strnum) and flatted to 3.4.2 in package-lock.json.

Regenerates the bundled action artifact (dist/index.js) to vendor the updated dependency code, including tightened entity-expansion limit handling and related parsing changes from the upstream libraries.

Written by Cursor Bugbot for commit c38f041. This will update automatically on new commits. Configure here.

Update also transient dependency
flatted to 3.4.2
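
The first advisory in the audit output above describes an entity-expansion limit of zero being bypassed because JavaScript treats 0 as falsy. The block below is an added example, not code from fast-xml-parser or from this PR: it shows that pitfall in a simplified, hypothetical expansion budget, with the vulnerable and fixed resolvers side by side (the option name `maxEntityExpansions`, the default of 1000 and the sample entities are all assumptions).

```javascript
// Added example (not fast-xml-parser's code): a simplified entity-expansion
// budget that shows the falsy-zero pitfall named in GHSA-jp2q-39xq-3w4g.
// The option name `maxEntityExpansions` and its default are hypothetical.

const DEFAULT_MAX_EXPANSIONS = 1000; // assumed default budget

// Vulnerable pattern: `||` treats a configured 0 as "not set", so a caller
// who wants to forbid entity expansion entirely silently gets the default.
function resolveLimitVulnerable(options) {
  return options.maxEntityExpansions || DEFAULT_MAX_EXPANSIONS;
}

// Fixed pattern: only undefined/null fall back to the default; 0 is honoured.
function resolveLimitFixed(options) {
  const v = options.maxEntityExpansions;
  return v === undefined || v === null ? DEFAULT_MAX_EXPANSIONS : v;
}

// Count how many internal-entity expansions a document would trigger and stop
// as soon as the budget is exceeded. Returns { expansions, exceeded }.
function countExpansions(xml, entities, limit) {
  let expansions = 0;
  const work = [xml]; // worklist: each expansion queues its replacement text
  while (work.length) {
    const text = work.pop();
    const re = /&([A-Za-z_][\w.-]*);/g;
    let m;
    while ((m = re.exec(text)) !== null) {
      const name = m[1];
      // own-property check only: never resolve names via the prototype chain
      if (!Object.prototype.hasOwnProperty.call(entities, name)) continue;
      expansions += 1;
      if (expansions > limit) return { expansions, exceeded: true };
      work.push(entities[name]);
    }
  }
  return { expansions, exceeded: false };
}

// Constructed sample: a 4-level chain where each level references the one
// below it twice, giving 1 + 2 + 4 + 8 = 15 expansions in total.
const SAMPLE_ENTITIES = { a: 'x', b: '&a;&a;', c: '&b;&b;', d: '&c;&c;' };
const SAMPLE_XML = '<r>&d;</r>';

// Same input, same "limit of 0" configuration, opposite outcomes.
const strict = countExpansions(SAMPLE_XML, SAMPLE_ENTITIES, resolveLimitFixed({ maxEntityExpansions: 0 }));
const lax = countExpansions(SAMPLE_XML, SAMPLE_ENTITIES, resolveLimitVulnerable({ maxEntityExpansions: 0 }));
console.log(strict); // { expansions: 1, exceeded: true }
console.log(lax); // { expansions: 15, exceeded: false }
```

The same `||`-versus-nullish distinction applies to any security limit that can legitimately be set to 0 (depth, size, count); `??` or an explicit undefined check is the safe form.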
@MikeMcC399 MikeMcC399 added bug Something isn't working type: dependencies labels Mar 20, 2026

@MikeMcC399 MikeMcC399 self-assigned this Mar 20, 2026
@MikeMcC399 MikeMcC399 marked this pull request as ready for review March 20, 2026 06:15
@jennifer-shehane jennifer-shehane merged commit 4c06c48 into cypress-io:master Mar 20, 2026
89 checks passed
@github-actions

🎉 This PR is included in version 7.1.8 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MikeMcC399 MikeMcC399 deleted the npm-audit-fix branch March 20, 2026 14:39