Skip to content
This repository has been archived by the owner on Feb 6, 2024. It is now read-only.

fix(deps): update dependency fast-xml-parser to v4 [security] #526

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 6, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
fast-xml-parser 3.21.1 -> 4.1.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-26920

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7


Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v4.1.2

Compare Source

v4.1.1

Compare Source

v4.1.0

Compare Source

v4.0.15

Compare Source

v4.0.14

Compare Source

v4.0.13

Compare Source

v4.0.12

Compare Source

v4.0.11

Compare Source

v4.0.10

Compare Source

v4.0.9

Compare Source

v4.0.8

Compare Source

v4.0.7

Compare Source

v4.0.6

Compare Source

v4.0.5

Compare Source

v4.0.4

Compare Source

v4.0.3

Compare Source

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0: v4

Compare Source

  • Generating different combined, parser only, builder only, validator only browser bundles
  • Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

  • call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

  • fix Validator bug when an attribute has no value but '=' only
  • XML Builder should suppress unpaired tags by default.
  • documents update for missing features
  • refactoring to use Object.assign
  • refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

  • Support PI Tags processing
  • Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

  • fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

  • Support HTML document parsing
  • skip stop nodes parsing when building the XML from JS object
  • Support external entites without DOCTYPE
  • update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

  • support global stopNodes expression like "*.stop"
  • support self-closing and paired unpaired tags
  • fix: CDATA should not be parsed.
  • Fix typings for XMLBuilder (#​396)(By Anders Emil Salvesen)
  • supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

  • rename attrMap to attibutes in parser output when preserveOrder:true
  • supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

  • Parser returns an array now
    • to make the structure common
    • and to return root level detail
  • renamed cdataTagName to cdataPropName
  • Added commentPropName
  • fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

  • Name change of many configuration properties.
    • attrNodeName to attributesGroupName
    • attrValueProcessor to attributeValueProcessor
    • parseNodeValue to parseTagValue
    • ignoreNameSpace to removeNSPrefix
    • numParseOptions to numberParseOptions
    • spelling correction for suppressEmptyNode
  • Name change of cli and browser bundle to fxparser
  • isArray option is added to parse a tag into array
  • preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
  • Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
  • j2xparser is renamed to XMLBuilder.
  • You need to build XML parser instance for given options first before parsing XML.
  • fix #​327, #​336: throw error when extra text after XML content
  • fix #​330: attribute value can have '\n',
  • fix #​350: attributes can be separated by '\n' from tagname

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the renovatebot label Jun 6, 2023
@renovate renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 426ee07 to 6981b69 Compare September 15, 2023 00:58
@renovate renovate bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 6981b69 to 3201145 Compare January 22, 2024 19:00
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants