Conversation

@yosefrev
@yosefrev yosefrev commented Feb 1, 2026

Fixes GHSA-37qj-frw5-hhjh CVE, which affects versions 4.3.6 through 5.3.3. The vulnerability causes a RangeError when parsing numeric XML entities with out-of-range code points, which affects audit checks.

Fixes #2709

Description

Update fast-xml-parser version to ^5.3.4 because of the CVE above

Impact

What's the impact of this change?
There is a vulnerability in fast-xml-parser when parsing numeric XML entities. I have updated fast-xml-parser from ^4.4.1 to ^5.3.4. This will allow audit checks to succeed.

Testing

Have you added unit and integration tests if necessary? no
Were any tests changed? Are any breaking changes necessary? no

Checklist

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes #2709 🦕

Fixes GHSA-37qj-frw5-hhjh which affects versions 4.3.6 through 5.3.3.
The vulnerability causes a RangeError when parsing numeric XML entities
with out-of-range code points.

Fixes googleapis#2709
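The RangeError described above comes from turning an unvalidated numeric character reference into a string: String.fromCodePoint() throws for any value above U+10FFFF. The following is an added example, not fast-xml-parser's code and not part of this PR, showing a naive decoder beside a hardened one on a constructed sample input.

```javascript
// Added example (not fast-xml-parser's code): why an entity decoder must
// validate the number in "&#NNN;" / "&#xHHHH;" before calling
// String.fromCodePoint(), which throws RangeError above 0x10FFFF.

const NUMERIC_REF = /&#(x[0-9a-fA-F]+|[0-9]+);/g;
const MAX_CODE_POINT = 0x10ffff;

// body is "x1F600" (hex) or "65" (decimal), as captured by NUMERIC_REF.
function parseNumericRef(body) {
  return body[0] === 'x' ? parseInt(body.slice(1), 16) : parseInt(body, 10);
}

// Naive decoder: crashes on an out-of-range reference (kept to show the bug).
function decodeNaive(text) {
  return text.replace(NUMERIC_REF, (_, body) =>
    String.fromCodePoint(parseNumericRef(body)));
}

// Hardened decoder: checks the code point first and leaves anything invalid
// as the literal reference text, so one bad entity cannot abort parsing.
function decodeSafe(text) {
  return text.replace(NUMERIC_REF, (match, body) => {
    const cp = parseNumericRef(body);
    if (!Number.isSafeInteger(cp) || cp > MAX_CODE_POINT) return match;
    return String.fromCodePoint(cp);
  });
}

// Returns true when the decoder aborts with a RangeError on the given text.
function throwsOnDecode(decoder, text) {
  try {
    decoder(text);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Constructed sample: two valid references followed by one above U+10FFFF.
const SAMPLE = '<name>A&#65;&#x1F600;&#x110000;</name>';

module.exports = { decodeNaive, decodeSafe, throwsOnDecode, SAMPLE };
```

Running decodeSafe(SAMPLE) yields the decoded 'A' and emoji while keeping "&#x110000;" verbatim; decodeNaive(SAMPLE) throws.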
@yosefrev yosefrev requested review from a team as code owners February 1, 2026 00:13
@google-cla
google-cla bot commented Feb 1, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@product-auto-label product-auto-label bot added size: xs Pull request size is extra small. api: storage Issues related to the googleapis/nodejs-storage API. labels Feb 1, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 2, 2026
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@chrstrock
What needs to happen to get this merged?

@Pulkit0110 Pulkit0110 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 3, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 3, 2026
@Pulkit0110
Member

> What needs to happen to get this merged?

Currently the samples test and system test are failing. Once these are fixed, you'll be able to merge the PR. We're working on fixing the tests, I'll let you know once the tests are fixed.

Thanks!


Successfully merging this pull request may close these issues.

Security vulnerability with fast-xml-parser dependency
