Backport CVE-2026-25896 fix to 4.x

[yuezk]

Hi,

I see the fix has been shipped in 5.3.5. Is there any plan to backport the fix for CVE-2026-25896 to 4.x?

fast-xml-parser is a transitive dependency of adaptive-expressions package provided by Microsoft. But that package's upstream repo has been archved and there is no supported migration path or replacement package published for this dependency chain. So I cannot report issue there to request them to upgrade fast-xml-parser to 5.x. So, I'm open an issue to try my luck here, do we have any plan on this?

Thanks.

[github-actions]

We're glad you find this project helpful. We'll try to address this issue ASAP. You can vist https://solothought.com to know recent features. Don't forget to star this repo.

[amitguptagwl]

Unfortunately, npm doesn't allow to publish old versions. But if you disable entities in case if you're not using them then it'll not impact you.

[yuezk]

Unfortunately, npm doesn't allow to publish old versions.

Hi @amitguptagwl, I didn't quite get that. As I understand, npm allow publish multiple major versions (e.g., 1.x and 2.x packages) via dist tag. See the expressjs package for example: https://www.npmjs.com/package/express?activeTab=versions. Both 4.x and 5.x are actively maintained.

[amitguptagwl]

let me try. give me some hours

[amitguptagwl]

done. please check

[yuezk]

Thanks @amitguptagwl 👍