
fix(deps): resolve fast-xml-parser stack overflow vulnerability #999

Open
sarayev wants to merge 1 commit into main from fix/dependabot-fast-xml-parser

Conversation

@sarayev (Contributor) commented Mar 6, 2026

Summary

Resolves Dependabot alert for fast-xml-parser stack overflow vulnerability.

Changes

  • Added scoped yarn resolution: "**/@aws-sdk/xml-builder/fast-xml-parser": "5.4.1"
  • @aws-sdk/xml-builder pins an exact older version; resolution overrides it to the patched release

Strategy

Traced via yarn why: @aws-sdk/core → @aws-sdk/xml-builder → fast-xml-parser@5.3.6 (pinned exact). Direct bump not possible — resolution required.

Verification

  • lerna run build
  • lerna run test
  • yarn extract-dependency-licenses
  • Cloud E2E: 29/30 passed (1 failure in cleanup_e2e_resources — infra cleanup, not a real test)

@sarayev sarayev requested a review from a team as a code owner March 6, 2026 15:41
Adds a resolution to upgrade fast-xml-parser from 5.3.6 to 5.3.8
to fix stack overflow in XMLBuilder with preserveOrder (CVE-2026-27942).
Transitive dependency of @aws-sdk/xml-builder.

Resolves Dependabot alert #134.
@sarayev sarayev force-pushed the fix/dependabot-fast-xml-parser branch from 911567f to c67a283 on March 6, 2026 19:28
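An added check, not part of this PR or the project's code, of the kind a reviewer would run after applying such a resolution: it parses a yarn v1 lockfile, collects every resolved fast-xml-parser version, and flags entries still below the version named in the resolution. The 5.4.1 floor comes from the PR description; the lockfile snippet is constructed for the example.

```python
"""Verify that a yarn resolution override actually took effect in yarn.lock."""
import re

# Constructed sample (not the project's lockfile): the first entry keeps the
# exact pin from @aws-sdk/xml-builder as its key but resolves to the patched
# release, as yarn writes it once the resolution applies; the second is a
# stale entry such as a path the "**/@aws-sdk/xml-builder/..." glob would miss.
SAMPLE_LOCK = """\
fast-xml-parser@5.3.6:
  version "5.4.1"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz"
  dependencies:
    strnum "^2.1.0"

fast-xml-parser@^4.4.1:
  version "4.4.1"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.4.1.tgz"
"""

# Top-level key line followed by its indented body (yarn v1 layout).
ENTRY_RE = re.compile(r'^(?P<key>\S[^\n]*?):\n(?P<body>(?:[ \t]+[^\n]*\n?)*)',
                      re.MULTILINE)
VERSION_RE = re.compile(r'^\s+version:?\s+"?([0-9][^"\s]*)"?', re.MULTILINE)


def parse_version(v):
    """Turn '5.4.1' into (5, 4, 1) for ordering; prerelease tags are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def resolved_versions(lock_text, package):
    """Map each lockfile key for `package` to the version yarn resolved."""
    out = {}
    for m in ENTRY_RE.finditer(lock_text):
        # One key may list several ranges: 'pkg@^1.0.0, pkg@^1.2.0:'
        names = [k.strip().strip('"') for k in m.group("key").split(",")]
        if not any(n.rsplit("@", 1)[0] == package for n in names):
            continue
        vm = VERSION_RE.search(m.group("body"))
        if vm:
            out[m.group("key")] = vm.group(1)
    return out


def stale_entries(lock_text, package, minimum):
    """Return lockfile keys whose resolved version is below `minimum`."""
    floor = parse_version(minimum)
    return sorted(k for k, v in resolved_versions(lock_text, package).items()
                  if parse_version(v) < floor)


if __name__ == "__main__":
    print(stale_entries(SAMPLE_LOCK, "fast-xml-parser", "5.4.1"))
```

Run it against the real yarn.lock by reading the file into `lock_text`; an empty result means every occurrence of the package now resolves at or above the patched release.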