Skip to content
This repository was archived by the owner on Mar 3, 2026. It is now read-only.

deps: update fast-xml-parser to 5.3.4 due to security vulnerability#2710

Closed
yosefrev wants to merge 1 commit intogoogleapis:mainfrom
yosefrev:fix/fast-xml-parser-security
Closed

deps: update fast-xml-parser to 5.3.4 due to security vulnerability#2710
yosefrev wants to merge 1 commit intogoogleapis:mainfrom
yosefrev:fix/fast-xml-parser-security

Conversation

@yosefrev
Copy link
Copy Markdown

@yosefrev yosefrev commented Feb 1, 2026

Fixes GHSA-37qj-frw5-hhjh CVE, which affects versions 4.3.6 through 5.3.3. The vulnerability causes a RangeError when parsing numeric XML entities with out-of-range code points, which affects audit checks.

Fixes #2709

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

Description

Update fast-xml-parser version to ^5.3.4 because of the CVE above

Please provide a detailed description for the change.
As much as possible, please try to keep changes separate by purpose. For example, try not to make a one-line bug fix in a feature request, or add an irrelevant README change to a bug fix.

Impact

What's the impact of this change?
There is a vulnerability in fast-xml-parser when parsing numeric XML entities. I have updated fast-xml-parser from ^4.4.1 to ^5.3.4. This will allow audit checks to succeed.

Testing

Have you added unit and integration tests if necessary? no
Were any tests changed? Are any breaking changes necessary? no

Additional Information

Any additional details that we should be aware of?

Checklist

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes #2709 🦕

@yosefrev
deps: update fast-xml-parser to 5.3.4 due to security vulnerability
75805ca 
Fixes GHSA-37qj-frw5-hhjh which affects versions 4.3.6 through 5.3.3.
The vulnerability causes a RangeError when parsing numeric XML entities
with out-of-range code points.

Fixes googleapis#2709
@yosefrev yosefrev requested review from a team February 1, 2026 00:13
@google-cla
Copy link
Copy Markdown

google-cla Bot commented Feb 1, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@product-auto-label product-auto-label Bot added size: xs Pull request size is extra small. api: storage Issues related to the googleapis/nodejs-storage API. labels Feb 1, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 2, 2026
@gcf-owl-bot gcf-owl-bot Bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@ddelgrosso1 ddelgrosso1 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 2, 2026
@chrstrock
Copy link
Copy Markdown

chrstrock commented Feb 2, 2026

What needs to happen to get this merged?

@Pulkit0110 Pulkit0110 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 3, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 3, 2026
@Pulkit0110
Copy link
Copy Markdown

Pulkit0110 commented Feb 3, 2026

What needs to happen to get this merged?

Currently the samples test and system test are failing. Once these are fixed, you'll be able to merge the PR. We're working on fixing the tests, I'll let you know once the tests are fixed.

Thanks!

@poman31 poman31 mentioned this pull request Feb 3, 2026
Closed
@Pulkit0110
Copy link
Copy Markdown

Pulkit0110 commented Feb 5, 2026

#2713 is merged which also had the changes. I think we can close this PR

@yosefrev
Copy link
Copy Markdown
Author

yosefrev commented Feb 5, 2026

Already merged by #2713

@yosefrev yosefrev closed this Feb 5, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

4 more reviewers

@e-oz e-oz e-oz approved these changes

@JohannesNicholas JohannesNicholas JohannesNicholas approved these changes

@garethstaite garethstaite garethstaite approved these changes

@xe69iqjU5D xe69iqjU5D xe69iqjU5D approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Pulkit0110 Pulkit0110

Labels

api: storage Issues related to the googleapis/nodejs-storage API. size: xs Pull request size is extra small.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security vulnerability with fast-xml-parser dependency

9 participants

@yosefrev @chrstrock @Pulkit0110 @e-oz @JohannesNicholas @garethstaite @xe69iqjU5D @yoshi-kokoro @ddelgrosso1