Build(deps): Bump fast-xml-parser from 5.3.6 to 5.4.1 by dependabot[bot] · Pull Request #265 · github/local-action

dependabot · 2026-03-01T00:36:31Z

Bumps fast-xml-parser from 5.3.6 to 5.4.1.

Release notes

Sourced from fast-xml-parser's releases.

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From
import { XMLBuilder } from "fast-xml-parser";
To
import  XMLBuilder  from "fast-xml-builder";
XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

support maxNestedTags

handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)

save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

Unexport X2jOptions at declaration site by @Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

@Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.4.1 / 2026-02-25

fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

migrate to fast-xml-builder

5.3.9 / 2026-02-25

support strictReservedNames

5.3.8 / 2026-02-25

support maxNestedTags

handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)

save use of js properies

5.3.7 / 2026-02-20

fix typings for CJS (By Corentin Girard)

5.3.6 / 2026-02-14

Improve security and performance of entity processing

new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter

fast return when no edtity is present

improvement replacement logic to reduce number of calls

5.3.5 / 2026-02-08

fix: Escape regex char in entity name

update strnum to 2.1.2

add missing exports in CJS typings

5.3.4 / 2026-01-30

fix: handle HTML numeric and hex entities when out of range

5.3.3 / 2025-12-12

fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

fix for import statement for v6

5.3.1 / 2025-11-03

Performance improvement for stopNodes (By Maciek Lamberski)

5.3.0 / 2025-10-03

... (truncated)

Commits

4e7ca80 update release info
36023b4 fix (#785) unpairedTag node should not have tag content
b366026 separate builder
6f333a8 update release info
c3ffbab support strictReservedNames
c692040 update release info
107e34c avoid {} to create an empty object
60835a4 support maxNestedTags
f55657c avoid direct call to hasOwnProperty
c13a961 handle non-array input for XML builder when preserveOrder is true
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.6 to 5.4.1. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.3.6...v5.4.1) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.4.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-03-01T00:39:48Z

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5	0	0	0.22s
✅ JAVASCRIPT	prettier	19	0	0	1.11s
✅ JSON	npm-package-json-lint	yes	no	no	3.51s
✅ JSON	prettier	29	0	0	1.46s
✅ MARKDOWN	markdownlint	10	0	0	1.37s
✅ REPOSITORY	checkov	yes	no	no	32.09s
✅ REPOSITORY	gitleaks	yes	no	no	2.08s
✅ REPOSITORY	git_diff	yes	no	no	0.02s
❌ REPOSITORY	grype	yes	9	no	60.7s
✅ REPOSITORY	secretlint	yes	no	no	1.55s
✅ REPOSITORY	syft	yes	no	no	4.76s
❌ REPOSITORY	trivy	yes	1	no	16.56s
✅ REPOSITORY	trivy-sbom	yes	no	no	5.86s
✅ REPOSITORY	trufflehog	yes	no	no	46.71s
✅ TYPESCRIPT	prettier	108	0	0	4.02s
✅ YAML	prettier	25	0	0	1.2s
✅ YAML	yamllint	25	0	0	0.83s

Detailed Issues

❌ REPOSITORY / grype - 9 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME       INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
minimatch  3.1.2      3.1.3     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch  5.1.6      5.1.7     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch  9.0.5      9.0.6     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch  3.1.2      3.1.3     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (14th)  < 0.1  
minimatch  5.1.6      5.1.8     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (14th)  < 0.1  
minimatch  9.0.5      9.0.7     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (14th)  < 0.1  
minimatch  3.1.2      3.1.4     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (11th)  < 0.1  
minimatch  5.1.6      5.1.8     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (11th)  < 0.1  
minimatch  9.0.5      9.0.7     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (11th)  < 0.1
[0060] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / trivy - 1 error

2026-03-01T00:38:44Z	INFO	[vulndb] Need to update DB
2026-03-01T00:38:44Z	INFO	[vulndb] Downloading vulnerability DB...
2026-03-01T00:38:44Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
13.64 MiB / 86.54 MiB [--------->___________________________________________________] 15.76% ? p/s ?37.92 MiB / 86.54 MiB [-------------------------->__________________________________] 43.82% ? p/s ?68.81 MiB / 86.54 MiB [------------------------------------------------>____________] 79.52% ? p/s ?84.53 MiB / 86.54 MiB [--------------------------------------------->_] 97.68% 118.14 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 118.14 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 118.14 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 110.74 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 110.74 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 110.74 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 103.59 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 103.59 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [--------------------------------------------->] 100.00% 103.59 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 96.91 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 96.91 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 96.91 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 90.66 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 90.66 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 90.66 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 84.81 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 84.81 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 84.81 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 79.34 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 79.34 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 79.34 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 74.22 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 74.22 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 74.22 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 69.43 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 69.43 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 69.43 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 64.95 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 64.95 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [---------------------------------------------->] 100.00% 64.95 MiB p/s ETA 0s86.54 MiB / 86.54 MiB [-------------------------------------------------] 100.00% 13.25 MiB p/s 6.7s2026-03-01T00:38:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-03-01T00:38:51Z	INFO	[vuln] Vulnerability scanning is enabled
2026-03-01T00:38:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-03-01T00:38:51Z	INFO	[checks-client] Need to update the checks bundle
2026-03-01T00:38:51Z	INFO	[checks-client] Downloading the checks bundle...
235.65 KiB / 235.65 KiB [--------------------------------------------------------->] 100.00% ? p/s ?235.65 KiB / 235.65 KiB [----------------------------------------------] 100.00% 12.51 MiB p/s 200ms2026-03-01T00:39:00Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-03-01T00:39:00Z	INFO	Number of language-specific files	num=1
2026-03-01T00:39:00Z	INFO	[npm] Detecting vulnerabilities...
2026-03-01T00:39:00Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │        9        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 9, CRITICAL: 0)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │                      Fixed Version                      │                          Title                           │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ minimatch │ CVE-2026-26996 │ HIGH     │ fixed  │ 3.1.2             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially    │
│           │                │          │        │                   │                                                         │ crafted glob patterns                                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded │
│           │                │          │        │                   │                                                         │ recursive backtracking via crafted...                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic │
│           │                │          │        │                   │                                                         │ backtracking in glob expressions                         │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904               │
│           ├────────────────┤          │        ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-26996 │          │        │ 5.1.6             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially    │
│           │                │          │        │                   │                                                         │ crafted glob patterns                                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded │
│           │                │          │        │                   │                                                         │ recursive backtracking via crafted...                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic │
│           │                │          │        │                   │                                                         │ backtracking in glob expressions                         │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904               │
│           ├────────────────┤          │        ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-26996 │          │        │ 9.0.5             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially    │
│           │                │          │        │                   │                                                         │ crafted glob patterns                                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded │
│           │                │          │        │                   │                                                         │ recursive backtracking via crafted...                    │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903               │
│           ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│           │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic │
│           │                │          │        │                   │                                                         │ backtracking in glob expressions                         │
│           │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904               │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

dependabot bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels Mar 1, 2026

dependabot bot requested a review from ncalteen as a code owner March 1, 2026 00:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build(deps): Bump fast-xml-parser from 5.3.6 to 5.4.1#265

Build(deps): Bump fast-xml-parser from 5.3.6 to 5.4.1#265
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/fast-xml-parser-5.4.1

dependabot bot commented on behalf of github Mar 1, 2026

Uh oh!

github-actions bot commented Mar 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 1, 2026

Separate Builder

Migration

support strictReservedNames

handle non-array input for XML builder && support maxNestedTags

CJS typing fix

What's Changed

New Contributors

Uh oh!

github-actions bot commented Mar 1, 2026

❌MegaLinter analysis: Error

Detailed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants