Build(deps): Bump fast-xml-parser from 5.5.7 to 5.9.3 by dependabot[bot] · Pull Request #296 · github/local-action

dependabot · 2026-06-20T08:39:34Z

Bumps fast-xml-parser from 5.5.7 to 5.9.3.

Release notes

Sourced from fast-xml-parser's releases.

v5.9.3

What's Changed

Harden GitHub Actions workflows by @martincostello in NaturalIntelligence/fast-xml-parser#841

GitHub Actions workflow fixes by @martincostello in NaturalIntelligence/fast-xml-parser#844

New Contributors

@martincostello made their first contribution in NaturalIntelligence/fast-xml-parser#841

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.2...v5.9.3

v5.9.2

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.1...v5.9.2

v5.9.1

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.0...v5.9.1

update strnum, use is-unsafe

update strnum to 2.3.0

you can set hex, binary, enotation, infinity, unicode

validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

update strnum, FXB. Use xml-naming for DOCTYPE

integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)

This will consider xml-version as well. '1.0' is default

update strnum to 2.3.0

You can set octal and binary parsing which is by deault off

update fast-xml-builder to 1.2.0

can sanitize tag names if found invalid

fix format output

fix minor old bugs and update builder

fix: alwaysCreateTextNode should create text node when attributes are present for self closing node

fix stop node expression when ns prefix is removed (found by iruizsalinas)

update XML Builder to 1.1.7

mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

allow numerical external entity for backward compatibility

fix #705: attributesGroupName working with preserveOrder

fix #817: stackoverflow when tag expression is very long

upgrade @nodable/entities and FXB

Use @nodable/entities v2.1.0

breaking changes

single entity scan. You're not allowed to use entity value to form another entity name.

you cant add numeric external entity

entity error message when expantion limit is crossed might change

typings are updated for new options related to process entity

please follow documentation of @nodable/entities for more detail.

performance

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.9.3 / 2026-06-19

update strnum

*5.9.2 / 2026-06-17

dummy release to test changes in github action

*5.9.1 / 2026-06-17

dummy release to test release from github action

*5.9.0 / 2026-06-15

update strnum to 2.3.0

you can set hex, binary, enotation, infinity, unicode

validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

*5.8.0 / 2026-05-12

integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)

This will consider xml-version as well. '1.0' is default

update strnum to 2.3.0

You can set octal and binary parsing which is bydeault off

update fast-xml-builder to 1.2.0

can sanitize tag names if found invalid

fix format output

5.7.3 / 2006-05-05

fix: alwaysCreateTextNode should create text node when attributes are present for self closing node

fix stop node expression when ns prefix is removed (found by iruizsalinas)

update XML Builder to 1.1.7

mark addEntity deprecated

5.7.2 / 2026-04-25

allow numerical external entity for backward compatibility

fix #705: attributesGroupName working with preserveOrder

fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

fix typo in CJS typing file

5.7.0 / 2026-04-17

Use @nodable/entities v2.1.0

breaking changes

single entity scan. You're not allowed to user entity value to form another entity name.

you cant add numeric external entity

entity error message when expantion limit is crossed might change

... (truncated)

Commits

93a09f1 5.9.3
9c1905e update strnum
8d71292 GitHub Actions workflow fixes (#844)
784a044 Harden GitHub Actions workflows (#841)
bf9b81a 5.9.2
232abf5 update publish action for better security
73411fa update checklist
d57e33b 5.9.1
3be603a testing release from Github
b6c41ea Add GitHub Actions workflow for npm publishing
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for fast-xml-parser since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.5.7 to 5.9.3. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.5.7...v5.9.3) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.9.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-06-20T08:43:13Z

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5	0	0	0.13s
❌ ACTION	zizmor	5	1	0	0.37s
❌ JAVASCRIPT	eslint	19	19	0	9.03s
✅ JAVASCRIPT	prettier	19	0	0	0.67s
✅ JSON	npm-package-json-lint	yes	no	no	0.3s
✅ JSON	prettier	29	0	0	0.54s
✅ MARKDOWN	markdownlint	10	0	0	0.65s
✅ REPOSITORY	checkov	yes	no	no	28.6s
✅ REPOSITORY	gitleaks	yes	no	no	1.24s
✅ REPOSITORY	git_diff	yes	no	no	0.01s
❌ REPOSITORY	grype	yes	13	no	56.57s
❌ REPOSITORY	osv-scanner	yes	27	no	2.23s
✅ REPOSITORY	secretlint	yes	no	no	1.1s
✅ REPOSITORY	syft	yes	no	no	3.1s
❌ REPOSITORY	trivy	yes	1	no	15.53s
✅ REPOSITORY	trivy-sbom	yes	no	no	2.68s
✅ REPOSITORY	trufflehog	yes	no	no	17.82s
❌ TYPESCRIPT	eslint	108	26	0	7.74s
✅ TYPESCRIPT	prettier	108	0	0	2.95s
✅ YAML	prettier	25	0	0	0.82s
✅ YAML	yamllint	25	0	0	0.63s

Detailed Issues

❌ JAVASCRIPT / eslint - 19 errors

__fixtures__/javascript-esm/no-import/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/no-import/src/index.js

__fixtures__/javascript-esm/no-import/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/no-import/src/main.js

__fixtures__/javascript-esm/success/post/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/post/index.js

__fixtures__/javascript-esm/success/post/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/post/main.js

__fixtures__/javascript-esm/success/pre/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/pre/index.js

__fixtures__/javascript-esm/success/pre/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/pre/main.js

__fixtures__/javascript-esm/success/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/src/index.js

__fixtures__/javascript-esm/success/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/src/main.js

__fixtures__/javascript/no-export/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-export/src/index.js

__fixtures__/javascript/no-export/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-export/src/main.js

__fixtures__/javascript/no-import/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-import/src/index.js

__fixtures__/javascript/no-import/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-import/src/main.js

__fixtures__/javascript/success/post/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/post/index.js

__fixtures__/javascript/success/post/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/post/main.js

__fixtures__/javascript/success/pre/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/pre/index.js

__fixtures__/javascript/success/pre/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/pre/main.js

__fixtures__/javascript/success/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/src/index.js

__fixtures__/javascript/success/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/src/main.js

bin/local-action.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): bin/local-action.js

✖ 19 problems (19 errors, 0 warnings)

❌ TYPESCRIPT / eslint - 26 errors

has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-export/src/index.ts

__fixtures__/typescript-esm/no-export/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-export/src/main.ts

__fixtures__/typescript-esm/no-import/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-import/src/index.ts

__fixtures__/typescript-esm/no-import/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-import/src/main.ts

__fixtures__/typescript-esm/success/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/post/index.ts

__fixtures__/typescript-esm/success/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/post/main.ts

__fixtures__/typescript-esm/success/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/pre/index.ts

__fixtures__/typescript-esm/success/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/pre/main.ts

__fixtures__/typescript-esm/success/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/src/index.ts

__fixtures__/typescript-esm/success/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/src/main.ts

__fixtures__/typescript-esm/tsconfig-comments/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/tsconfig-comments/src/index.ts

__fixtures__/typescript-esm/tsconfig-comments/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/tsconfig-comments/src/main.ts

__fixtures__/typescript/no-import/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/no-import/src/index.ts

__fixtures__/typescript/no-import/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/no-import/src/main.ts

__fixtures__/typescript/success-yaml/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/post/index.ts

__fixtures__/typescript/success-yaml/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/post/main.ts

__fixtures__/typescript/success-yaml/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/pre/index.ts

__fixtures__/typescript/success-yaml/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/pre/main.ts

__fixtures__/typescript/success-yaml/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/src/index.ts

__fixtures__/typescript/success-yaml/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/src/main.ts

__fixtures__/typescript/success/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/post/index.ts

__fixtures__/typescript/success/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/post/main.ts

__fixtures__/typescript/success/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/pre/index.ts

__fixtures__/typescript/success/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/pre/main.ts

__fixtures__/typescript/success/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/src/index.ts

__fixtures__/typescript/success/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/src/main.ts

✖ 26 problems (26 errors, 0 warnings)

(Truncated to last 6666 characters out of 6769)

❌ REPOSITORY / grype - 13 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME             INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS         RISK   
lodash           4.17.23    4.18.0    npm   GHSA-r5fr-rjxr-66jc  High      1.0% (59th)  0.8    
brace-expansion  1.1.12     1.1.13    npm   GHSA-f886-m6hf-6m8v  Medium    0.4% (34th)  0.2    
brace-expansion  2.0.2      2.0.3     npm   GHSA-f886-m6hf-6m8v  Medium    0.4% (34th)  0.2    
yaml             2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    0.5% (36th)  0.2    
undici           7.24.4     7.28.0    npm   GHSA-vxpw-j846-p89q  High      0.3% (19th)  0.2    
lodash           4.17.23    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    0.3% (21st)  0.2    
undici           7.24.4     7.28.0    npm   GHSA-vmh5-mc38-953g  High      0.2% (9th)   0.1    
undici           7.24.4     7.28.0    npm   GHSA-pr7r-676h-xcf6  Medium    0.2% (13th)  0.1    
undici           7.24.4     7.28.0    npm   GHSA-p88m-4jfj-68fv  Medium    0.2% (10th)  0.1    
undici           7.24.4     7.28.0    npm   GHSA-hm92-r4w5-c3mj  High      0.1% (4th)   0.1    
undici           7.24.4     7.28.0    npm   GHSA-g8m3-5g58-fq7m  Low       0.2% (9th)   < 0.1  
undici           7.24.4     7.28.0    npm   GHSA-35p6-xmwp-9g52  Low       0.2% (7th)   < 0.1  
esbuild          0.27.3     0.28.1    npm   GHSA-g7r4-m6w7-qqqr  Low       N/A          N/A
[0056] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / osv-scanner - 27 errors

Scanning dir .
Starting filesystem walk for root: /
Scanned package-lock.json file and found 614 packages
End status: 121 dirs visited, 384 inodes visited, 1 Extract calls, 30.737697ms elapsed, 30.737877ms wall time

Total 15 packages affected by 27 known vulnerabilities (0 Critical, 9 High, 14 Medium, 4 Low, 0 Unknown) from 1 ecosystem.
27 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+-----------------------+---------+---------------+-------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE               | VERSION | FIXED VERSION | SOURCE            |
+-------------------------------------+------+-----------+-----------------------+---------+---------------+-------------------+
| https://osv.dev/GHSA-4x5r-pxfx-6jf8 | 3.2  | npm       | @babel/core (dev)     | 7.29.0  | 7.29.6        | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion       | 1.1.12  | 1.1.13        | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion       | 2.0.2   | 2.0.3         | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion (dev) | 5.0.2   | 5.0.5         | package-lock.json |
| https://osv.dev/GHSA-jxxr-4gwj-5jf2 | 6.5  | npm       | brace-expansion (dev) | 5.0.2   | 5.0.6         | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion (dev) | 5.0.4   | 5.0.5         | package-lock.json |
| https://osv.dev/GHSA-jxxr-4gwj-5jf2 | 6.5  | npm       | brace-expansion (dev) | 5.0.4   | 5.0.6         | package-lock.json |
| https://osv.dev/GHSA-g7r4-m6w7-qqqr | 2.5  | npm       | esbuild               | 0.27.3  | 0.28.1        | package-lock.json |
| https://osv.dev/GHSA-25h7-pfq9-p65f | 7.5  | npm       | flatted (dev)         | 3.3.3   | 3.4.0         | package-lock.json |
| https://osv.dev/GHSA-rf6f-7fwh-wjgh | 8.9  | npm       | flatted (dev)         | 3.3.3   | 3.4.2         | package-lock.json |
| https://osv.dev/GHSA-h67p-54hq-rp68 | 5.3  | npm       | js-yaml (dev)         | 3.14.2  | 4.2.0         | package-lock.json |
| https://osv.dev/GHSA-h67p-54hq-rp68 | 5.3  | npm       | js-yaml (dev)         | 4.1.1   | 4.2.0         | package-lock.json |
| https://osv.dev/GHSA-f23m-r3pf-42rh | 6.5  | npm       | lodash                | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-r5fr-rjxr-66jc | 8.1  | npm       | lodash                | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)       | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)       | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)       | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)       | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-35p6-xmwp-9g52 | 3.7  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-g8m3-5g58-fq7m | 3.7  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-hm92-r4w5-c3mj | 7.5  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-p88m-4jfj-68fv | 5.9  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-pr7r-676h-xcf6 | 5.9  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-vmh5-mc38-953g | 7.4  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-vxpw-j846-p89q | 7.5  | npm       | undici                | 7.24.4  | 7.28.0        | package-lock.json |
| https://osv.dev/GHSA-w5hq-g745-h8pq | 7.5  | npm       | uuid (dev)            | 8.3.2   | 11.1.1        | package-lock.json |
| https://osv.dev/GHSA-48c2-rrv3-qjmp | 4.3  | npm       | yaml                  | 2.8.2   | 2.8.3         | package-lock.json |
+-------------------------------------+------+-----------+-----------------------+---------+---------------+-------------------+

❌ REPOSITORY / trivy - 1 error

6-4800                    │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-2950       │ MEDIUM   │        │                   │                             │ lodash: Lodash: Prototype pollution allows deletion of       │
│                 │                     │          │        │                   │                             │ built-in prototype properties via array...                   │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-2950                    │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ undici          │ CVE-2026-12151      │ HIGH     │        │ 7.24.4            │ 6.27.0, 7.28.0, 8.5.0       │ undici: undici: Denial of Service due to unbounded memory    │
│                 │                     │          │        │                   │                             │ growth via WebSocket...                                      │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-12151                   │
│                 ├─────────────────────┤          │        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-6734       │          │        │                   │ 7.28.0, 8.2.0               │ undici: undici: Information disclosure and data integrity    │
│                 │                     │          │        │                   │                             │ issues due to incorrect Socks5ProxyAgent...                  │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-6734                    │
│                 ├─────────────────────┤          │        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-9697       │          │        │                   │ 7.28.0, 8.5.0               │ undici: undici: Man-in-the-Middle attack via ignored TLS     │
│                 │                     │          │        │                   │                             │ options with SOCKS5 proxy                                    │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-9697                    │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-9678       │ MEDIUM   │        │                   │                             │ undici: Undici: Information disclosure due to improper       │
│                 │                     │          │        │                   │                             │ cache-control header parsing                                 │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-9678                    │
│                 ├─────────────────────┤          │        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-9679       │          │        │                   │ 6.27.0, 7.28.0, 8.5.0       │ undici: undici vulnerable to HTTP header injection via       │
│                 │                     │          │        │                   │                             │ Set-Cookie percent-decoding                                  │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-9679                    │
│                 ├─────────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-11525      │ LOW      │        │                   │                             │ undici: undici: Weakening of cookie SameSite policy due to   │
│                 │                     │          │        │                   │                             │ incorrect parsing of...                                      │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-11525                   │
│                 ├─────────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-6733       │          │        │                   │                             │ undici: Undici: Response queue poisoning on reused           │
│                 │                     │          │        │                   │                             │ keep-alive sockets can lead to...                            │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-6733                    │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml            │ CVE-2026-33532      │ MEDIUM   │        │ 2.8.2             │ 2.8.3, 1.10.3               │ yaml: yaml: Denial of Service via deeply nested YAML         │
│                 │                     │          │        │                   │                             │ document parsing                                             │
│                 │                     │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33532                   │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.71.2 of Trivy is now available, current version is 0.70.0

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 6666 characters out of 15285)

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/codeql-analysis.yml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

dependabot Bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels Jun 20, 2026

dependabot Bot requested a review from ncalteen as a code owner June 20, 2026 08:39

dependabot Bot mentioned this pull request Jun 20, 2026

Build(deps): Bump fast-xml-parser from 5.5.7 to 5.9.0 #294

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build(deps): Bump fast-xml-parser from 5.5.7 to 5.9.3#296

Build(deps): Bump fast-xml-parser from 5.5.7 to 5.9.3#296
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/fast-xml-parser-5.9.3

dependabot Bot commented on behalf of github Jun 20, 2026

Uh oh!

github-actions Bot commented Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 20, 2026

v5.9.3

What's Changed

New Contributors

v5.9.2

v5.9.1

update strnum, use is-unsafe

update strnum, FXB. Use xml-naming for DOCTYPE

fix minor old bugs and update builder

backward compatibility for numerical external entity, fix #705, #817

upgrade @​nodable/entities and FXB

Uh oh!

github-actions Bot commented Jun 20, 2026

❌MegaLinter analysis: Error

Detailed Issues

Notices

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

upgrade `@nodable/entities` and FXB