ScaleLeap / amazon-mws-api-sdk

A fully typed TypeScript and Node.js Amazon MWS API Unofficial SDK
https://npm.im/@scaleleap/amazon-mws-api-sdk
MIT License

fix(deps): update dependency fast-xml-parser to v4 [security] #526

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| fast-xml-parser | 3.21.1 -> 4.1.2 |

GitHub Vulnerability Alerts

CVE-2023-26920

Impact

As a part of this vulnerability, a user was able to set code using `__proto__` as a tag or attribute name.

```js
// Proof of concept from the advisory: on fast-xml-parser before v4.1.2 the
// tag name "__proto__" is used directly as an object key, so "polluted"
// becomes reachable on the parsed object through the prototype chain.
const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>";

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted); // should return hacked
```

Patches

The problem has been patched in v4.1.2.

Workarounds

Users can check for "proto" in the XML string before passing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7


Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

### [`v4.1.2`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.1...v4.1.2)

### [`v4.1.1`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.0...v4.1.1)

### [`v4.1.0`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.15...v4.1.0)

### [`v4.0.15`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.14...v4.0.15)

### [`v4.0.14`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.13...v4.0.14)

### [`v4.0.13`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.12...v4.0.13)

### [`v4.0.12`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.11...v4.0.12)

### [`v4.0.11`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.10...v4.0.11)

### [`v4.0.10`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.9...v4.0.10)

### [`v4.0.9`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.8...v4.0.9)

### [`v4.0.8`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.7...v4.0.8)

### [`v4.0.7`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.6...v4.0.7)

### [`v4.0.6`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.5...v4.0.6)

### [`v4.0.5`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.4...v4.0.5)

### [`v4.0.4`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.3...v4.0.4)

### [`v4.0.3`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.2...v4.0.3)

### [`v4.0.2`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.1...v4.0.2)

### [`v4.0.1`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.0...v4.0.1)

### [`v4.0.0`](https://togithub.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.0.0): v4

[Compare Source](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v3.21.1...v4.0.0)

- Generating different combined, parser only, builder only, validator only browser bundles
- Keeping cjs modules as they can be imported in both cjs and esm modules. Otherwise refer to the `esm` branch.

**4.0.0-beta.8 / 2021-12-13**

- call tagValueProcessor for stop nodes

**4.0.0-beta.7 / 2021-12-09**

- fix Validator bug when an attribute has no value but '=' only
- XML Builder should suppress unpaired tags by default.
- documents update for missing features
- refactoring to use Object.assign
- refactoring to remove repeated code

**4.0.0-beta.6 / 2021-12-05**

- Support PI Tags processing
- Support `suppressBooleanAttributes` by XML Builder for attributes with value `true`.

**4.0.0-beta.5 / 2021-12-04**

- fix: when a tag with name "attributes"

**4.0.0-beta.4 / 2021-12-02**

- Support HTML document parsing
- skip stop nodes parsing when building the XML from JS object
- Support external entities without DOCTYPE
- update dev dependency: strnum v1.0.5 to fix long number issue

**4.0.0-beta.3 / 2021-11-30**

- support global stopNodes expression like "\*.stop"
- support self-closing and paired unpaired tags
- fix: CDATA should not be parsed.
- Fix typings for XMLBuilder ([#396](https://togithub.com/NaturalIntelligence/fast-xml-parser/issues/396)) (By [Anders Emil Salvesen](https://togithub.com/andersem))
- supports XML entities, HTML entities, DOCTYPE entities

**⚠️ 4.0.0-beta.2 / 2021-11-19**

- rename `attrMap` to `attributes` in parser output when `preserveOrder:true`
- supports unpairedTags

**⚠️ 4.0.0-beta.1 / 2021-11-18**

- Parser returns an array now, to make the structure common and to return root level detail
- renamed `cdataTagName` to `cdataPropName`
- Added `commentPropName`
- fix typings

**⚠️ 4.0.0-beta.0 / 2021-11-16**

- Name change of many configuration properties:
  - `attrNodeName` to `attributesGroupName`
  - `attrValueProcessor` to `attributeValueProcessor`
  - `parseNodeValue` to `parseTagValue`
  - `ignoreNameSpace` to `removeNSPrefix`
  - `numParseOptions` to `numberParseOptions`
  - spelling correction for `suppressEmptyNode`
- Name change of cli and browser bundle to **fxparser**
- `isArray` option is added to parse a tag into array
- `preserveOrder` option is added to render XML in such a way that the resulting js Object maintains the same order of properties as in the XML.
- Processing behaviour of `tagValueProcessor` and `attributeValueProcessor` has changed, with extra input parameters
- j2xparser is renamed to XMLBuilder.
- You need to build an XML parser instance for the given options first, before parsing XML.
- fix [#327](https://togithub.com/NaturalIntelligence/fast-xml-parser/issues/327), [#336](https://togithub.com/NaturalIntelligence/fast-xml-parser/issues/336): throw error when extra text after XML content
- fix [#330](https://togithub.com/NaturalIntelligence/fast-xml-parser/issues/330): attribute value can have '\n'
- fix [#350](https://togithub.com/NaturalIntelligence/fast-xml-parser/issues/350): attributes can be separated by '\n' from tagname

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
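A defensive pre-parse gate for the prototype-pollution pattern in the CVE-2023-26920 advisory above, added here as an example; it is not code from this SDK or from fast-xml-parser, and it assumes the caller runs it on the raw XML string before handing that string to any parser that maps tag names straight onto object keys. Unlike the advisory's substring check for "proto", it inspects only tag and attribute names, so harmless text such as `<note>protocol</note>` is not rejected, and it also covers `constructor` and `prototype`, which are common second targets in the same class of bug.

```javascript
// Added example, not part of the SDK or of fast-xml-parser. Gate untrusted XML
// before it reaches a parser that maps tag names straight onto object keys.

// Keys that, set on a plain object, can alter or shadow the prototype chain.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Comments, CDATA sections and processing instructions are removed first so
// that names appearing inside them are not reported as tags.
const SKIP_RE = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\?[\s\S]*?\?>/g;
// Start or self-closing tag: captures the tag name and the raw attribute text.
// Assumption: attribute values do not contain a literal '>'.
const TAG_RE = /<([A-Za-z_:][\w.:-]*)((?:\s+[^>]*?)?)\/?>/g;
// Attribute name followed by '=' inside the raw attribute text.
const ATTR_NAME_RE = /\s([A-Za-z_:][\w.:-]*)\s*=/g;

// Drops a namespace prefix: a parser configured to remove prefixes would turn
// <x:__proto__> into the key "__proto__" as well.
function localName(name) {
  const i = name.lastIndexOf(':');
  return i === -1 ? name : name.slice(i + 1);
}

// Returns every forbidden tag or attribute name in document order ([] if none).
function findForbiddenNames(xml) {
  const found = [];
  for (const m of xml.replace(SKIP_RE, '').matchAll(TAG_RE)) {
    const [, tag, attrs] = m;
    if (FORBIDDEN_NAMES.has(localName(tag))) found.push(tag);
    for (const a of attrs.matchAll(ATTR_NAME_RE)) {
      if (FORBIDDEN_NAMES.has(localName(a[1]))) found.push(a[1]);
    }
  }
  return found;
}

// Refuses the document before it is parsed; returns it unchanged when clean.
function assertSafeXml(xml) {
  const bad = findForbiddenNames(xml);
  if (bad.length > 0) {
    throw new Error('refusing to parse XML with unsafe names: ' + bad.join(', '));
  }
  return xml;
}

// Post-parse check: true when none of the given keys is reachable on a fresh
// object, i.e. parsing did not add them to Object.prototype.
function prototypeIsClean(...keys) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}
```

Call `assertSafeXml(body)` on each response body before `parser.parse(body)`, and `prototypeIsClean('polluted')` (or whichever keys matter to the application) after parsing as a cheap detection that the gate was not bypassed.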