Skip to content

npm(deps): bump fast-xml-parser from 5.5.9 to 5.7.2#2754

Open
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/develop/fast-xml-parser-5.5.10
Open

npm(deps): bump fast-xml-parser from 5.5.9 to 5.7.2#2754
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/develop/fast-xml-parser-5.5.10

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026
edited
Loading

Bumps fast-xml-parser from 5.5.9 to 5.7.2.

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to user entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

  • fix: entity replacement for numeric entities
  • use @​nodable/entities to replace entities
    • this may change some error messages related to entities expansion limit or inavlid use
    • post check would be exposed in future version

5.5.12 / 2026-04-13

  • Performance Improvement: update path-expression-matcher
    • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

  • Performance Improvement
    • integrate ExpressionSet for stopNodes

5.5.10 / 2026-04-03

  • increase default entity explansion limit as many projects demand for that
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

... (truncated)

Commits
  • b1d5b90 update releas info
  • 78571ae tests for long tag expression
  • ebaedc0 allow numerical external entities for backward compatibility
  • 91245eb update changelog
  • 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
  • d6bce3b allow long attribute expressions
  • 9a2561b remove unnecessary
  • 0f08303 fix typo
  • f529642 update to release v5.7.0
  • 52a8583 Revert "improve performance of attributes reading"
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 6, 2026
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 6, 2026
@dependabot dependabot Bot added the javascript Pull requests that update Javascript code label Apr 6, 2026
@dependabot dependabot Bot requested a review from petkopetkov2 as a code owner April 6, 2026 00:05
This was referenced Apr 22, 2026
Open
Open
@dependabot
npm(deps): bump fast-xml-parser from 5.5.9 to 5.7.2
0a75d7a 
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.5.9 to 5.7.2.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.9...v5.7.2)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.10
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title npm(deps): bump fast-xml-parser from 5.5.9 to 5.5.10 npm(deps): bump fast-xml-parser from 5.5.9 to 5.7.2 Apr 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/develop/fast-xml-parser-5.5.10 branch from e69ede0 to 0a75d7a Compare April 27, 2026 00:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daniel-mcadam-nhs daniel-mcadam-nhs Awaiting requested review from daniel-mcadam-nhs daniel-mcadam-nhs is a code owner

@kevinmason-nhs kevinmason-nhs Awaiting requested review from kevinmason-nhs kevinmason-nhs is a code owner

@EdwardWills-nhs EdwardWills-nhs Awaiting requested review from EdwardWills-nhs EdwardWills-nhs is a code owner

@georgeCraftReferrals georgeCraftReferrals Awaiting requested review from georgeCraftReferrals georgeCraftReferrals is a code owner

@csaw-nhs csaw-nhs Awaiting requested review from csaw-nhs csaw-nhs is a code owner

@petkopetkov2 petkopetkov2 Awaiting requested review from petkopetkov2 petkopetkov2 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants