## **Description**
**Reason:** fast-xml-parser 4.x (pulled in by @metamask/snaps-utils) is
vulnerable to a RangeError DoS (GHSA-37qj-frw5-hhjh).
[`fast-xml-parser`
Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
The only breaking change in v5 is the ESM support.
**Solution:** Add a resolution to fast-xml-parser ^5.3.4 and add it to
`npmPreapprovedPackages` so the safe version can be installed despite
the minimal age gate.
## **Changelog**
CHANGELOG entry: null
## **Related issues**
Fixes:
## **Manual testing steps**
## **Screenshots/Recordings**
N/A (dependency upgrade).
### **Before**
### **After**
## **Pre-merge author checklist**
- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I've included tests if applicable
- [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Dependency upgrade plus LavaMoat policy updates could cause
runtime/build regressions if `@metamask/snaps-utils` expects v4 behavior
or if the new globals aren’t correctly captured.
>
> **Overview**
> **Upgrades `fast-xml-parser` to `^5.3.4` via `package.json`
resolutions** (and updates `yarn.lock`, including `strnum` to `^2.1.0`)
to address GHSA-37qj-frw5-hhjh.
>
> **Refreshes LavaMoat policies**: removes the
`@metamask/snaps-utils>fast-xml-parser` allowlist entry from Browserify
policies, and updates Webpack MV2 policies to allow the new
`fast-xml-parser` access pattern (`exports.isExist`) instead of the old
`entityName`/`val` globals.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
57261b8. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Mark Stacey <[email protected]>
Co-authored-by: MetaMask Bot <[email protected]>