Susceptible to CVE-2026-25896 (XSS in fast-xml-parser)? #1532

@bobsondugnutt2000

Description

CVE-2026-25896 in the fast-xml-parser library, which is a dependency, allows XSS via regex injection. Does Graph Explorer or any of its dependencies ever parse user-provided XML via this library, or could its API be made to do so? And is it possible to bump this dependency to the patched version?


Important

If you are interested in working on this issue or have submitted
a pull request, please leave a comment.

Tip

Please use a 👍 reaction to provide a +1/vote.

This helps the community and maintainers prioritize this request.

Labels: bug (Something isn't working)
