Update dependency fast-xml-parser to v5.3.8 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fast-xml-parser	5.3.6 → 5.3.8

GitHub Vulnerability Alerts

CVE-2026-27942

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input:

[{
    'foo': [
        { 'bar': [{ '@​_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content.
What kind of vulnerability is it? Who is impacted?

Patches

Yes, in 5.3.8 and 4.5.4.

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

---

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies
  Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

v5.3.7: CJS typing fix

Compare Source

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in #​787

New Contributors

• @​Drarig29 made their first contribution in #​787

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.