fix: upgrade fast-xml-parser to 5.3.4 to resolve DoS vulnerability

andris9 · andris9 · commit 60aef5dfc988 · 2026-02-01T21:06:39.000+01:00
Upgrades fast-xml-parser from 4.5.2 to 5.3.4 to fix GHSA-37qj-frw5-hhjh (RangeError DoS via numeric entities). The new version provides a CommonJS build that works with pkg bundling despite the package switching to ESM by default. Also removes fast-xml-parser from .ncurc.js reject list since the upgrade path is now compatible with the build toolchain.
diff --git a/.ncurc.js b/.ncurc.js
@@ -3,7 +3,6 @@ module.exports = {
     reject: [
         // only works as ESM
         'chai',
-        'fast-xml-parser',
         'yargs'
     ]
 };
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -42,19 +42,19 @@
         "license-report": "6.8.1",
         "mbox-reader": "1.2.0",
         "mocha": "11.7.5",
-        "prettier": "3.7.4",
+        "prettier": "3.8.1",
         "resedit": "3.0.1"
     },
     "dependencies": {
         "@postalsys/vmc": "1.1.2",
-        "fast-xml-parser": "4.5.2",
+        "fast-xml-parser": "5.3.4",
         "ipaddr.js": "2.3.0",
         "joi": "18.0.2",
         "libmime": "5.3.7",
-        "nodemailer": "7.0.11",
+        "nodemailer": "7.0.13",
         "punycode.js": "2.3.1",
-        "tldts": "7.0.19",
-        "undici": "7.16.0",
+        "tldts": "7.0.21",
+        "undici": "7.19.2",
         "yargs": "17.7.2"
     },
     "engines": {

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@ module.exports = {`
`3`	`3`	`reject: [`
`4`	`4`	`// only works as ESM`
`5`	`5`	`'chai',`
`6`		`- 'fast-xml-parser',`
`7`	`6`	`'yargs'`
`8`	`7`	`]`
`9`	`8`	`};`