Merge pull request #291 from iteratehq/mike/CVE-2026-26278

msingleton · web-flow · commit 2c8ca23baba6 · 2026-03-03T15:45:36.000-05:00
fix: resolve CVE-2026-26278 fast-xml-parser DoS vulnerability
diff --git a/package.json b/package.json
@@ -85,7 +85,8 @@
     "@types/react": "^18.0.0 || ^19.0.0",
     "glob": "^10.5.0",
     "qs": "^6.14.0",
-    "tar": "^7.5.3"
+    "tar": "^7.5.3",
+    "fast-xml-parser": "^5.3.6"
   },
   "peerDependencies": {
     "react": ">=18.0.0",
diff --git a/yarn.lock b/yarn.lock
@@ -6130,14 +6130,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fast-xml-parser@npm:^4.4.1":
-  version: 4.5.3
-  resolution: "fast-xml-parser@npm:4.5.3"
+"fast-xml-parser@npm:^5.3.6":
+  version: 5.3.7
+  resolution: "fast-xml-parser@npm:5.3.7"
   dependencies:
-    strnum: ^1.1.1
+    strnum: ^2.1.2
   bin:
     fxparser: src/cli/cli.js
-  checksum: cd6a184941ec6c23f9e6b514421a3f396cfdff5f4a8c7c27bd0eff896edb4a2b55c27da16f09b789663613dfc4933602b9b71ac3e9d1d2ddcc0492fc46c8fa52
+  checksum: 0bb307bc63a01c079ae28b6b62eeea0007d787e6ab47dfca493f40305f78aeedea2906b2632bf0eb9d4d868e748c77c70393a808441fb5949c9d2e6f8f2825f0
   languageName: node
   linkType: hard
 
@@ -11488,10 +11488,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"strnum@npm:^1.1.1":
-  version: 1.1.2
-  resolution: "strnum@npm:1.1.2"
-  checksum: a85219eda13e97151c95e343a9e5960eacfb0a0ff98104b4c9cb7a212e3008bddf0c9714c9c37c2e508be78e741a04afc80027c2dc18509d1b5ffd4c37191fc2
+"strnum@npm:^2.1.2":
+  version: 2.1.2
+  resolution: "strnum@npm:2.1.2"
+  checksum: 755e8327ee68201d700169ceee097ea52da7b675f4521442a8dbd1517021f89a91399213c446d1bf3d1123ca1896a76f0ff076d04c88ffe6056e78828ce6f60a
   languageName: node
   linkType: hard
 
