Build(deps): Bump fast-xml-parser from 5.5.7 to 5.7.3

[dependabot]

Bumps fast-xml-parser from 5.5.7 to 5.7.3.

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

5.5.12 / 2026-04-13

• Performance Improvement: update path-expression-matcher
  • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

• Performance Improvement
  • integrate ExpressionSet for stopNodes

... (truncated)

Commits

• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• b65da87 update changelog and mark addEntity deprecated
• c2ca631 update fxb
• da75191 fix stop node expression when ns prefix is removed
• 31bbc99 fix: alwaysCreateTextNode should create text node when attributes are present...
• dab327a remove unnecessary
• ab04eeb update docs
• 383cb3f Revise security information for v6 release
• Additional commits viewable in compare view

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.18s
✅ JAVASCRIPT	prettier	19		0	0	0.79s
✅ JSON	npm-package-json-lint	yes		no	no	0.66s
✅ JSON	prettier	29		0	0	4.36s
✅ MARKDOWN	markdownlint	10		0	0	1.19s
✅ REPOSITORY	checkov	yes		no	no	26.4s
✅ REPOSITORY	gitleaks	yes		no	no	2.18s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
❌ REPOSITORY	grype	yes		5	no	66.57s
✅ REPOSITORY	secretlint	yes		no	no	0.95s
✅ REPOSITORY	syft	yes		no	no	4.34s
❌ REPOSITORY	trivy	yes		1	no	15.17s
✅ REPOSITORY	trivy-sbom	yes		no	no	4.63s
✅ REPOSITORY	trufflehog	yes		no	no	42.95s
✅ TYPESCRIPT	prettier	108		0	0	3.15s
✅ YAML	prettier	25		0	0	0.64s
✅ YAML	yamllint	25		0	0	0.58s

Detailed Issues

❌ REPOSITORY / grype - 5 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME             INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
lodash           4.17.23    4.18.0    npm   GHSA-r5fr-rjxr-66jc  High      < 0.1% (11th)  < 0.1  
yaml             2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    < 0.1% (18th)  < 0.1  
lodash           4.17.23    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    < 0.1% (7th)   < 0.1  
brace-expansion  1.1.12     1.1.13    npm   GHSA-f886-m6hf-6m8v  Medium    < 0.1% (6th)   < 0.1  
brace-expansion  2.0.2      2.0.3     npm   GHSA-f886-m6hf-6m8v  Medium    < 0.1% (6th)   < 0.1
[0066] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / trivy - 1 error

2026-05-09T02:34:46Z	INFO	[vulndb] Need to update DB
2026-05-09T02:34:46Z	INFO	[vulndb] Downloading vulnerability DB...
2026-05-09T02:34:46Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
22.70 MiB / 92.41 MiB [-------------->______________________________________________] 24.57% ? p/s ?53.05 MiB / 92.41 MiB [----------------------------------->_________________________] 57.40% ? p/s ?90.92 MiB / 92.41 MiB [------------------------------------------------------------>] 98.39% ? p/s ?92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 115.98 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 115.98 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 115.98 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 108.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 108.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 108.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 101.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 101.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [--------------------------------------------->] 100.00% 101.50 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 94.95 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 94.95 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 94.95 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 88.82 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 88.82 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 88.82 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 83.09 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 83.09 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 83.09 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 77.73 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 77.73 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 77.73 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 72.72 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [---------------------------------------------->] 100.00% 72.72 MiB p/s ETA 0s92.41 MiB / 92.41 MiB [-------------------------------------------------] 100.00% 17.87 MiB p/s 5.4s2026-05-09T02:34:53Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-05-09T02:34:53Z	INFO	[vuln] Vulnerability scanning is enabled
2026-05-09T02:34:53Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-05-09T02:34:53Z	INFO	[checks-client] Need to update the checks bundle
2026-05-09T02:34:53Z	INFO	[checks-client] Downloading the checks bundle...
234.65 KiB / 234.65 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2026-05-09T02:35:00Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-05-09T02:35:00Z	INFO	Number of language-specific files	num=1
2026-05-09T02:35:00Z	INFO	[npm] Detecting vulnerabilities...
2026-05-09T02:35:00Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │        5        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2026-33750 │ MEDIUM   │ fixed  │ 1.1.12            │ 5.0.5, 3.0.2, 2.0.3, 1.1.13 │ brace-expansion: brace-expansion: Denial of Service via zero │
│                 │                │          │        │                   │                             │ step value in brace pattern...                               │
│                 │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33750                   │
│                 │                │          │        ├───────────────────┤                             │                                                              │
│                 │                │          │        │ 2.0.2             │                             │                                                              │
│                 │                │          │        │                   │                             │                                                              │
│                 │                │          │        │                   │                             │                                                              │
├─────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ lodash          │ CVE-2026-4800  │ HIGH     │        │ 4.17.23           │ 4.18.0                      │ lodash: lodash: Arbitrary code execution via untrusted input │
│                 │                │          │        │                   │                             │ in template imports                                          │
│                 │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-4800                    │
│                 ├────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-2950  │ MEDIUM   │        │                   │                             │ lodash: Lodash: Prototype pollution allows deletion of       │
│                 │                │          │        │                   │                             │ built-in prototype properties via array...                   │
│                 │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-2950                    │
├─────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml            │ CVE-2026-33532 │          │        │ 2.8.2             │ 2.8.3, 1.10.3               │ yaml: yaml: Denial of Service via deeply nested YAML         │
│                 │                │          │        │                   │                             │ document parsing                                             │
│                 │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33532                   │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.70.0 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository