fix: bump fast-xml-parser from 5.7.0 to ~5.7.2 (entity regression)#135

Merged
Elesiann merged 1 commit into
mainfrom
fix/fast-xml-parser-bump
May 18, 2026
Conversation

@Elesiann
Contributor

Why

The pin "fast-xml-parser": "5.7.0" in resolutions has a runtime regression that breaks AWS SDK XML response parsing.

Version 5.7.0 introduced a stricter EntityReplacer that rejects valid numeric character references like &#xD; with:

[EntityReplacer] Invalid character '#' in entity name: "#xD"

This breaks @aws-sdk/core's parseXmlBody, which crashes when handling responses from STS:GetCallerIdentity. That call is made by @backstage/integration-aws-node whenever AWS plugins resolve credentials — so every AWS-using plugin (e.g. aws-ecs) goes down.

Confirmed at runtime on the Sankhya demo instance: the aws-ecs plugin returned 500 on the entity-services endpoint until this was patched via workaround. This PR fixes the root cause for all AWS-using plugins.

Upstream fixed it in 5.7.2 (released 2026-04-24): "Allowed numerical external entities for backward compatibility".

The 5.7.0 pin was introduced in #104 (security-fix automation) on 2026-04-28, which narrowed an existing ^5.3.8 caret range to an exact 5.7.0 — 4 days after the upstream fix was published, but the bot didn't pick it up.

What changes

  • package.json: "fast-xml-parser": "5.7.0" -> "fast-xml-parser": "~5.7.2" inside resolutions.
  • yarn.lock: regenerated by yarn install. Resolves to 5.7.3 (latest in 5.7.x). Transitive fast-xml-builder bumps from ^1.1.5 to ^1.1.7. No other entries change.

Why tilde, not caret

~5.7.2 keeps us within 5.7.x patches only. 5.8.0 added DOCTYPE entity validation via xml-naming that is potentially breaking for consumers that send non-standard XML — we don't want auto-upgrade into it.

Testing notes

  • yarn install completed cleanly (with only the existing peer-dependency warnings that already exist on main).
  • yarn.lock diff is minimal: just the fast-xml-parser entry + its fast-xml-builder transitive bump. No unrelated churn.
  • Runtime fix verified on Sankhya demo instance (via local workaround patching the same version) before the upstream pin change.

References

Version 5.7.0 has a regression in EntityReplacer that rejects valid
numeric character references like &#xD;, breaking AWS SDK XML response
parsing. Specifically, @aws-sdk/core's parseXmlBody crashes when parsing
responses from STS:GetCallerIdentity, which is called by
@backstage/integration-aws-node when AWS plugins resolve credentials.

5.7.2 (released 2026-04-24) explicitly fixed this with "Allowed
numerical external entities for backward compatibility".

Using ~5.7.2 (tilde) instead of ^5.7.2 (caret) to stay within 5.7.x
patches — 5.8.0 added xml-naming DOCTYPE validation that could break
consumers that send non-standard XML.

Confirmed at runtime via Sankhya demo instance: aws-ecs plugin failed
with 500 on the entity-services endpoint until this was fixed via
workaround. This pin fixes the root cause for all AWS-using plugins.

The 5.7.0 pin was introduced in #104 (security fix bot) on 2026-04-28,
which narrowed an earlier ^5.3.8 range to an exact version 4 days
after the upstream fix was published.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Elesiann Elesiann merged commit a0627c9 into main May 18, 2026
5 checks passed
@Elesiann Elesiann deleted the fix/fast-xml-parser-bump branch May 18, 2026 22:18