From 315a5c06179d20d133a735f4773a32414ffaab79 Mon Sep 17 00:00:00 2001 From: Elesiann Date: Mon, 18 May 2026 18:46:42 -0300 Subject: [PATCH] fix: bump fast-xml-parser pin from 5.7.0 to ~5.7.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version 5.7.0 has a regression in EntityReplacer that rejects valid numeric character references like , breaking AWS SDK XML response parsing. Specifically, @aws-sdk/core's parseXmlBody crashes when parsing responses from STS:GetCallerIdentity, which is called by @backstage/integration-aws-node when AWS plugins resolve credentials. 5.7.2 (released 2026-04-24) explicitly fixed this with "Allowed numerical external entities for backward compatibility". Using ~5.7.2 (tilde) instead of ^5.7.2 (caret) to stay within 5.7.x patches — 5.8.0 added xml-naming DOCTYPE validation that could break consumers that send non-standard XML. Confirmed at runtime via Sankhya demo instance: aws-ecs plugin failed with 500 on the entity-services endpoint until this was fixed via workaround. This pin fixes the root cause for all AWS-using plugins. The 5.7.0 pin was introduced in #104 (security fix bot) on 2026-04-28, which narrowed an earlier ^5.3.8 range to an exact version 4 days after the upstream fix was published. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package.json | 2 +-
 yarn.lock | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/package.json b/package.json
index 85834e6..c5c5112 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,7 @@
 "@isaacs/brace-expansion": "^5.0.1",
 "bn.js": "^4.12.3",
 "lodash": "4.18.1",
- "fast-xml-parser": "5.7.0",
+ "fast-xml-parser": "~5.7.2",
 "protobufjs": "7.5.5",
 "@protobufjs/inquire": "1.1.0",
 "flatted": "3.4.2",
diff --git a/yarn.lock b/yarn.lock
index 3fcdf8e..a17ee55 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -25673,17 +25673,17 @@ __metadata:
 languageName: node
 linkType: hard
-"fast-xml-parser@npm:5.7.0":
- version: 5.7.0
- resolution: "fast-xml-parser@npm:5.7.0"
+"fast-xml-parser@npm:~5.7.2":
+ version: 5.7.3
+ resolution: "fast-xml-parser@npm:5.7.3"
 dependencies:
 "@nodable/entities": "npm:^2.1.0"
- fast-xml-builder: "npm:^1.1.5"
+ fast-xml-builder: "npm:^1.1.7"
 path-expression-matcher: "npm:^1.5.0"
 strnum: "npm:^2.2.3"
 bin:
 fxparser: src/cli/cli.js
- checksum: 10c0/773d83bc6ad2c97e86326324784b2e3fbbcb989bc7e02c08c4284d302251ace6cd2e4f58896cdaed705887b0523c0455af5c811dece720ebe4245c3af427471b
+ checksum: 10c0/eeb802855e852ce16121396297f04131c6dbc74f863be94f19e26e386656bdb31677af469ddc6627983a48b99d8842888460ac5413063cb648fde547bb579978
 languageName: node
 linkType: hard