fix: resolve fast-xml-parser, lodash security vulnerabilities #2214
Cursor Bugbot has reviewed your changes and found 1 potential issue.
package.json
| "js-yaml": "4.1.1" | ||
| } | ||
| }, | ||
| "fast-xml-parser": "5.3.4", |
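Review bot: `"fast-xml-parser": "5.3.4"` is an exact pin inside `overrides`, so it will silently fall behind later 5.x security releases; consider a range such as `^5.3.4` so a future `npm audit fix` can move it. Since openapi-sampler declares `^4.5.0` and the override jumps it across a major version, let the CI suite that exercises openapi-sampler run to green under the forced v5 before merging, rather than relying on `npm audit` reporting 0 vulnerabilities alone.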
Major version override may break dependent packages
Medium Severity
The npm override forces fast-xml-parser from version 4.5.3 to 5.3.4, which is a major version upgrade. The openapi-sampler package explicitly declares a dependency on "fast-xml-parser": "^4.5.0" (accepting versions >=4.5.0 <5.0.0), meaning it was designed against the v4 API. Major version upgrades typically contain breaking changes, and forcing v5 via override could cause runtime compatibility issues for packages expecting v4. The PR checklist shows CI has not yet passed.
Add npm override for fast-xml-parser to version 5.3.4 to fix high-severity vulnerability (GHSA-37qj-frw5-hhjh). Override is required because openapi-sampler specifies ^4.5.0 which doesn't include the 5.x fix.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Test plan
npm audit shows 0 vulnerabilities
🤖 Generated with Claude Code
Note
Medium Risk
Forces upgraded transitive dependencies (including fast-xml-parser 4→5) via npm overrides, which could introduce subtle runtime/build incompatibilities despite being security-driven.
Overview
Pins security-patched dependency versions via package.json overrides, forcing fast-xml-parser@5.3.4, lodash@4.17.23, and lodash-es@4.17.23. Updates package-lock.json to reflect the forced resolutions (including strnum bump and removal of redundant nested lodash-es entries) and bumps the workspace @apify/docs-theme from 1.0.230 to 1.0.231.
Written by Cursor Bugbot for commit de32548.
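The "Major version override may break dependent packages" comment and the Overview above both turn on one question: does a version forced through `overrides` still satisfy the range each dependent declared? The following script is an added example, not code from this PR or from the Apify repository. It reads the `overrides` map of a package.json and the `packages` map of a lockfile-v3 package-lock.json, and reports every dependent whose declared range the pinned version falls outside, marking major-version jumps such as `^4.5.0` → `5.3.4`. The semver matcher is a deliberately minimal reimplementation (exact, `^`, `~`, and `>=`/`<` comparators only) so the script runs offline without the `semver` package; the package.json and lockfile objects are constructed sample data modelled on this PR, and the `checkOverrides`/`satisfies` names are this example's own.

```javascript
// Added example (not the PR's code): detect npm overrides that pin a version outside
// the range a dependent declares in package-lock.json, so a major-version override is
// flagged before CI or runtime discovers the incompatibility.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver range support: exact "x.y.z", "^x.y.z", "~x.y.z", and
// space-separated comparators such as ">=4.5.0 <5.0.0". Anything else throws.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = parseVersion(r.slice(1));
    // Caret: first non-zero component may not change.
    const upper = base[0] > 0 ? [base[0] + 1, 0, 0]
      : base[1] > 0 ? [0, base[1] + 1, 0] : [0, 0, base[2] + 1];
    return compare(v, base) >= 0 && compare(v, upper) < 0;
  }
  if (r.startsWith('~')) {
    const base = parseVersion(r.slice(1));
    return compare(v, base) >= 0 && compare(v, [base[0], base[1] + 1, 0]) < 0;
  }
  if (/^\d/.test(r)) return compare(v, parseVersion(r)) === 0;
  return r.split(/\s+/).every((cmp) => {
    const m = /^(>=|<=|>|<)(.+)$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compare(v, parseVersion(m[2]));
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0 }[m[1]];
  });
}

// For every override, walk the lockfile's "packages" map and collect dependents whose
// declared range the pinned version does not satisfy. majorJump is true when the pin's
// major differs from the major of the range's base version.
function checkOverrides(packageJson, lockfile) {
  const findings = [];
  for (const [name, pinned] of Object.entries(packageJson.overrides || {})) {
    for (const [path, entry] of Object.entries(lockfile.packages || {})) {
      const range = entry.dependencies && entry.dependencies[name];
      if (!range) continue;
      const dependent = path === '' ? '(root)' : path.replace(/^.*node_modules\//, '');
      if (!satisfies(pinned, range)) {
        const rangeBase = parseVersion(range.replace(/^[\^~>=<\s]+/, ''));
        findings.push({
          dependent, name, range, pinned,
          majorJump: parseVersion(pinned)[0] !== rangeBase[0],
        });
      }
    }
  }
  return findings;
}

// Constructed sample data modelled on this PR: the override block and openapi-sampler's
// declared "^4.5.0" range. Other ranges and entries here are illustrative, not real.
const SAMPLE_PACKAGE_JSON = {
  overrides: { 'fast-xml-parser': '5.3.4', lodash: '4.17.23' },
};
const SAMPLE_LOCKFILE = {
  packages: {
    '': { dependencies: { 'openapi-sampler': '^1.0.0', lodash: '^4.17.21' } },
    'node_modules/openapi-sampler': { dependencies: { 'fast-xml-parser': '^4.5.0' } },
    'node_modules/lodash': {},
  },
};

// Runs against the sample when executed directly; the lodash override is inside
// "^4.17.21" and produces no finding, the fast-xml-parser override does.
console.log(JSON.stringify(checkOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE), null, 2));
```

To run it against a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync('package.json'))` and `JSON.parse(fs.readFileSync('package-lock.json'))`; the script only inspects declared ranges, so a clean result means the override is within spec, not that the upgraded package behaves identically, which is why a flagged `majorJump` should still be backed by a green test run.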