stacklok / toolhive-studio / 24846314348 / 1

70%

main: 70%

push

github

fix(security): pin fast-xml-parser to 5.5.8 to unblock S3 release publish (#2096)

* fix(security): pin fast-xml-parser to 5.5.8 to unblock release

5.7.0/5.7.1 introduced a breaking EntityReplacer that rejects '#' in entity names, which breaks @aws-sdk/xml-builder's parser.addEntity('#xD', '\r') call path and fails every S3 response parse done by @electron-forge/publisher-s3.

Upstream tracking: https://github.com/NaturalIntelligence/fast-xml-parser/issues/823 and https://github.com/aws/aws-sdk-js-v3/issues/7949. No patched 5.7.x is available yet, so roll the override back to the last known-good 5.5.8 (the version @aws-sdk/xml-builder itself pins).

Revisit once upstream ships >=5.7.2 with addEntity('#xD', ...) support restored.

* chore(security): ignore GHSA-gh4j-gqv2-49f6 on pinned fast-xml-parser

Pair with the 5.5.8 pin. The advisory only affects XMLBuilder.buildComment / buildCdata when callers pass unescaped user input; this repo does not use those APIs — the AWS SDK only parses responses. Ignore both the GHSA and its CVE alias (CVE-2026-41650) with a reason string so future reviewers see the rollback rationale inline.

3803 of 6273 branches covered (60.62%)

5871 of 8901 relevant lines covered (65.96%)

117.81 hits per line