Skip to content

chore(deps): bump fast-xml-parser from 5.3.8 to 5.5.7#38

Open
dependabot[bot] wants to merge 14 commits into
mainfrom
dependabot/npm_and_yarn/fast-xml-parser-5.5.7
Open

chore(deps): bump fast-xml-parser from 5.3.8 to 5.5.7#38
dependabot[bot] wants to merge 14 commits into
mainfrom
dependabot/npm_and_yarn/fast-xml-parser-5.5.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 25, 2026

Copy link
Copy Markdown

Bumps fast-xml-parser from 5.3.8 to 5.5.7.

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

5.5.0 / 2026-03-10

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

... (truncated)

Commits
  • a21c441 update package detail
  • 239b64a check for min value for entity exapantion options
  • 61cb666 restrict more properties to be unsafe
  • 41abd66 performance improvement of reading DOCTYPE
  • 3dfcd20 refactor: performance improvement
  • 870043e update release info
  • 6df401e update builder dependency
  • bd26122 check for entitiy expansion for lastEntities and html entities too
  • 7e70dd8 fix incorrect regex to replace . in entity name
  • e54155f update package info
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

rawand-shakir-draad and others added 14 commits March 5, 2026 16:11
Add plugin-loader package that reads plugins.json, validates
manifests, and exposes hooks for api-server (models, routes,
middleware, migrations) and admin-server (pages, menu items,
widget definitions).

Integration points:
- api-server: db models, middleware (5 positions), routes,
  init/migrate database scripts
- admin-server: dynamic sidenav items, catch-all plugin pages,
  widget definition merging, next.config transpilation
- widget-settings: merges plugin widget definitions into core

Safety: broken/missing plugins are logged and skipped,
never crash the server.
Remove hardcoded test-resources admin pages and let the catch-all
plugin route handle them. Add widget preview and server external
packages support to the catch-all route so plugin widgets get the
same features as core widgets.
The plugin widget route uses [...widgetPath] catch-all, so the widget ID
isn't available in router.query.id. Extract the ID from path segments and
pass it as idOverride to useWidgetConfig, useWidgetPreview, and
WidgetPublish so plugin widgets load and publish correctly.
Replace memoryStorage with databaseStorage backed by Sequelize models
for authorization codes, refresh tokens, and tasks. Access tokens
already used the database. Adds migration for the three new tables.

Also fixes a bug in token.js where non-existent memoryStorage.clients
was called instead of db.Client.
…ffinity

Add USE_KUBERNETES_CRONJOBS env var to disable in-process cron scheduling
and offload to a dedicated K8s CronJob that runs every configurable N
minutes, executing any application crons due within that window.

Add configurable pod anti-affinity (preferred/required) scoped to the
current namespace to spread replicas across nodes.
Move podAntiAffinity config from api-specific to global.podAntiAffinity
with enabled/mode settings. Add reusable helper template and apply to
all 5 deployments (api, admin, auth, cms, image). Each deployment uses
its own app label, scoped to the current namespace.
Replace build-time plugin imports with runtime loading via IIFE bundles.
Plugins are now served by the api-server and loaded via <script> tags,
enabling add/remove without rebuilding Docker images.

- Convert plugin-loader to TypeScript with manifest validation
- Add API endpoints: GET /registry, POST /reload (auth-protected), GET /bundle
- Add PluginComponentLoader React component for runtime bundle loading
- Simplify next.config.js by removing ~190 lines of build-time plugin code
- Extract plugin loading from Server.js into plugin-loader-init.js
- Remove plugin volume mounts from docker-compose.yml (moved to override)
- Remove metkoos as build-time dependency (runtime-only now)
- Add path traversal protection and Content-Type headers on bundle endpoint
- Reset plugins.json to empty default (deployment-specific config)
Add global.autoscaling values with per-service overrides for HPA
configuration including stabilizationWindowSeconds (cooldown) and
scaling policies. When autoscaling is enabled, replicas are omitted
from Deployments so the HPA manages pod count.
- Add PLUGIN_JSON_OVERRIDE env var support to plugin-loader for K8s ConfigMap injection
- Extract _loadEntries() method to avoid duplication between env var and file-based loading
- Add Helm plugins section (values.yaml) with enabled, nodeImage, installPath, npmrcSecret, items
- Add plugins-configmap.yaml template rendering plugin config as ConfigMap
- Add init container to API and Admin deployments that npm installs plugins into shared volume
- Add NODE_PATH + PLUGIN_JSON_OVERRIDE env vars to API/Admin containers and init-db-ready
- Support version pinning per plugin and private registries via npmrc secret
- Add explicit plugin-loader tsc build step in Dockerfile builder stage
- Ship plugin-loader dist/ in git (removed from .gitignore)
- Add 4 new tests for PLUGIN_JSON_OVERRIDE (41 total, all passing)
feat(plugins): runtime IIFE loading with API endpoints
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.8 to 5.5.7.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.8...v5.5.7)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants