chore(deps): override fast-xml-builder to 1.1.7+ (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc) #53

Closed
jrphilo wants to merge 1 commit into main from chore/security-fast-xml-builder-5wm8

Conversation

jrphilo (Collaborator) commented May 13, 2026

Summary

docs@0.1.0
└─┬ @opennextjs/cloudflare 1.19.2
  └─┬ @opennextjs/aws 3.10.2
    └─┬ @aws-sdk/client-cloudfront 3.984.0
      └─┬ @aws-sdk/core 3.974.2
        └─┬ @aws-sdk/xml-builder 3.972.18
          └─┬ fast-xml-parser 5.7.1
            └── fast-xml-builder 1.1.5 → 1.2.0 (post-override)
  • Exposure: fast-xml-builder is reached only through the AWS SDK's CloudFront client, which is itself pulled in by the @opennextjs/cloudflare build/deploy tooling. We do not directly serialize attacker-controlled data to XML. Both advisories describe attacker-controlled values that bypass filtering when building XML — not applicable to our deploy path. Bumping is still the correct deterministic fix.

Test plan

  • pnpm install succeeds; lockfile updated
  • pnpm why fast-xml-builder reports 1.2.0 (>= 1.1.7 patched floor)
  • CI green (lint + build + check:links)

AI-assistance disclosure: this PR was drafted by an AI agent (Claude / Ralphie) as part of the docs repo dependency-triage loop. The change is mechanical (a pnpm.overrides entry) and the exposure note is grounded in repo grep + advisory text. A maintainer should still skim the diff before merging.

Clears two Dependabot alerts on transitive fast-xml-builder (via
@opennextjs/cloudflare → @aws-sdk → fast-xml-parser → fast-xml-builder).
Both patched at 1.1.7 (1.1.6 fixes one).

- GHSA-5wm8-gmm8-39j9 (CVE-2026-44665): attribute values bypass via
  unwanted quotes (patched 1.1.7)
- GHSA-45c6-75p6-83cc (CVE-2026-44664): comment-value regex bypass
  (patched 1.1.6)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
jrphilo added the labels dependencies (Pull requests that update a dependency file) and security (Security-related changes (Dependabot alert sweeps, advisories)) May 13, 2026

cloudflare-workers-and-pages (bot) commented May 13, 2026

Deploying with Cloudflare Workers. The latest updates on your project:

Status: Deployment successful! | Name: docs-preview | Latest Commit: c89849f | Updated (UTC): May 13 2026, 01:39 PM

jrphilo (Collaborator, Author) commented May 13, 2026

Ralphie verified this — ready to merge.

Verification

  • lint: ✓ (one pre-existing <img> warning in src/components/Logo.tsx, unrelated)
  • build: ✓ (Next.js type-check + bundle)
  • check:links: ✓ (39 files, 3 internal links, 0 broken)

Changelog highlights

Investigation

  • Ownership: same maintainer (NaturalIntelligence org, publisher of both fast-xml-parser and fast-xml-builder).
  • Auth/secrets: none — the override is a pnpm.overrides floor bump on a transitive dep, no auth/token-handling code on either side.
  • Security advisory: both GHSAs are the reason for the PR — investigated → both describe attacker-controlled values fed into XML attribute/comment serialization. Repo grep for fast-xml-builder in src/ returned no matches; the only path into the tree is @opennextjs/cloudflare → AWS SDK CloudFront/S3 clients (build/deploy tooling), which doesn't serialize attacker-controlled data. Override resolves to 1.2.0 (≥ both patched floors) per pnpm why.
  • Deprecations: none we'd hit.
  • Breaking API: none — transitive override floor, no direct caller in this repo.

Recommendation

Mechanical pnpm.overrides floor bump to clear two open Dependabot alerts. Lockfile already resolves to 1.2.0, build/lint/links all green, no direct usage in our code. Safe to merge.
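The test plan and the verification comment above confirm the override through `pnpm why`. As an added example that is not part of this PR or the docs repo, the Node script below reads the `packages:` section of a pnpm lockfile directly and flags every resolved copy of an overridden package that sits below its patched floor, rather than trusting a single reported version; the lockfile excerpt is constructed for the example, and the floors are the 1.1.7 and 7.5.6 values cited in this thread.

```javascript
// Added example (not the repo's code): check that every resolved copy of an
// overridden package in a pnpm lockfile meets the advisory's patched floor.
// Constructed excerpt shaped like a pnpm v9 lockfile (not the real docs lockfile);
// note the stale protobufjs@7.2.4 copy sitting beside the patched one.
const LOCK_EXCERPT = `
packages:
  fast-xml-builder@1.2.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  protobufjs@7.5.6:
    resolution: {integrity: sha512-CONSTRUCTED}
  protobufjs@7.2.4(long@1.0.0):
    resolution: {integrity: sha512-CONSTRUCTED}
`;
// Patched floors from the advisories the PR cites.
const PATCHED_FLOORS = { 'fast-xml-builder': '1.1.7', protobufjs: '7.5.6' };

// "1.2.0" -> [1, 2, 0]; pre-release suffixes are ignored ("1.1.7-rc.1" counts as 1.1.7).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every version of `name` under packages:, whose keys look like "  name@1.2.0:" or "  @scope/name@1.2.0(peer@3.0.0):".
function resolvedVersions(lockText, name) {
  const start = lockText.indexOf('\npackages:');
  const body = start === -1 ? '' : lockText.slice(start);
  return [...body.matchAll(/^  (@?[^@\s]+)@([^:(\s]+)/gm)]
    .filter((m) => m[1] === name).map((m) => m[2]);
}

// One finding per resolved copy; an override that resolves to nothing is flagged too (usually a typo in the override name).
function checkFloors(lockText, floors) {
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    const versions = resolvedVersions(lockText, name);
    if (versions.length === 0) findings.push({ name, version: null, ok: false });
    for (const v of versions) findings.push({ name, version: v, ok: compareVersions(v, floor) >= 0 });
  }
  return findings;
}

for (const f of checkFloors(LOCK_EXCERPT, PATCHED_FLOORS))
  console.log(`${f.ok ? 'ok  ' : 'FAIL'} ${f.name}@${f.version ?? '(unresolved)'}`);
```

Run it against a real `pnpm-lock.yaml` by replacing `LOCK_EXCERPT` with the file contents; a non-empty set of `FAIL` lines means the override did not reach every copy in the tree.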

jrphilo (Collaborator, Author) commented May 13, 2026

Closing — superseded by #57, which batches this override with the protobufjs override (#52) onto current main to avoid a rebase cascade after the recent merge wave.

jrphilo closed this May 13, 2026
jrphilo added a commit that referenced this pull request May 13, 2026
Combines #52 and #53 into a single PR off main, avoiding the
rebase cascade after #44/#42/#54/#55 churn. Both are mechanical
pnpm.overrides additions:

- protobufjs ^7.5.6 — clears alerts #7-14
  (GHSA-q6x5-8v7m-xcrf, GHSA-jvwf-75h9-cwgg, GHSA-75px-5xx7-5xc7,
   GHSA-fx83-v9x8-x52w, GHSA-2pr8-phx7-x9h3, GHSA-66ff-xgx4-vchm,
   GHSA-685m-2w69-288q). Reached via posthog-js OTLP exporter;
   not directly imported by our app.

- fast-xml-builder ^1.1.7 — clears alerts #3, #4
  (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc). Reached via
   @opennextjs/cloudflare → AWS SDK build/deploy tooling; not
   directly used.

Replaces #52, #53.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jrphilo added a commit that referenced this pull request May 13, 2026
…es (#59)

Adds PROMPT_dependency_batch.md and a Phase 3 invocation to
dependency.sh. After Phase 2 drains, if ≥2 PRs are
ralphie:ready-to-merge AND share at least one touched file path
(in practice always pnpm-lock.yaml), Phase 3 opens a single batch
PR off fresh origin/main that combines their package.json edits,
regenerates the lockfile once, verifies the combined diff
(lint/build/check:links), and closes the constituents with
ralphie:replaced-by-newer-pr.

Motivates: today's wave required manually batching #52 and #53
after merge-cascade conflicts. Same pattern will repeat weekly
per the Dependabot schedule; this automates it.

New flags:
- --batch-only: skip Phase 1+2, batch the current ready set.
- --no-batch:   skip Phase 3 entirely.

dependency-rules.md gains a Phase 3 section: eligibility gates
(≥2 ready, ≥1 file overlap), batchable edit shapes
(pnpm.overrides, dependencies versions, same-package version
conflicts take the higher), verification recipe, outcomes table,
batch PR body shape, and constituent comment shapes.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Labels: dependencies (Pull requests that update a dependency file), ralphie:ready-to-merge (Ralphie verified; maintainer to merge), security (Security-related changes (Dependabot alert sweeps, advisories))