
deps: update fast-xml-parser and markdown-it #52541

Merged
vincentkoc merged 3 commits into main from vincentkoc-code/deps-fast-xml-parser-markdown-it on Mar 23, 2026

Conversation

@vincentkoc (Member) commented Mar 23, 2026

Summary

Describe the problem and fix in 2–5 bullets:

  • Problem: Dependabot flags fast-xml-parser 5.5.6 (entity limit bypass when set to 0).
  • Why it matters: Need >=5.5.7 to ensure entity limits honor explicit 0 values.
  • What changed: bump pnpm override for fast-xml-parser to 5.5.7; format 8 test files (repo formatting drift).
  • What did NOT change (scope boundary): No runtime logic changes beyond dependency override and formatting only.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

None.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: local
  • Model/provider: N/A
  • Integration/channel (if any): N/A
  • Relevant config (redacted): N/A

Steps

  1. Pre-commit hook ran pnpm check on commit.

Expected

  • Checks pass.

Actual

  • Checks passed.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: Pre-commit pnpm check (format/lint/tsgo + repo script checks).
  • Edge cases checked: None (dependency override + formatting only).
  • What you did not verify: pnpm test, runtime behavior.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR.
  • Files/config to restore: package.json, pnpm-lock.yaml
  • Known bad symptoms reviewers should watch for: dependency resolution failures.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

  • Risk: Dependency regression from fast-xml-parser bump.
    • Mitigation: Patch bump via override only.

AI Assistance

  • AI-assisted: Yes (this description satisfies the “mark as AI-assisted” requirement).
  • Mark as AI-assisted in the PR title or description
  • Note the degree of testing (pre-commit pnpm check; no tests)
  • Include prompts or session logs if possible
  • Confirm you understand what the code does
  • Attempted codex review --base origin/main (failed: local MCP client connection refused)

openclaw-barnacle bot added labels channel: matrix (Channel integration: matrix), size: S and maintainer (Maintainer-authored PR) on Mar 23, 2026
@vincentkoc vincentkoc marked this pull request as ready for review March 23, 2026 00:43
greptile-apps bot (Contributor) commented Mar 23, 2026

Greptile Summary

This PR aims to apply a targeted security fix by bumping the fast-xml-parser override from 5.5.6 → 5.5.7 (CVE: entity-limit bypass when set to 0) and adding it as a direct dependency. The fast-xml-parser change itself is correct and appropriate.

However, the diff against the specified base branch reveals two blocking concerns:

  • Lockfile out of sync with package.json: pnpm-lock.yaml still records file-type: 21.3.4 and tar: 7.5.12 in its overrides and importer sections, while package.json now specifies 21.3.3 and 7.5.11 respectively. pnpm install --frozen-lockfile will fail in CI until the lockfile is regenerated.

  • Stale base / large unintended diff: The package version fields roll back from 2026.3.22 → 2026.3.14, and the diff includes removal of four plugin-sdk export entries (outbound-runtime, param-readers, channel-status, slack-targets), removal of several CI check steps (check:base-config-schema, check:bundled-plugin-metadata, check:no-conflict-markers), significant dependency downgrades (uuid v13 → v11, matrix-js-sdk 41.2.0-rc.0 → ^40.1.0, and several others), and deletion of scripts like plugin-sdk:api:check and config:schema:check. These are almost certainly artifacts of the branch being created from an older commit of main rather than the current HEAD. Rebasing against current main is required before this can safely merge.

Confidence Score: 2/5

  • Not safe to merge until the PR is rebased onto current main and the lockfile is regenerated to match package.json.
  • The intended fast-xml-parser security fix is correct, but the PR is based on a stale branch that diverges significantly from current main — it would revert plugin-SDK exports, CI checks, and several accepted dependency upgrades. Additionally, the lockfile is out of sync with package.json for file-type and tar, which will break frozen-lockfile CI. Both issues must be resolved before merge.
  • pnpm-lock.yaml (lockfile/package.json mismatch) and package.json / extensions/matrix/package.json (stale-base scope creep).

Reviews (1): Last reviewed commit: "Merge branch 'main' into vincentkoc-code..."

fast-xml-parser: 5.5.7
request: npm:@cypress/[email protected]
request-promise: npm:@cypress/[email protected]
file-type: 21.3.4
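Review bot: This overrides block still records file-type: 21.3.4 while the package.json in the same PR sets "file-type": "21.3.3", so the lockfile was not regenerated after the manifest edit; run pnpm install, commit the resulting pnpm-lock.yaml, and then confirm with pnpm install --frozen-lockfile, a check the description's verification section does not cover.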

P1 Lockfile/package.json mismatch for file-type

pnpm-lock.yaml still pins file-type to 21.3.4 in the overrides section (and in the importers specifier on line 102), but package.json now specifies "file-type": "21.3.3" in both dependencies (line 722) and pnpm.overrides (line 791). This mismatch will cause pnpm install --frozen-lockfile to fail in CI.

The same inconsistency exists for tar: the lockfile overrides section (line 19) still shows tar: 7.5.12 while package.json specifies "tar": "7.5.11" in both dependencies (line 739) and pnpm.overrides (line 797).

Running pnpm install again after the package.json edits should regenerate the lockfile to bring it in sync.


Comment on lines 1 to 6
{
"name": "openclaw",
"version": "2026.3.22",
"version": "2026.3.14",
"description": "Multi-channel AI gateway with extensible messaging integrations",
"keywords": [],
"homepage": "https://github.com/openclaw/openclaw#readme",
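Review bot: The version field moves from 2026.3.22 to 2026.3.14 in this hunk, a rollback unrelated to the stated dependency bump; after the branch is rebased onto current main this hunk should disappear entirely, which is the quickest way to confirm the rebase took.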

P1 PR scope far exceeds stated changes — possible stale base

The PR description states the scope is limited to bumping fast-xml-parser (5.5.6 → 5.5.7) and markdown-it (already at 14.1.1 in the diff base, so effectively a no-op). However, the diff against main includes many additional unrelated changes:

  • Version regression: package.json and extensions/matrix/package.json versions roll back from 2026.3.22 → 2026.3.14/2026.3.11, which strongly suggests this branch was created from an older commit of main.
  • uuid major downgrade: ^13.0.0 → ^11.1.0 (two major versions back).
  • matrix-js-sdk downgrade: 41.2.0-rc.0 → ^40.1.0 (back to a previous major stable).
  • Removed plugin-SDK exports: ./plugin-sdk/outbound-runtime, ./plugin-sdk/param-readers, ./plugin-sdk/channel-status, ./plugin-sdk/slack-targets are removed — a breaking API surface change.
  • Weakened CI checks: check:base-config-schema, check:bundled-plugin-metadata, and check:no-conflict-markers are dropped from the check script.
  • Removed scripts: plugin-sdk:api:check, plugin-sdk:api:gen, config:schema:check, config:schema:gen.

If this branch was created from an older commit and main has moved forward, a rebase/merge against current main is needed before merging to avoid inadvertently reverting several weeks of accepted changes.


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a32140ca65


package.json Outdated
"request": "npm:@cypress/[email protected]",
"request-promise": "npm:@cypress/[email protected]",
"file-type": "21.3.4",
"file-type": "21.3.3",
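Review bot: file-type is downgraded from 21.3.4 to 21.3.3 here, which contradicts the description's scope boundary that nothing changed beyond the fast-xml-parser override; either this line is stale-base noise that should vanish on rebase, or the description needs to list it and the lockfile needs to follow it.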

P0 Sync lockfile overrides with package overrides

This change updates pnpm.overrides in package.json (for example file-type and tar) without updating the corresponding overrides values in pnpm-lock.yaml, so the manifest and lockfile no longer describe the same dependency graph. In this state, fresh installs with the default CI behavior (pnpm install --frozen-lockfile) fail with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH, which blocks clean CI and reproducible installs.

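A pre-commit check for the manifest/lockfile drift described in the two review comments above, as an added example that is not part of this PR or the openclaw repo; it assumes the file layout the comments describe (pnpm.overrides in package.json, a top-level overrides: block in pnpm-lock.yaml) and uses constructed sample inputs:

```javascript
// Added example (not code from the openclaw repo): report pnpm.overrides entries
// in package.json that disagree with the `overrides:` block of pnpm-lock.yaml,
// the state that makes `pnpm install --frozen-lockfile` fail in CI.

// Parse only the flat top-level `overrides:` block; no YAML library needed.
function parseLockfileOverrides(lockText) {
  const overrides = {};
  let inBlock = false;
  for (const line of lockText.split("\n")) {
    if (/^overrides:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock) continue;
    // Block ends at the next non-indented, non-empty line (e.g. `importers:`).
    if (line.trim() !== "" && !/^\s/.test(line)) break;
    // Keys may be single-quoted (scoped packages); values may contain colons.
    const m = line.match(/^\s+('?)([^:']+)\1:\s*(.+?)\s*$/);
    if (m) overrides[m[2]] = m[3].replace(/^['"]|['"]$/g, "");
  }
  return overrides;
}

// Compare manifest overrides with lockfile overrides; sorted list of mismatches.
function findOverrideMismatches(packageJsonText, lockText) {
  const manifest = (JSON.parse(packageJsonText).pnpm || {}).overrides || {};
  const lock = parseLockfileOverrides(lockText);
  const names = [...new Set([...Object.keys(manifest), ...Object.keys(lock)])].sort();
  return names
    .filter((name) => manifest[name] !== lock[name])
    .map((name) => ({ name, packageJson: manifest[name] ?? null, lockfile: lock[name] ?? null }));
}

function formatReport(mismatches) {
  if (mismatches.length === 0) return "pnpm.overrides and lockfile overrides are in sync";
  return mismatches
    .map((m) => `${m.name}: package.json=${m.packageJson} lockfile=${m.lockfile}`)
    .join("\n");
}

// Constructed sample inputs mirroring the values discussed in this review thread.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example",
  pnpm: { overrides: { "@types/node": "22.0.0", "fast-xml-parser": "5.5.7", "file-type": "21.3.3", tar: "7.5.11" } },
});
const SAMPLE_LOCKFILE = [
  "lockfileVersion: '9.0'", "",
  "overrides:",
  "  '@types/node': 22.0.0",
  "  fast-xml-parser: 5.5.7",
  "  file-type: 21.3.4",
  "  tar: 7.5.12", "",
  "importers:",
  "  .:",
  "    dependencies:",
  "      file-type:",
  "        specifier: 21.3.4",
].join("\n");

// Expected: file-type and tar are reported; fast-xml-parser and @types/node agree.
const SAMPLE_MISMATCHES = findOverrideMismatches(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
console.log(formatReport(SAMPLE_MISMATCHES));
```

Wire `findOverrideMismatches` to the real files with `fs.readFileSync` and exit non-zero on any mismatch to fail the pre-commit hook before CI does.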

Comment on lines 117 to 120
"types": "./dist/plugin-sdk/interactive-runtime.d.ts",
"default": "./dist/plugin-sdk/interactive-runtime.js"
},
"./plugin-sdk/outbound-runtime": {
"types": "./dist/plugin-sdk/outbound-runtime.d.ts",
"default": "./dist/plugin-sdk/outbound-runtime.js"
},
"./plugin-sdk/infra-runtime": {
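Review bot: Removing the ./plugin-sdk/outbound-runtime export (and the other three subpaths the summary lists) is a breaking change for any consumer importing those subpaths, and an override-only bump should not touch the exports map at all; restore the entry and verify with pnpm plugin-sdk:check-exports before merge.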

P1 Restore removed plugin-sdk subpath exports

The exports map drops ./plugin-sdk/outbound-runtime, ./plugin-sdk/param-readers, ./plugin-sdk/channel-status, and ./plugin-sdk/slack-targets even though these entrypoints still exist and are imported by bundled extensions (for example Slack, Matrix, and Discord code paths). That causes ERR_PACKAGE_PATH_NOT_EXPORTED for consumers of published packages and also puts package.json out of sync with the plugin SDK entrypoint list used by pnpm plugin-sdk:check-exports.


package.json Outdated
"protocol:gen": "node --import tsx scripts/protocol-gen.ts",
"protocol:gen:swift": "node --import tsx scripts/protocol-gen-swift.ts",
"release:check": "pnpm config:docs:check && pnpm plugin-sdk:api:check && node scripts/stage-bundled-plugin-runtime-deps.mjs && node --import tsx scripts/release-check.ts",
"release:check": "pnpm config:docs:check && node scripts/stage-bundled-plugin-runtime-deps.mjs && node --import tsx scripts/release-check.ts",
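Review bot: Dropping pnpm plugin-sdk:api:check from release:check removes exactly the gate that would flag the exports-map removal earlier in this diff; restore it (a rebase onto current main should bring it back) rather than shipping a release preflight that no longer checks SDK API drift.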

P2 Keep Plugin SDK API drift gate in release check

Removing pnpm plugin-sdk:api:check from release:check weakens the release gate by no longer verifying Plugin SDK API baseline drift before release packaging. This repo still has CI workflow steps dedicated to that drift check, so dropping it here creates inconsistent gating and increases the chance of shipping unreviewed SDK surface changes when release:check is run as the release preflight.


@vincentkoc vincentkoc force-pushed the vincentkoc-code/deps-fast-xml-parser-markdown-it branch from a32140c to 44a1a06 Compare March 23, 2026 00:54
openclaw-barnacle bot added labels channel: discord, channel: mattermost, channel: nextcloud-talk, channel: telegram, extensions: tavily and size: XS, and removed labels channel: matrix and size: S, on Mar 23, 2026
@vincentkoc vincentkoc merged commit a61e5d1 into main Mar 23, 2026
7 checks passed
@vincentkoc vincentkoc deleted the vincentkoc-code/deps-fast-xml-parser-markdown-it branch March 23, 2026 00:55
frankekn pushed a commit to artwalker/openclaw that referenced this pull request Mar 23, 2026
* style: format test files

* deps: bump fast-xml-parser override
furaul pushed a commit to furaul/openclaw that referenced this pull request Mar 24, 2026
* style: format test files

* deps: bump fast-xml-parser override
npmisantosh pushed a commit to npmisantosh/openclaw that referenced this pull request Mar 25, 2026
* style: format test files

* deps: bump fast-xml-parser override
alexey-pelykh pushed a commit to remoteclaw/remoteclaw that referenced this pull request Mar 28, 2026
* style: format test files

* deps: bump fast-xml-parser override

(cherry picked from commit a61e5d1)

# Conflicts:
#	extensions/discord/src/monitor/monitor.threading-utils.test.ts
#	extensions/mattermost/src/mattermost/target-resolution.test.ts
#	extensions/microsoft/speech-provider.test.ts
#	extensions/nextcloud-talk/src/room-info.test.ts
#	extensions/tavily/src/tavily-client.test.ts
#	package.json
#	pnpm-lock.yaml
#	src/tts/provider-registry.test.ts
alexey-pelykh pushed a commit to remoteclaw/remoteclaw that referenced this pull request Mar 28, 2026
* style: format test files

* deps: bump fast-xml-parser override

(cherry picked from commit a61e5d1)

# Conflicts:
#	extensions/discord/src/monitor/monitor.threading-utils.test.ts
#	extensions/mattermost/src/mattermost/target-resolution.test.ts
#	extensions/nextcloud-talk/src/room-info.test.ts
#	extensions/tavily/src/tavily-client.test.ts
#	src/tts/provider-registry.test.ts
