fix(rss): unpin fast-xml-parser to resolve entity expansion CVEs (#16037)

blimmer · web-flow · commit fdd2c5a2f0eb · 2026-03-23T06:49:00.000Z
diff --git a/.changeset/unpin-fast-xml-parser.md b/.changeset/unpin-fast-xml-parser.md
@@ -0,0 +1,5 @@
+---
+'@astrojs/rss': patch
+---
+
+Unpin `fast-xml-parser` to `^5.5.7` to resolve entity expansion CVEs
diff --git a/packages/astro-rss/package.json b/packages/astro-rss/package.json
@@ -32,7 +32,7 @@
     "xml2js": "0.6.2"
   },
   "dependencies": {
-    "fast-xml-parser": "5.4.1",
+    "fast-xml-parser": "^5.5.7",
     "piccolore": "^0.1.3",
     "zod": "^4.3.6"
   }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@astrojs/rss': patch
 +---
++
 +Unpin `fast-xml-parser` to `^5.5.7` to resolve entity expansion CVEs