ASolarers-Rodriguez opened a new pull request, #40118: URL: https://github.com/apache/superset/pull/40118
### SUMMARY

Add npm override to force `fast-xml-parser` to `^5.8.0`, replacing vulnerable 4.5.5 resolved by `@loaders.gl/xml` (`^4.2.5`) and `geostyler-wfs-parser` (`^4.4.0`). No fix exists in the 4.x line (4.5.6 is the last release), so an override to 5.x is required.

**CVEs addressed:**

- **CVE-2026-33036** — XML Entity Expansion
- **CVE-2026-33349** — Improper Validation of Specified Quantity in Input

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Not applicable — dependency-only change.

### TESTING INSTRUCTIONS

1. Run `npm install` in `superset-frontend/` — should complete without errors
2. Verify `fast-xml-parser` resolves to 5.8.0: `npm ls fast-xml-parser`
3. Run frontend tests: `npm run test`
4. Verify no regressions in components using XML parsing (GeoStyler/deck.gl layers)

### ADDITIONAL INFORMATION

- [x] Has associated issue: CVE-2026-33036, CVE-2026-33349
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
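As an added example that is not part of the PR or the Superset code base: the verification in testing step 2 done programmatically over a lockfile, plus the `overrides` entry the PR describes. It walks an npm lockfile's `packages` map (lockfile v2/v3 layout), reports every resolved copy of `fast-xml-parser` below 5.8.0 together with the nesting path that pulled it in, and shows how the override is merged into `package.json`. The lockfile excerpt, the `findVulnerable` and `withOverride` helpers and the simple three-part version comparison are all constructed for this illustration.

```javascript
// Added example, not from the Superset PR. Checks a package-lock.json
// object for resolved copies of a package older than the override target
// (the "npm ls fast-xml-parser" step, done offline against the lockfile),
// and builds the "overrides" entry the PR adds to package.json.

// Split "4.5.5" or "^5.8.0" into numeric parts (constructed helper; no
// prerelease handling, enough for the plain release versions compared here).
const semverParts = (v) => v.replace(/^[^\d]*/, "").split(".").map(Number);

// True when `version` is strictly older than `minimum` (major.minor.patch).
function isOlderThan(version, minimum) {
  const a = semverParts(version);
  const b = semverParts(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Walk every entry of the lockfile "packages" map. Nested copies live
// under ".../node_modules/<dep>/node_modules/<pkg>", which is exactly the
// case an override is meant to collapse; report each one still too old.
function findVulnerable(lock, pkgName = "fast-xml-parser", minimum = "5.8.0") {
  const hits = [];
  const suffix = `node_modules/${pkgName}`;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPkg = path === suffix || path.endsWith(`/${suffix}`);
    if (isPkg && isOlderThan(meta.version, minimum)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Return a copy of package.json with the override the PR describes added,
// keeping any overrides already present.
function withOverride(pkgJson, pkgName = "fast-xml-parser", range = "^5.8.0") {
  return { ...pkgJson, overrides: { ...(pkgJson.overrides || {}), [pkgName]: range } };
}

// Constructed lockfile excerpt: the top-level copy is already 5.8.0, but
// @loaders.gl/xml still carries its own nested 4.5.5.
const sampleLock = {
  packages: {
    "node_modules/@loaders.gl/xml": { version: "4.2.5" },
    "node_modules/@loaders.gl/xml/node_modules/fast-xml-parser": { version: "4.5.5" },
    "node_modules/fast-xml-parser": { version: "5.8.0" },
  },
};

console.log(findVulnerable(sampleLock)); // one hit: the nested 4.5.5 copy
console.log(withOverride({ name: "superset-frontend" }));
```

After `npm install` with the override in place, running the same check against the regenerated lockfile should return an empty list.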
