chore(deps): update dependency fast-xml-parser to v5.3.8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fast-xml-parser	5.3.7 → 5.3.8

GitHub Vulnerability Alerts

CVE-2026-27942

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input:

[{
    'foo': [
        { 'bar': [{ '@​_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content.
What kind of vulnerability is it? Who is impacted?

Patches

Yes, in 5.3.8 and 4.5.4.

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

---

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.3.8: handle non-array input for XML builder && support maxNestedTags

Compare Source

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies
  Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.