From c89849f398c11d43b7aa6c3a69ae183c12bfcc9a Mon Sep 17 00:00:00 2001 From: jrphilo Date: Wed, 13 May 2026 09:35:30 -0400 Subject: [PATCH] chore(deps): override fast-xml-builder to ^1.1.7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Clears two Dependabot alerts on transitive fast-xml-builder (via @opennextjs/cloudflare → @aws-sdk → fast-xml-parser → fast-xml-builder). Both patched at 1.1.7 (1.1.6 fixes one). - GHSA-5wm8-gmm8-39j9 (CVE-2026-44665): attribute values bypass via unwanted quotes (patched 1.1.7) - GHSA-45c6-75p6-83cc (CVE-2026-44664): comment-value regex bypass (patched 1.1.6) Co-Authored-By: Claude Opus 4.7 --- package.json | 1 + pnpm-lock.yaml | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 79e6789..85b553b 100644 --- a/package.json +++ b/package.json @@ -67,6 +67,7 @@ }, "pnpm": { "overrides": { + "fast-xml-builder": "^1.1.7", "fast-xml-parser": ">=5.7.0", "postcss": "^8.5.10" } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 539caa7..de2d889 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + fast-xml-builder: ^1.1.7 fast-xml-parser: '>=5.7.0' postcss: ^8.5.10 @@ -2804,8 +2805,8 @@ packages: fast-levenshtein@2.0.6: resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==} - fast-xml-builder@1.1.5: - resolution: {integrity: sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==} + fast-xml-builder@1.2.0: + resolution: {integrity: sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==} fast-xml-parser@5.7.1: resolution: {integrity: sha512-8Cc3f8GUGUULg34pBch/KGyPLglS+OFs05deyOlY7fL2MTagYPKrVQNmR1fLF/yJ9PH5ZSTd3YDF6pnmeZU+zA==} 
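Review bot: The `^1.1.7` range added under `pnpm.overrides` admits any later 1.x release, and the lockfile in this same commit shows it resolving to `fast-xml-builder@1.2.0`, which brings a new transitive package, `xml-naming@0.1.0`, into the tree. That is a wider change than the 1.1.7 patch level the description names, and nothing visible here shows the new package was looked at. If the intent is only to pick up the two advisories' fixes, a tighter override such as `"fast-xml-builder": "~1.1.7"` keeps the resolution on the patched 1.1.x line. Otherwise the description should say that 1.2.0 and `xml-naming` were accepted deliberately. Because package.json cannot carry a comment, the commit message is the only record of why the override exists, so it is also worth noting there when it can be removed (once `fast-xml-parser` itself requires a patched builder).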
@@ -4291,6 +4292,10 @@ packages: utf-8-validate: optional: true + xml-naming@0.1.0: + resolution: {integrity: sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==} + engines: {node: '>=16.0.0'} + y18n@5.0.8: resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==} engines: {node: '>=10'} @@ -7570,14 +7575,15 @@ snapshots: fast-levenshtein@2.0.6: {} - fast-xml-builder@1.1.5: + fast-xml-builder@1.2.0: dependencies: path-expression-matcher: 1.5.0 + xml-naming: 0.1.0 fast-xml-parser@5.7.1: dependencies: '@nodable/entities': 2.1.0 - fast-xml-builder: 1.1.5 + fast-xml-builder: 1.2.0 path-expression-matcher: 1.5.0 strnum: 2.2.3 @@ -9197,6 +9203,8 @@ snapshots: ws@8.18.0: {} + xml-naming@0.1.0: {} + y18n@5.0.8: {} yaml@2.8.3: {}