You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP
Socket
Book a DemoSign in
Socket
Book a DemoSign in

fast-xml-parser

Package Overview
Dependencies
Maintainers
1
Versions
181
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

fast-xml-parser - npm Package Compare versions

Comparing version
5.5.8
 to
5.5.9
+16
-0
CHANGELOG.md

@@ -5,2 +5,18 @@ <small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>

**5.5.9 / 2026-03-23**
- combine typing files
**4.5.5 / 2026-03-22**
apply fixes from v5 (legacy maintenance branch v4-maintenance)
- support maxEntityCount
- support onDangerousProperty
- support maxNestedTags
- handle prototype pollution
- fix incorrect entity name replacement
- fix incorrect condition for entity expansion
**5.5.8 / 2026-03-20**

@@ -7,0 +23,0 @@ - pass read only matcher in callback

+143
-3
lib/fxp.d.cts

@@ -1,5 +0,145 @@

import type pem = require('./pem');
type Expression = pem.Expression;
type ReadonlyMatcher = pem.ReadonlyMatcher;
/**
* Types copied from path-expression-matcher
* @version <version>
* @updated <date>
*
* Update this file when path-expression-matcher releases a new version.
* Source: https://github.com/NaturalIntelligence/path-expression-matcher
*/
/**
* Options for creating an Expression
*/
interface ExpressionOptions {
/**
* Path separator character
* @default '.'
*/
separator?: string;
}
/**
* Parsed segment from an expression pattern
*/
interface Segment {
type: 'tag' | 'deep-wildcard';
tag?: string;
namespace?: string;
attrName?: string;
attrValue?: string;
position?: 'first' | 'last' | 'odd' | 'even' | 'nth';
positionValue?: number;
}
/**
* Expression - Parses and stores a tag pattern expression.
* Patterns are parsed once and stored in an optimized structure for fast matching.
*
* @example
* ```typescript
* const expr = new Expression("root.users.user");
* const expr2 = new Expression("..user[id]:first");
* const expr3 = new Expression("root/users/user", { separator: '/' });
* ```
*
* Pattern Syntax:
* - `root.users.user` — Match exact path
* - `..user` — Match "user" at any depth (deep wildcard)
* - `user[id]` — Match user tag with "id" attribute
* - `user[id=123]` — Match user tag where id="123"
* - `user:first` — Match first occurrence of user tag
* - `ns::user` — Match user tag with namespace "ns"
* - `ns::user[id]:first` — Combine namespace, attribute, and position
*/
declare class Expression {
readonly pattern: string;
readonly separator: string;
readonly segments: Segment[];
constructor(pattern: string, options?: ExpressionOptions);
get length(): number;
hasDeepWildcard(): boolean;
hasAttributeCondition(): boolean;
hasPositionSelector(): boolean;
toString(): string;
}
// ---------------------------------------------------------------------------
// ReadonlyMatcher
// ---------------------------------------------------------------------------
/**
* A live read-only view of a Matcher instance, returned by Matcher.readOnly().
*
* All query and inspection methods work normally and always reflect the current
* state of the underlying matcher. State-mutating methods (`push`, `pop`,
* `reset`, `updateCurrent`, `restore`) are not present — calling them on the
* underlying Proxy throws a `TypeError` at runtime.
*
* This is the type received by all FXP user callbacks when `jPath: false`.
*/
interface ReadonlyMatcher {
readonly separator: string;
/** Check if current path matches an Expression. */
matches(expression: Expression): boolean;
/** Get current tag name, or `undefined` if path is empty. */
getCurrentTag(): string | undefined;
/** Get current namespace, or `undefined` if not present. */
getCurrentNamespace(): string | undefined;
/** Get attribute value of the current node. */
getAttrValue(attrName: string): any;
/** Check if the current node has a given attribute. */
hasAttr(attrName: string): boolean;
/** Sibling position of the current node (child index in parent). */
getPosition(): number;
/** Occurrence counter of the current tag name at this level. */
getCounter(): number;
/** Number of nodes in the current path. */
getDepth(): number;
/** Current path as a string (e.g. `"root.users.user"`). */
toString(separator?: string, includeNamespace?: boolean): string;
/** Current path as an array of tag names. */
toArray(): string[];
/**
* Create a snapshot of the current state.
* The snapshot can be passed to the real Matcher.restore() if needed.
*/
snapshot(): MatcherSnapshot;
}
/** Internal node structure — exposed via snapshot only. */
interface PathNode {
tag: string;
namespace?: string;
position: number;
counter: number;
values?: Record<string, any>;
}
/** Snapshot of matcher state returned by `snapshot()` and `readOnly().snapshot()`. */
interface MatcherSnapshot {
path: PathNode[];
siblingStacks: Map<string, number>[];
}
/**********************************************************************
*
* END of path-expression-matcher relevant typings
*
**********************************************************************/
// jPath: true → string

@@ -6,0 +146,0 @@ // jPath: false → ReadonlyMatcher

+3
-3
package.json
{
"name": "fast-xml-parser",
"version": "5.5.8",
"version": "5.5.9",
"description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",

@@ -92,4 +92,4 @@ "main": "./lib/fxp.cjs",

"path-expression-matcher": "^1.2.0",
"strnum": "^2.2.0"
"strnum": "^2.2.2"
}
}
}
+141
-1
src/fxp.d.ts

@@ -1,3 +0,143 @@

import type { Expression, ReadonlyMatcher } from './pem';
/**
* Types copied from path-expression-matcher
* @version <version>
* @updated <date>
*
* Update this file when path-expression-matcher releases a new version.
* Source: https://github.com/NaturalIntelligence/path-expression-matcher
*/
/**
* Options for creating an Expression
*/
export interface ExpressionOptions {
/**
* Path separator character
* @default '.'
*/
separator?: string;
}
/**
* Parsed segment from an expression pattern
*/
export interface Segment {
type: 'tag' | 'deep-wildcard';
tag?: string;
namespace?: string;
attrName?: string;
attrValue?: string;
position?: 'first' | 'last' | 'odd' | 'even' | 'nth';
positionValue?: number;
}
/**
* Expression - Parses and stores a tag pattern expression.
* Patterns are parsed once and stored in an optimized structure for fast matching.
*
* @example
* ```typescript
* const expr = new Expression("root.users.user");
* const expr2 = new Expression("..user[id]:first");
* const expr3 = new Expression("root/users/user", { separator: '/' });
* ```
*
* Pattern Syntax:
* - `root.users.user` — Match exact path
* - `..user` — Match "user" at any depth (deep wildcard)
* - `user[id]` — Match user tag with "id" attribute
* - `user[id=123]` — Match user tag where id="123"
* - `user:first` — Match first occurrence of user tag
* - `ns::user` — Match user tag with namespace "ns"
* - `ns::user[id]:first` — Combine namespace, attribute, and position
*/
export class Expression {
readonly pattern: string;
readonly separator: string;
readonly segments: Segment[];
constructor(pattern: string, options?: ExpressionOptions);
get length(): number;
hasDeepWildcard(): boolean;
hasAttributeCondition(): boolean;
hasPositionSelector(): boolean;
toString(): string;
}
// ---------------------------------------------------------------------------
// ReadonlyMatcher
// ---------------------------------------------------------------------------
/**
* A live read-only view of a Matcher instance, returned by Matcher.readOnly.
*
* All query and inspection methods work normally and always reflect the current
* state of the underlying matcher. State-mutating methods (`push`, `pop`,
* `reset`, `updateCurrent`, `restore`) are not present — calling them on the
* underlying Proxy throws a `TypeError` at runtime.
*
* This is the type received by all FXP user callbacks when `jPath: false`.
*/
export interface ReadonlyMatcher {
readonly separator: string;
/** Check if current path matches an Expression. */
matches(expression: Expression): boolean;
/** Get current tag name, or `undefined` if path is empty. */
getCurrentTag(): string | undefined;
/** Get current namespace, or `undefined` if not present. */
getCurrentNamespace(): string | undefined;
/** Get attribute value of the current node. */
getAttrValue(attrName: string): any;
/** Check if the current node has a given attribute. */
hasAttr(attrName: string): boolean;
/** Sibling position of the current node (child index in parent). */
getPosition(): number;
/** Occurrence counter of the current tag name at this level. */
getCounter(): number;
/** Number of nodes in the current path. */
getDepth(): number;
/** Current path as a string (e.g. `"root.users.user"`). */
toString(separator?: string, includeNamespace?: boolean): string;
/** Current path as an array of tag names. */
toArray(): string[];
/**
* Create a snapshot of the current state.
* The snapshot can be passed to the real Matcher.restore if needed.
*/
snapshot(): MatcherSnapshot;
}
/** Internal node structure — exposed via snapshot only. */
export interface PathNode {
tag: string;
namespace?: string;
position: number;
counter: number;
values?: Record<string, any>;
}
/** Snapshot of matcher state returned by `snapshot()` and `readOnly().snapshot()`. */
export interface MatcherSnapshot {
path: PathNode[];
siblingStacks: Map<string, number>[];
}
/**********************************************************************
*
* END of path-expression-matcher relevant typings
*
**********************************************************************/
// jPath: true → string

@@ -4,0 +144,0 @@ // jPath: false → ReadonlyMatcher

-148
lib/pem.d.cts
/**
* Types copied from path-expression-matcher
* @version <version>
* @updated <date>
*
* Update this file when path-expression-matcher releases a new version.
* Source: https://github.com/NaturalIntelligence/path-expression-matcher
*/
/**
* Options for creating an Expression
*/
interface ExpressionOptions {
/**
* Path separator character
* @default '.'
*/
separator?: string;
}
/**
* Parsed segment from an expression pattern
*/
interface Segment {
type: 'tag' | 'deep-wildcard';
tag?: string;
namespace?: string;
attrName?: string;
attrValue?: string;
position?: 'first' | 'last' | 'odd' | 'even' | 'nth';
positionValue?: number;
}
/**
* Expression - Parses and stores a tag pattern expression.
* Patterns are parsed once and stored in an optimized structure for fast matching.
*
* @example
* ```typescript
* const expr = new Expression("root.users.user");
* const expr2 = new Expression("..user[id]:first");
* const expr3 = new Expression("root/users/user", { separator: '/' });
* ```
*
* Pattern Syntax:
* - `root.users.user` — Match exact path
* - `..user` — Match "user" at any depth (deep wildcard)
* - `user[id]` — Match user tag with "id" attribute
* - `user[id=123]` — Match user tag where id="123"
* - `user:first` — Match first occurrence of user tag
* - `ns::user` — Match user tag with namespace "ns"
* - `ns::user[id]:first` — Combine namespace, attribute, and position
*/
declare class Expression {
readonly pattern: string;
readonly separator: string;
readonly segments: Segment[];
constructor(pattern: string, options?: ExpressionOptions);
get length(): number;
hasDeepWildcard(): boolean;
hasAttributeCondition(): boolean;
hasPositionSelector(): boolean;
toString(): string;
}
// ---------------------------------------------------------------------------
// ReadonlyMatcher
// ---------------------------------------------------------------------------
/**
* A live read-only view of a Matcher instance, returned by Matcher.readOnly().
*
* All query and inspection methods work normally and always reflect the current
* state of the underlying matcher. State-mutating methods (`push`, `pop`,
* `reset`, `updateCurrent`, `restore`) are not present — calling them on the
* underlying Proxy throws a `TypeError` at runtime.
*
* This is the type received by all FXP user callbacks when `jPath: false`.
*/
interface ReadonlyMatcher {
readonly separator: string;
/** Check if current path matches an Expression. */
matches(expression: Expression): boolean;
/** Get current tag name, or `undefined` if path is empty. */
getCurrentTag(): string | undefined;
/** Get current namespace, or `undefined` if not present. */
getCurrentNamespace(): string | undefined;
/** Get attribute value of the current node. */
getAttrValue(attrName: string): any;
/** Check if the current node has a given attribute. */
hasAttr(attrName: string): boolean;
/** Sibling position of the current node (child index in parent). */
getPosition(): number;
/** Occurrence counter of the current tag name at this level. */
getCounter(): number;
/** Number of nodes in the current path. */
getDepth(): number;
/** Current path as a string (e.g. `"root.users.user"`). */
toString(separator?: string, includeNamespace?: boolean): string;
/** Current path as an array of tag names. */
toArray(): string[];
/**
* Create a snapshot of the current state.
* The snapshot can be passed to the real Matcher.restore() if needed.
*/
snapshot(): MatcherSnapshot;
}
/** Internal node structure — exposed via snapshot only. */
interface PathNode {
tag: string;
namespace?: string;
position: number;
counter: number;
values?: Record<string, any>;
}
/** Snapshot of matcher state returned by `snapshot()` and `readOnly().snapshot()`. */
interface MatcherSnapshot {
path: PathNode[];
siblingStacks: Map<string, number>[];
}
declare namespace pem {
export {
Expression,
ExpressionOptions,
Segment,
ReadonlyMatcher,
PathNode,
MatcherSnapshot,
}
}
export = pem;
-135
src/pem.d.ts
/**
* Types copied from path-expression-matcher
* @version <version>
* @updated <date>
*
* Update this file when path-expression-matcher releases a new version.
* Source: https://github.com/NaturalIntelligence/path-expression-matcher
*/
/**
* Options for creating an Expression
*/
export interface ExpressionOptions {
/**
* Path separator character
* @default '.'
*/
separator?: string;
}
/**
* Parsed segment from an expression pattern
*/
export interface Segment {
type: 'tag' | 'deep-wildcard';
tag?: string;
namespace?: string;
attrName?: string;
attrValue?: string;
position?: 'first' | 'last' | 'odd' | 'even' | 'nth';
positionValue?: number;
}
/**
* Expression - Parses and stores a tag pattern expression.
* Patterns are parsed once and stored in an optimized structure for fast matching.
*
* @example
* ```typescript
* const expr = new Expression("root.users.user");
* const expr2 = new Expression("..user[id]:first");
* const expr3 = new Expression("root/users/user", { separator: '/' });
* ```
*
* Pattern Syntax:
* - `root.users.user` — Match exact path
* - `..user` — Match "user" at any depth (deep wildcard)
* - `user[id]` — Match user tag with "id" attribute
* - `user[id=123]` — Match user tag where id="123"
* - `user:first` — Match first occurrence of user tag
* - `ns::user` — Match user tag with namespace "ns"
* - `ns::user[id]:first` — Combine namespace, attribute, and position
*/
export class Expression {
readonly pattern: string;
readonly separator: string;
readonly segments: Segment[];
constructor(pattern: string, options?: ExpressionOptions);
get length(): number;
hasDeepWildcard(): boolean;
hasAttributeCondition(): boolean;
hasPositionSelector(): boolean;
toString(): string;
}
// ---------------------------------------------------------------------------
// ReadonlyMatcher
// ---------------------------------------------------------------------------
/**
* A live read-only view of a {@link Matcher} instance, returned by {@link Matcher.readOnly}.
*
* All query and inspection methods work normally and always reflect the current
* state of the underlying matcher. State-mutating methods (`push`, `pop`,
* `reset`, `updateCurrent`, `restore`) are not present — calling them on the
* underlying Proxy throws a `TypeError` at runtime.
*
* This is the type received by all FXP user callbacks when `jPath: false`.
*/
export interface ReadonlyMatcher {
readonly separator: string;
/** Check if current path matches an Expression. */
matches(expression: Expression): boolean;
/** Get current tag name, or `undefined` if path is empty. */
getCurrentTag(): string | undefined;
/** Get current namespace, or `undefined` if not present. */
getCurrentNamespace(): string | undefined;
/** Get attribute value of the current node. */
getAttrValue(attrName: string): any;
/** Check if the current node has a given attribute. */
hasAttr(attrName: string): boolean;
/** Sibling position of the current node (child index in parent). */
getPosition(): number;
/** Occurrence counter of the current tag name at this level. */
getCounter(): number;
/** Number of nodes in the current path. */
getDepth(): number;
/** Current path as a string (e.g. `"root.users.user"`). */
toString(separator?: string, includeNamespace?: boolean): string;
/** Current path as an array of tag names. */
toArray(): string[];
/**
* Create a snapshot of the current state.
* The snapshot can be passed to the real {@link Matcher.restore} if needed.
*/
snapshot(): MatcherSnapshot;
}
/** Internal node structure — exposed via snapshot only. */
export interface PathNode {
tag: string;
namespace?: string;
position: number;
counter: number;
values?: Record<string, any>;
}
/** Snapshot of matcher state returned by `snapshot()` and `readOnly().snapshot()`. */
export interface MatcherSnapshot {
path: PathNode[];
siblingStacks: Map<string, number>[];
}