Bump the npm_and_yarn group across 5 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: happy-dom.
Bumps the npm_and_yarn group with 4 updates in the /lib/signals-implicit-mode/lib/sequence-v3/lib/account-abstraction directory: flatted, immutable, picomatch and yaml.
Bumps the npm_and_yarn group with 3 updates in the /lib/signals-implicit-mode/lib/sequence-v3/lib/openzeppelin-contracts directory: flatted, picomatch and undici.
Bumps the npm_and_yarn group with 1 update in the /packages/wallet-contracts directory: web3-core-method.
Bumps the npm_and_yarn group with 3 updates in the /packages/wallet/wallet-contracts directory: fast-xml-parser, flatted and picomatch.

Updates happy-dom from 20.7.0 to 20.8.8

Release notes

Sourced from happy-dom's releases.

v20.8.8

👷‍♂️ Patch fixes

• Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
  • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

• Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

• Request.formData() should honor "Content-Type" header - By @​brianhelba in task #2106

v20.8.5

👷‍♂️ Patch fixes

• Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

• Replace ConsoleConstructor import with indexed access type - By @​YevheniiKotyrlo in task #1845

v20.8.3

👷‍♂️ Patch fixes

• Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

• Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

• Make "inert" attribute block focus interactions - By @​coffeeandwork in task #1422

v20.8.0

🎨 Features

• Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

• Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

👷‍♂️ Patch fixes

• Fixes issue related to parsing direct descendants (>) and universal (*) query selectors - By @​Cherry in task #2078

Commits

• 5437fdf fix: #2113 Fixes issue where export names can be interpolated as executable...
• 7e97acb fix: #1845 Replace implementing Node js Console with common IConsole interf...
• 3373929 fix: #2106 Request.formData() should honor Content-Type header (#2107)
• 55c17ba fix: #2110 Fixes error thrown when modifying DOM structure in connectedCall...
• 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
• 5998eea fix: #2054 Throw error if event is not of type Event in dispatchEvent (#2092)
• 7a11238 fix: #2090 Resets cancelBubble and defaultPrevented when calling initEvent ...
• 7d27984 fix: #1422 Make inert attribute block focus interactions (#2083)
• 53e4ec9 feat: #1733 Adds support for setPointerCapture, hasPointerCapture, and rele...
• 1c73c3f fix: Properly decode CSS escape sequences in attribute selector values (#2080)
• Additional commits viewable in compare view

Updates web3-core-method from 1.2.11 to 1.7.4

Release notes

Sourced from web3-core-method's releases.

v1.10.4

Security

• Updated dependencies (#6731)

---

Maintenance Countdown:

Commencing from January 1, 2024, a 90-day countdown has been initiated, signaling the transition of Web3.js version 1.x into an end-of-maintenance phase.

Timeline of Changes:

90-Day Countdown (1/1/24 - 3/31/24): During this period, we strongly encourage users to plan accordingly and initiate the upgrade to Web3.js version 4.x

No New Bug Fixes (4/1/24 onwards):

Starting April 1, 2024, new bug fixes for Web3.js version 1.x will no longer be provided. To benefit from continued support and access to new features, we recommend upgrading to Web3.js version 4.x

End of Security Fixes (7/1/24):

Security fixes for Web3.js version 1.x will be discontinued from July 1, 2024. Upgrading to Web3.js version 4.x is crucial to ensure the security of your applications.

v1.10.4-dev.0

Security

• Updated dependencies (#6731)

v1.10.3

Security

• web3-eth-accounts: Bumped @ethereumjs dependencies (#6457)

• Updated dependencies (#6491)

v1.10.3-dev.0

Security

• web3-eth-accounts: Bumped @ethereumjs dependencies (#6457)

• Updated dependencies (#6491)

---

( Considering discussion about release tags , v1 will follow tags:

• legacy ( for v1 releases )
• legacy-dev ( for v1 test/RC releases, this will replace rc tag)

v1.10.2

Fixed

• Fixed broken fetch for Node.js > 18.x and fixed double callback (#6381)

v1.10.1

Fixed

• Builds fixed by updating all typescript versions to 4.9.5 (#6238)
• ABI encoding for large negative ints (#6239)
• Updated type file for submitWork parameters, accepts 3 parameters instead of an array (#5200)

... (truncated)

Changelog

Sourced from web3-core-method's changelog.

[1.2.11]

Fixed

• Fix Provider.request response (#3647)

Added

• Add unit tests for isHex and isHexStrict (#3622)

[1.3.0]

Added

• Support for typescript files (.ts) to be written alongside regular .js files (#3652)
• Add compareBlock function that allows for complex block comparisons (#3682)

Changed

• Improve RequestManager send method (#3649)
• npm run build now uses TSC to compile (.js allowed) and the build folder is now located under lib (#3652)
• Modernized web3-core to use newer es syntax (#3652)
• Bumped web3-providers-ipc oboe version to 2.1.5 (#3661)
• Bump lodash from 4.17.15 to 4.17.19 (#3641)
• Bump websocket version which removes node-gyp from web3.js (#3685)

Fixed

• Fix parsing of non-eth_subscription provider events (#3660)
• Fix parsedUrl problem of websocket provider (#3666)
• Fix return value for clearSubscriptions (#3689)

[1.3.1]

Added

• Add web3-eth2-core package (#3743) (renamed to web3-eth2-base)
• Add web3-eth2-beaconchain package (#3743) (renamed to web3-eth2-beacon)
• Add stripHexPrefix method to web3-utils package (#3776)

Changed

• bump utils 0.10.0^ -> 0.12.0 (#3733)

Removed

• Removed post-install script in packages/web3. Added documentation to root README (#3717)

Fixed

... (truncated)

Commits

• 56d35a4 lerna version bump and build
• 5b1b9d7 version bumps and lerna build
• 4ab6cc4 changelog update
• f5b72a0 npm i and npm audit fix
• 53e01d9 1x libs update (#6731)
• 5b33133 Add 1.x deprecation notice (#6723)
• 0e8695b 1x release process (#6550)
• 926c882 Release/1.10.3 (#6510)
• dbd96ae 1x deps update (#6491)
• aafce59 v1/chore(web3-eth-accounts): bump @​ethereumjs/common and @​ethereumjs/tx (#6457)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jdevcs, a new releaser for web3-core-method since your current version.

Updates flatted from 3.2.9 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates immutable from 4.3.4 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v4.3.7

What's Changed

• Fix issue with slice negative of filtered sequence by @​jdeniau in immutable-js/immutable-js#2006

Full Changelog: immutable-js/immutable-js@v4.3.6...v4.3.7

v4.3.6

What's Changed

• Fix Repeat().equals(undefined) incorrectly returning true by @​butchler in immutable-js/immutable-js#1994

Internals

• change youtube image by @​jdeniau in immutable-js/immutable-js#1973
• Upgrade eslint and ignore no-constructor-return rule for actual constructors by @​jdeniau in immutable-js/immutable-js#1974
• upgrate documentation website to next 14 by @​jdeniau in immutable-js/immutable-js#1975
• start migrating to nextjs app router by @​jdeniau in immutable-js/immutable-js#1976
• upgrade next sitemap by @​jdeniau in immutable-js/immutable-js#1978

New Contributors

• @​butchler made their first contribution in immutable-js/immutable-js#1994

Full Changelog: immutable-js/immutable-js@v4.3.5...v4.3.6

v4.3.5

What's Changed

• Fix Set.fromKeys types with Map constructor in TS 5.0 by @​jdeniau in immutable-js/immutable-js#1971
• upgrade to TS 5.1 by @​jdeniau in immutable-js/immutable-js#1972
• fix dist-stats command by @​jdeniau in immutable-js/immutable-js#1964
• fix Read the Docs link on readme by @​joshding in immutable-js/immutable-js#1970

New Contributors

• @​joshding made their first contribution in immutable-js/immutable-js#1970

Full Changelog: immutable-js/immutable-js@v4.3.4...v4.3.5

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

• 485cbe0 4.3.8
• 6ed4eb6 Merge commit from fork
• 94bcd3c fix new proto key injection
• faeb58b fix Prototype Pollution in mergeDeep, toJS, etc.
• 37ca417 release 4.3.7 (#2007)
• 23daf26 Fix issue with slice negative of filtered sequence (#2006)
• 493afba release 4.3.6 (#1997)
• be3cb9a Fix Repeat(<value>).equals(undefined) incorrectly returning true (#1994)
• d7664bf generate sitemap in path that will be deployed
• f8327b1 upgrade next sitemap (#1978)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates yaml from 1.10.2 to 1.10.3

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• See full diff in compare view

Updates flatted from 3.3.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates undici from 6.12.0 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v6.23.0

⚠️ Security Release

... (truncated)

Commits

• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• 4e0179a fix: reject duplicate content-length and host headers
• 5a97f08 Fix websocket 64-bit length overflow
• e43e898 fix: validate upgrade header to prevent CRLF injection
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates web3-core-method from 1.2.11 to 1.10.4

Release notes

Sourced from web3-core-method's releases.

v1.10.4

Security

• Updated dependencies (#6731)

---

Maintenance Countdown:

Commencing from January 1, 2024, a 90-day countdown has been initiated, signaling the transition of Web3.js version 1.x into an end-of-maintenance phase.

Timeline of Changes:

90-Day Countdown (1/1/24 - 3/31/24): During this period, we strongly encourage users to plan accordingly and initiate the upgrade to Web3.js version 4.x

No New Bug Fixes (4/1/24 onwards):

Starting April 1, 2024, new bug fixes for Web3.js version 1.x will no longer be provided. To benefit from continued support and access to new features, we recommend upgrading to Web3.js version 4.x

End of Security Fixes (7/1/24):

Security fixes for Web3.js version 1.x will be discontinued from July 1, 2024. Upgrading to Web3.js version 4.x is crucial to ensure the security of your applications.

v1.10.4-dev.0

Security

• Updated dependencies (#6731)

v1.10.3

Security

• web3-eth-accounts: Bumped @ethereumjs dependencies (#6457)

• Updated dependencies (#6491)

v1.10.3-dev.0

Security

• web3-eth-accounts: Bumped @ethereumjs dependencies (#6457)

• Updated dependencies (#6491)

---

( Considering discussion about release tags , v1 will follow tags:

• legacy ( for v1 releases )
• legacy-dev ( for v1 test/RC releases, this will replace rc tag)

v1.10.2

Fixed

• Fixed broken fetch for Node.js > 18.x and fixed double callback (#6381)

v1.10.1

Fixed

• Builds fixed by updating all typescript versions to 4.9.5 (#6238)
• ABI encoding for large negative ints (#6239)
• Updated type file for submitWork parameters, accepts 3 parameters instead of an array (#5200)

... (truncated)

Changelog

Sourced from web3-core-method's changelog.

[1.2.11]

Fixed

• Fix Provider.request response (#3647)

Added

• Add unit tests for isHex and isHexStrict (#3622)

[1.3.0]

Added

• Support for typescript files (.ts) to be written alongside regular .js files (#3652)
• Add compareBlock function that allows for complex block comparisons (#3682)

Changed

• Improve RequestManager send method (#3649)
• npm run build now uses TSC to compile (.js allowed) and the build folder is now located under lib (#3652)
• Modernized web3-core to use newer es syntax (#3652)
• Bumped web3-providers-ipc oboe version to 2.1.5 (#3661)
• Bump lodash from 4.17.15 to 4.17.19 (#3641)
• Bump websocket version which removes node-gyp from web3.js (#3685)

Fixed

• Fix parsing of non-eth_subscription provider events (#3660)
• Fix parsedUrl problem of websocket provider (#3666)
• Fix return value for clearSubscriptions (#3689)

[1.3.1]

Added

• Add web3-eth2-core package (#3743) (renamed to web3-eth2-base)
• Add web3-eth2-beaconchain package (#3743) (renamed to web3-eth2-beacon)
• Add stripHexPrefix method to web3-utils package (#3776)

Changed

• bump utils 0.10.0^ -> 0.12.0 (#3733)

Removed

• Removed post-install script in packages/web3. Added documentation to root README (#3717)

Fixed

... (truncated)

Commits

• 56d35a4 lerna version bump and build
• 5b1b9d7 version bumps and lerna build
• 4ab6cc4 changelog update
• f5b72a0 npm i and npm audit fix
• 53e01d9 1x libs update (#6731)
• 5b33133 Add 1.x deprecation notice (#6723)
• 0e8695b 1x release process (#6550)
• 926c882 Release/1.10.3 (#6510)
• dbd96ae 1x deps update (#6491)
• aafce59 v1/chore(web3-eth-accounts): bump @​ethereumjs/common and @​ethereumjs/tx (#6457)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jdevcs, a new releaser for web3-core-method since your current version.

Updates fast-xml-parser from 5.2.5 to 5.5.8

Release notes

Sourced from fast-xml-parser's releases.

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

• combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

• support maxEntityCount
• support onDangerousProperty
• support maxNestedTags
• handle prototype pollution
• fix incorrect entity name replacement
• fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

• pass read only matcher in callback

5.5.7 / 2026-03-19

• fix: entity expansion limits
• update strnum package to 2.2.0

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

... (truncated)

Commits

• a92a665 pass read only matcher in call back
• a21c441 update package detail
• 239b64a check for min value for entity exapantion options
• 61cb666 restrict more properties to be unsafe
• 41abd66 performance improvement of reading DOCTYPE
• 3dfcd20 refactor: performance improvement
• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• Description has been truncated

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	Mar 26, 2026 11:42pm
sequence-js-web	Ready	Preview, Comment	Mar 26, 2026 11:42pm
sequence.js	Ready	Preview, Comment	Mar 26, 2026 11:42pm
wagmi-project	Error		Mar 26, 2026 11:42pm

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[dependabot]

Superseded by #408.