Pulp Engine Document Rendering

Release v0.75.8 — fast-xml-parser + uuid advisory overrides

Date: 2026-04-23
Tag: v0.75.8

Summary

Dependency-advisory patch. v0.75.7 shipped the SDK-publish-workflow-honesty fixes, but its push-time CI went red because two new GitHub advisories landed between its pre-tag CI run (green at 14:14 UTC) and its tag-push CI run (red at 14:52 UTC). Both affected packages are transitive dependencies under the AWS and Azure SDK stacks, and neither sits on a code path we exercise, but the pnpm audit --prod --audit-level=moderate gate in ci.yml only compares resolved versions against the advisory ranges; it has no per-usage allowlist, so the only way to get it green is to raise the resolved versions. Overrides added, lockfile regenerated, audit clean.

What shipped

1. fast-xml-parser >=5.7.0

Advisory: GHSA-gh4j-gqv2-49f6 — moderate — “XML Comment and CDATA Injection via Unescaped Delimiters”.

Transitive path: @pulp-engine/api > @aws-sdk/client-s3 > @aws-sdk/core > @aws-sdk/xml-builder > fast-xml-parser.

The advisory affects the XML builder path. We only consume S3 via the AWS SDK (get/put asset binaries), which uses the builder internally for request serialization — no user-controlled input reaches the builder delimiter logic directly. Version bump is strictly defensive.

2. uuid >=14.0.0

Advisory: GHSA-w5hq-g745-h8pq — moderate — “Missing buffer bounds check in v3/v5/v6 when buf is provided”.

Transitive path: @pulp-engine/api > mssql > tedious > @azure/identity > @azure/msal-node > uuid.

The advisory specifically targets the v3/v5/v6 APIs when called with a pre-allocated buf argument. We never call uuid.v3/v5/v6(...) anywhere in our code, and msal-node's internal call uses v4 for correlation IDs per upstream source. uuid@14 is a major-version bump with an ESM-only rewrite, but msal-node resolves it cleanly through the override.

Operational status

Same picture as v0.75.7 — operator-owned secrets still gate actual SDK publication:

  • ✅ GitHub Release v0.75.8 (when CI passes)
  • ✅ Docker image on GHCR
  • @pulp-engine/sdk + @pulp-engine/template-model on npm — will fail loudly with the v0.75.7 diagnostic until NPM_TOKEN is set
  • PulpEngine.Sdk on NuGet — fails on empty NUGET_API_KEY
  • pulp-engine-go on the mirror repo — should publish once the mirror token is verified
  • pulp-engine on PyPI — trusted-publisher config still pending at pypi.org

Verification

Local:

  • pnpm audit --prod --audit-level=moderate: No known vulnerabilities found (was 1 moderate on v0.75.7's tag commit).
  • pnpm --filter @pulp-engine/api build succeeds against the bumped lockfile.
  • node scripts/check-version.mjs green on the pre-tag commit.
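One check worth running alongside the audit is confirming that the overrides above (items 1 and 2 under "What shipped") actually landed in pnpm-lock.yaml, i.e. that no stale copy of fast-xml-parser or uuid below the override floor survives anywhere in the resolved tree, which is exactly the case where pnpm audit would stay red after the override was added but before the lockfile was regenerated. The script below is an added example, not Pulp Engine code: it assumes the pnpm lockfile v9 layout (a top-level packages: section keyed by name@version), handles only the >=x.y.z override form this release uses, and runs against a constructed lockfile excerpt whose versions and integrity hashes are placeholders.

```javascript
// Added example (not Pulp Engine code): verify that every resolved copy of an
// overridden package in pnpm-lock.yaml satisfies the override's minimum version.
// Assumes pnpm lockfile v9 layout (top-level `packages:` with `name@version:` keys).

// The overrides block as it would sit under "pnpm" in package.json.
// Only `>=x.y.z` ranges are handled here, which is the form this release uses.
const overrides = {
  "fast-xml-parser": ">=5.7.0",
  uuid: ">=14.0.0",
};

// Constructed lockfile excerpt. Versions other than the two override floors and
// all integrity hashes are placeholders. The stale uuid@9.0.1 entry models a
// lockfile that was not regenerated after the override was added.
const lockfile = `
lockfileVersion: '9.0'

overrides:
  fast-xml-parser: '>=5.7.0'
  uuid: '>=14.0.0'

packages:

  '@aws-sdk/xml-builder@3.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}

  '@azure/msal-node@2.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}

  fast-xml-parser@5.7.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  uuid@14.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  uuid@9.0.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

snapshots:

  '@aws-sdk/xml-builder@3.0.0':
    dependencies:
      fast-xml-parser: 5.7.0
`;

// Parse the numeric "x.y.z" prefix of a version (pre-release suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (major, minor, patch order).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every resolved version of every package in the `packages:` section.
// Returns Map<packageName, Set<version>>.
function resolvedVersions(lock) {
  const afterPackages = lock.split(/^packages:\s*$/m)[1];
  if (afterPackages === undefined) throw new Error("no packages: section in lockfile");
  const body = afterPackages.split(/^snapshots:\s*$/m)[0];
  // Keys are indented two spaces, quoted when scoped, may carry a peer-dep
  // suffix in parentheses, and end with a colon.
  const key = /^  '?(@?[^@'\s]+)@([^'\s:(]+)(?:\([^)]*\))*'?:\s*$/gm;
  const out = new Map();
  for (const m of body.matchAll(key)) {
    if (!out.has(m[1])) out.set(m[1], new Set());
    out.get(m[1]).add(m[2]);
  }
  return out;
}

// For each override, list resolved versions below the floor (or a missing
// package). An empty array means the override is fully reflected in the lockfile.
function checkOverrides(lock, ovr) {
  const resolved = resolvedVersions(lock);
  const violations = [];
  for (const [name, range] of Object.entries(ovr)) {
    const m = /^>=\s*(\S+)$/.exec(range);
    if (!m) throw new Error(`unsupported override range for ${name}: ${range}`);
    const versions = resolved.get(name) ?? new Set();
    if (versions.size === 0) violations.push(`${name}: not present in lockfile`);
    for (const v of versions) {
      if (compareVersions(v, m[1]) < 0) violations.push(`${name}@${v} < ${m[1]}`);
    }
  }
  return violations;
}

const problems = checkOverrides(lockfile, overrides);
console.log(problems.length ? problems.join("\n") : "all overrides satisfied");
```

Against the constructed excerpt this reports uuid@9.0.1 < 14.0.0, the stale copy that a version-gated audit would still flag; on a lockfile regenerated after the override it reports nothing. In a real checkout you would read pnpm-lock.yaml and the pnpm.overrides object from package.json instead of the embedded strings.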