This library is getting installed when I npm install @mitre/saf and npm reports there are vulnerabilities to check. When I run npm audit, it reports the following for this lib's fast-xml-parser dependency:
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ fast-xml-parser vulnerable to Regex Injection via Doctype    │
│               │ Entities                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fast-xml-parser                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.4                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mitre/saf                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mitre/saf > @mitre/inspec-objects > fast-xml-parser         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-6w63-h3fj-q4vw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ fast-xml-parser vulnerable to Prototype Pollution through    │
│               │ tag or attribute name                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fast-xml-parser                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mitre/saf                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mitre/saf > @mitre/inspec-objects > fast-xml-parser         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-x3cc-x39p-42qx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
Looking at this package's package.json, the fast-xml-parser dependency is "^3.1.19", so I can see where that won't pick up a 4.x version of fast-xml-parser. I'm not a JS/node developer, so I don't know how easy a lift it is to go from 3.x to 4.x.
I will note, however, that when I create a package-lock.json for my @mitre/saf install, @mitre/hdf-converters wants fast-xml-parser "^4.2.0" and @mitre/saf itself wants "^4.2.7". They appear to be using 4.2.7, which is the latest release (https://www.npmjs.com/package/fast-xml-parser?activeTab=versions).
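The point of the report above is that a `^3.1.19` caret range can only resolve inside the 3.x line, so the 4.2.4 / 4.1.2 floors in the two advisories can never be reached through `@mitre/inspec-objects` while the rest of the install already sits on 4.2.7. The following script is an added example, not code from this issue or from the @mitre projects: it walks a lockfileVersion 2/3 `package-lock.json` `packages` map, lists every installed copy of fast-xml-parser with its filesystem nesting, checks each against the "Patched in" floors quoted by npm audit, and shows the caret check that explains the stuck 3.x copy. The sample lockfile, the version `3.21.1` for the nested copy, and the minimal semver comparison are all constructed for the example; the script has no dependencies and runs offline.

```javascript
// Added example (not from the original issue or the @mitre projects): audit a
// package-lock.json for every installed copy of fast-xml-parser and compare it
// with the "Patched in" floors from the two advisories quoted above.
// A minimal semver comparer is inlined so the script runs with no dependencies.

// Floors taken from the npm audit output in the issue.
const PATCHED_IN = {
  "GHSA-6w63-h3fj-q4vw": "4.2.4", // Regex Injection via Doctype Entities
  "GHSA-x3cc-x39p-42qx": "4.1.2", // Prototype Pollution through tag or attribute name
};

// Parse "MAJOR.MINOR.PATCH", tolerating a leading range operator such as "^".
function parseVersion(v) {
  const m = /^[\^~>=<]*\s*v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for majors >= 1: same major as the base and not older than
// it. This is exactly why "^3.1.19" can never resolve to a 4.x release.
// (^0.x.y ranges are narrower and are deliberately not handled here.)
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("expected a caret range");
  const base = parseVersion(range);
  if (base[0] === 0) throw new Error("^0.x ranges are not handled in this example");
  return parseVersion(version)[0] === base[0] && compareVersions(version, range) >= 0;
}

// Advisory IDs that an installed version is still exposed to.
function unpatchedAdvisories(version) {
  return Object.entries(PATCHED_IN)
    .filter(([, floor]) => compareVersions(version, floor) < 0)
    .map(([id]) => id);
}

// Walk the lockfile "packages" map (keys are node_modules paths) and report
// every copy of pkgName. The path shown is the filesystem nesting, which is
// not always identical to the dependency path npm audit prints.
function auditLock(lock, pkgName = "fast-xml-parser") {
  const suffix = `node_modules/${pkgName}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({
      path: path
        .split("node_modules/")
        .filter(Boolean)
        .map((s) => s.replace(/\/$/, ""))
        .join(" > "),
      version: entry.version,
      unpatched: unpatchedAdvisories(entry.version),
    }));
}

// Constructed sample lockfile (not a real @mitre/saf lock): a hoisted 4.2.7
// copy for the packages that want ^4.x, and a nested 3.x copy pinned under
// @mitre/inspec-objects by its "^3.1.19" range. The 3.21.1 version is assumed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/fast-xml-parser": { version: "4.2.7" },
    "node_modules/@mitre/inspec-objects": {
      dependencies: { "fast-xml-parser": "^3.1.19" },
    },
    "node_modules/@mitre/inspec-objects/node_modules/fast-xml-parser": {
      version: "3.21.1",
    },
  },
};

// Stand-alone run: pass a real lockfile with
//   node audit-fxp.js path/to/package-lock.json
// (file name is hypothetical); with no argument the constructed sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLock(lock), null, 2));
  console.log('"^3.1.19" satisfied by 4.2.7?', caretSatisfies("^3.1.19", "4.2.7"));
}
```

Each finding carries the advisory IDs the installed copy is still below; an empty `unpatched` array means that copy already meets both floors. The caret check is the narrow "major >= 1" case only, which is enough to show why the nested copy stays on 3.x until the range in `@mitre/inspec-objects` is raised.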