fix(rss): unpin fast-xml-parser to resolve entity expansion CVEs

[blimmer]

Changes

• Unpin fast-xml-parser from exact 5.4.1 to ^5.5.7

The pin was introduced in #15830 because v5.5.0 shipped with a broken dependency declaration ("fast-xml-builder": "file:../../fxp-builder"). The upstream issue (NaturalIntelligence/fast-xml-parser#799) is now closed and resolved.

The pinned v5.4.1 has open CVEs related to entity expansion limits (XXE prevention), which are fixed in v5.5.7+:

• CVE-2025-27098 — Prototype pollution via attribute parsing
• CVE-2025-27439 — Entity expansion (billion laughs) attack

No breaking API changes exist between 5.4.1 and 5.5.7. The options used by @astrojs/rss (ignoreAttributes, suppressEmptyNode, suppressBooleanAttributes) are unchanged. The fast-xml-builder transitive dependency moved from 1.0.0 to ^1.1.4 (same major version).

Testing

• All 21 existing @astrojs/rss tests pass with no changes needed
• Tests cover the full API surface: basic items, content encoding, custom data, stylesheets, self-closing tags, enclosures, sources, categories, and trailing slashes

Docs

No user-facing behavior changes — this is a transparent dependency update.

[changeset-bot]

🦋 Changeset detected

Latest commit: 492a016

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR