Fix CI Snyk vulnerabilities in liquidjs and fast-xml-parser

[Copilot]

Snyk CI check failing due to high-severity vulnerabilities in liquidjs@10.12.0 and fast-xml-parser@5.3.4.

Changes

• liquidjs: Bump from ^10.8.4 to ^10.25.0 across all packages

  • Fixes SNYK-JS-LIQUIDJS-15443434 (Directory Traversal)

• fast-xml-parser: Add yarn resolution to force 5.5.9

  • Transitive dependency via @aws-sdk/*
  • Fixes XML Entity Expansion and regex DoS vulnerabilities

"resolutions": {
  "fast-xml-parser": "5.5.9"
}

All existing liquidjs tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• formulae.brew.sh
  • Triggering command: /bin/curl /bin/curl -q --fail --compressed --silent --speed-limit 100 --speed-time 5 --location --remote-time --output /home/REDACTED/.cache/Homebrew/api/formula.jws.json --user-agent Linuxbrew/5.1.1 (Linux; x86_64 Ubuntu 24.04.3 LTS) curl/8.5.0 REDACTED user.email l/config (dns block)
  • Triggering command: /bin/curl /bin/curl -q --fail --compressed --silent --speed-limit 100 --speed-time 5 --location --remote-time --output /home/REDACTED/.cache/Homebrew/api/cask.jws.json --user-agent Linuxbrew/5.1.1 (Linux; x86_64 Ubuntu 24.04.3 LTS) curl/8.5.0 REDACTED user.email lude (dns block)
  • Triggering command: /bin/curl /bin/curl -q --fail --compressed --silent --speed-limit 100 --speed-time 5 --location --remote-time --output /home/REDACTED/.cache/Homebrew/api/formula_tap_migrations.jws.json --user-agent Linuxbrew/5.1.1 (Linux; x86_64 Ubuntu 24.04.3 LTS) curl/8.5.0 REDACTED user.email lude (dns block)
• https://api.github.com/repos/Homebrew/brew/tags
  • Triggering command: /bin/curl /bin/curl -q --silent --max-time 3 --location --no-remote-time --output /dev/null --write-out %{http_code} --dump-header /home/linuxbrew/.linuxbrew/Homebrew/.git/GITHUB_HEADERS --user-agent Linuxbrew/5.1.1 (Linux; x86_64 Ubuntu 24.04.3 LTS) curl/8.5.0 --header X-GitHub-Api-Version:2022-11-28 --header Accept: application/vnd.github+json --header (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.89%. Comparing base (4aa858f) to head (5a646d5).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3686      +/-   ##
==========================================
+ Coverage   80.83%   80.89%   +0.06%     
==========================================
  Files        1382     1639     +257     
  Lines       27543    31642    +4099     
  Branches     5883     6962    +1079     
==========================================
+ Hits        22264    25598    +3334     
- Misses       4342     5087     +745     
- Partials      937      957      +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mdkhan-tw]

Can we try exhaustive testing? We had a sev because of liquidjs parsing error

[itsarijitray]

Can we try exhaustive testing? We had a sev because of liquidjs parsing error

Yes... This yet to be tested on staging...