[Security] Bump fast-xml-parser require from ^4.1.3 to ^4.2.4

[larouxn]

Apparently fast-xml-parser has a security vulnerability (GHSA-6w63-h3fj-q4vw) below version 4.2.4. Thus, I'm proposing we bump the minimum required version from 4.1.3 to 4.2.4.

[larouxn]

Hmm, getting some seemingly comment linting related error in npm test.

TypeError: Cannot read property 'getAllComments' of undefined
Occurred while linting /home/runner/work/is-svg/is-svg/index.js:1
Rule: "unicorn/expiring-todo-comments"
    at Object.Program (/home/runner/work/is-svg/is-svg/node_modules/eslint/lib/rules/no-warning-comments.js:1[9](https://github.com/sindresorhus/is-svg/actions/runs/5195611012/jobs/9368506902?pr=36#step:5:10)3:45)

https://github.com/sindresorhus/is-svg/actions/runs/5195611012/jobs/9368506842?pr=36

[larouxn]

Ah, looks like the issue is with an outdated version of the eslint-plugin-unicorn plugin. With an older version of that plug plus xo plus eslint 8.40.0, linting blows up.

• Fails with eslint 8.40.0: TypeError: Cannot read properties of undefined (reading 'getAllComments') xojs/xo#718
• Bug: Cannot read properties of undefined (reading 'getAllComments') eslint/eslint#17167 (comment)

Opened up PRs on xo to bump eslint-plugin-unicorn.

• Bump eslint-plugin-unicorn from 46.0.0 to 47.0.0 xojs/xo#720
• Bump eslint-plugin-unicorn from 46.0.0 to 46.0.1 xojs/xo#723

[larouxn]

Apparently one can bump fast-xml-parser to 4.2.4 even with the ^4.1.3 requirement. Wasn't aware the ^ allows patch and minor version updates. Neat 👍

[larouxn]

Closed this, though I do think an explicit requirement of the secure version i.e. ^4.2.4 would be an improvement.