Gathering detailed insights and metrics for fast-xml-parser
Gathering detailed insights and metrics for fast-xml-parser
Validate XML, Parse XML and Build XML rapidly without C/C++ based libraries and no callback.
Installations
npm install fast-xml-parserDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Node Version
22.14.0
NPM Version
10.9.2
Score
99.4
Supply Chain
99.6
Quality
91.7
Maintenance
100
Vulnerability
100
License
Releases
16
upgrade to ESM module and fixing value parsing issues
v5.2.2
Updated on May 05, 2025
Summary update on all the previous releases from v4.2.4
v5.0.8
Updated on Feb 27, 2025
Security Fix
v4.2.4
Updated on Jun 07, 2023
v4
v4.0.0
Updated on Jan 06, 2022
Fixed Parsing issues
3.17.1
Updated on May 19, 2020
Validator fix for & characters and no more settings for locale range
3.16.0
Updated on Jan 12, 2020
Languages
3
JavaScript
HTML
TypeScript
JavaScript (93.83%)
HTML (3.51%)
TypeScript (2.66%)
Developer
Download Statistics
Total Downloads
2,599,024,076
Last Day
1,444,258
Last Week
30,099,008
Last Month
129,277,317
Last Year
1,267,949,963
GitHub Statistics
MIT License
2,825 Stars
901 Commits
326 Forks
31 Watchers
8 Branches
104 Contributors
Updated on Jul 01, 2025
Bundle Size
27.60 kB
Minified
8.91 kB
Minified + Gzipped
Sponsor this package
Maintainers
1
Package Meta Information
Latest Version
5.2.5
Package Id
fast-xml-parser@5.2.5
Unpacked Size
555.10 kB
Size
147.89 kB
File Count
55
NPM Version
10.9.2
Node Version
22.14.0
Published on
Jun 08, 2025
Total Downloads
Cumulative downloads
Total Downloads
2,599,024,076
fast-xml-parser
Validate XML, Parse XML to JS Object, or Build XML from JS Object without C/C++ based libraries and no callback.
- Validate XML data syntactically. Use detailed-xml-validator to verify business rules.
- Parse XML to JS Objectand vice versa
- Common JS, ESM, and browser compatible
- Faster than any other pure JS implementation.
It can handle big files (tested up to 100mb). XML Entities, HTML entities, and DOCTYPE entites are supported. Unpaired tags (Eg <br> in HTML), stop nodes (Eg <script> in HTML) are supported. It can also preserve Order of tags in JS object
Your Support, Our Motivation
Try out our New Thoughts
We've recently launched Flowgger
Don't forget to check our new library Text2Chart that constructs flow chart out of simple text. Very helpful in creating or alayzing an algorithm, and documentation purpose.
Financial Support
Sponsor this project
This is a donation. No goods or services are expected in return. Any requests for refunds for those purposes will be rejected.
Users
The list of users are mostly published by Github or communicated directly. Feel free to contact if you find any information wrong.
More about this library
How to use
To use as package dependency
$ npm install fast-xml-parser
or
$ yarn add fast-xml-parser
To use as system command
$ npm install fast-xml-parser -g
To use it on a webpage include it from a CDN
Example
As CLI command
1$ fxparser some.xml
In a node js project
1const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); 2 3const parser = new XMLParser(); 4let jObj = parser.parse(XMLdata); 5 6const builder = new XMLBuilder(); 7const xmlContent = builder.build(jObj);
In a HTML page
1<script src="path/to/fxp.min.js"></script> 2: 3<script> 4 const parser = new fxparser.XMLParser(); 5 parser.parse(xmlContent); 6</script>
Bundle size
| Bundle Name | Size |
|---|---|
| fxbuilder.min.js | 6.5K |
| fxparser.min.js | 20K |
| fxp.min.js | 26K |
| fxvalidator.min.js | 5.7K |
Documents
| v3 | v4 and v5 | v6 |
| documents |
note:
- Version 6 is released with version 4 for experimental use. Based on it's demand, it'll be developed and the features can be different in final release.
- Version 5 has the same functionalities as version 4.
Performance
negative means error
XML Parser
- Y-axis: requests per second
- X-axis: File size
XML Builder
* Y-axis: requests per second
Usage Trend
Usage Trend of fast-xml-parser
Supporters
Contributors
This project exists thanks to all the people who contribute. [Contribute].
Backers from Open collective
Thank you to all our backers! 🙏 [Become a backer]
License
- MIT License
High
7.5/10
Summary
fast-xml-parser vulnerable to ReDOS at currency parsing
Affected Versions
>= 4.3.5, < 4.4.1
Patched Versions
4.4.1
High
7.5/10
Summary
fast-xml-parser vulnerable to Regex Injection via Doctype Entities
Affected Versions
>= 4.1.3, < 4.2.4
Patched Versions
4.2.4
Moderate
6.5/10
Summary
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Affected Versions
< 4.1.2
Patched Versions
4.1.2
Low
0/10
Summary
fast-xml-parser regex vulnerability patch could be improved from a safety perspective
Affected Versions
= 4.2.4
Patched Versions
4.2.5
Reason
security policy file detected
Details
- Info: security policy file detected: .github/SECURITY.md:1
- Info: Found linked content: .github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1
- Info: Found text in security policy: .github/SECURITY.md:1
Reason
no binaries found in the repo
Reason
20 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
project is fuzzed
Details
- Info: OSSFuzz integration found
Reason
Found 7/30 approved changesets -- score normalized to 2
Reason
8 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/greetings.yml:1
- Warn: no topLevel permission defined: .github/workflows/node.js.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 7 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/greetings.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/NaturalIntelligence/fast-xml-parser/greetings.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/NaturalIntelligence/fast-xml-parser/node.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/NaturalIntelligence/fast-xml-parser/node.js.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node.js.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/NaturalIntelligence/fast-xml-parser/node.js.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/node.js.yml:29
- Info: 0 out of 3 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Score
5.6
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More