
CVE-2026-25896 / CVE-2026-26278: fast-xml-parser 4.x fix is backported, but adaptivecards-templating still depends on archived adaptive-expressions #580

@yuezk

Description


Hi maintainers,

I’m reporting a dependency security issue affecting adaptivecards-templating consumers.

Summary

adaptivecards-templating (v2.x) relies on adaptive-expressions as a peer dependency. The latest adaptive-expressions release (4.23.3) still depends on fast-xml-parser ^4.4.1, which is flagged by current advisories (critical) for XML parser issues.

This creates a problem for consumers:

  • Security scanners flag a critical vulnerability in the dependency tree
  • Upgrading adaptive-expressions does not resolve it (4.23.3 still depends on ^4.4.1)
  • The adaptive-expressions upstream repo (microsoft/botbuilder-js) is archived, so a fix may not arrive there

Dependency chain

adaptivecards-templating -> adaptive-expressions -> fast-xml-parser

Current package state (verified)

  • adaptivecards-templating@2.3.1 (peer dep: adaptive-expressions: ^4.11.0)
  • adaptive-expressions@4.23.3 -> fast-xml-parser: ^4.4.1

Security advisories involved

  • CVE-2026-26278 (DoS through entity expansion in DOCTYPE)
  • CVE-2026-25896 (entity encoding bypass via regex injection in DOCTYPE entity names)

Upstream context

I also opened an issue in fast-xml-parser asking for a fix/backport in the 4.x line, since many downstream packages are still pinned there:

Based on the maintainer's response there, a 4.x backport currently seems unlikely (the issue was closed without a 4.x remediation plan).

This makes a clear, supported mitigation path important for adaptivecards-templating consumers.

Request

Could you please advise and/or take one of these actions?

  1. Provide an official mitigation path for adaptivecards-templating consumers
  2. Update adaptivecards-templating docs to acknowledge the issue and the recommended workaround (e.g. a safe override/pin, if compatible)
  3. Decouple/limit the dependency on adaptive-expressions features that require fast-xml-parser (if feasible)
  4. Publish a maintained compatibility path (fork/alternate package/version guidance) now that adaptive-expressions upstream is archived

Additional context

adaptivecards-templating v2+ correctly moved adaptive-expressions out as a peer dependency, which usually helps with independent upgrades. In this case, the latest adaptive-expressions still retains the vulnerable dependency range, so upgrading it does not resolve the issue.

Thanks.
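One way for a consumer to verify whether a pin or `overrides` entry actually changed what adaptive-expressions resolves, as an added example that is not part of this issue or of the adaptivecards project: the script below walks an npm lockfile's v2/v3 `packages` map and lists every dependency chain ending at a target package together with the installed version. The lockfile contents, including the installed fast-xml-parser version, are a constructed sample, not a real install.

```javascript
// Added example (not from the issue or the adaptivecards project): walk an npm
// lockfile v2/v3 "packages" map and list every dependency chain that resolves
// to a target package, with the installed version, to verify an override took.
const SAMPLE_LOCK = { // constructed sample mirroring the chain in the issue
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "adaptivecards-templating": "^2.3.1", "adaptive-expressions": "^4.23.3" } },
    "node_modules/adaptivecards-templating": { version: "2.3.1", peerDependencies: { "adaptive-expressions": "^4.11.0" } },
    "node_modules/adaptive-expressions": { version: "4.23.3", dependencies: { "fast-xml-parser": "^4.4.1" } },
    "node_modules/fast-xml-parser": { version: "4.4.1" }, // sample installed version, not a real install
  },
};
// Resolve `dep` from the package at lockfile key `from` the way Node does:
// nearest node_modules first, then walk up toward the root.
function resolveKey(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// All chains (arrays of "name@version") from the root package to `target`.
// Peer dependencies are followed too, since that is how the issue's chain is wired.
function findPathsTo(lock, target) {
  const packages = lock.packages, results = [];
  const visit = (key, chain) => {
    const pkg = packages[key];
    const deps = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveKey(packages, key, dep);
      if (!resolved) continue;               // unmet peer dep or pruned package
      const label = `${dep}@${packages[resolved].version}`;
      if (chain.includes(label)) continue;   // cycle guard
      const next = [...chain, label];
      if (dep === target) results.push(next); else visit(resolved, next);
    }
  };
  visit("", []);
  return results;
}
// Chains whose installed `target` still sits on the flagged major version.
function chainsOnMajor(lock, target, majorVer) {
  const majorOf = c => c[c.length - 1].split("@").pop().split(".")[0];
  return findPathsTo(lock, target).filter(c => majorOf(c) === String(majorVer));
}

console.log(chainsOnMajor(SAMPLE_LOCK, "fast-xml-parser", 4).map(c => c.join(" -> ")).join("\n"));
```

Pointing `SAMPLE_LOCK` at a parsed real `package-lock.json` (`JSON.parse(fs.readFileSync("package-lock.json"))`) turns this into a quick post-override check; an empty result for major 4 means no chain still reaches a 4.x build.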
