
fix(deps): bump fast-xml-parser to 5.5.6 for GHSA-8gc5-j5rx-235r#13412

Merged
czubocha merged 1 commit into main from fix/fast-xml-parser-cve-2026-26278
Mar 19, 2026
Conversation

@czubocha (Contributor) commented Mar 18, 2026

Summary

  • Update @aws-sdk/xml-builder from 3.972.9 to 3.972.13 across 13 lockfiles, which upgrades fast-xml-parser from 5.4.1 to 5.5.6
  • Resolves GHSA-8gc5-j5rx-235r (numeric entity expansion bypassing all entity expansion limits, incomplete fix for CVE-2026-26278)

Root cause

@aws-sdk/xml-builder pinned fast-xml-parser to exactly 5.4.1, which is vulnerable to numeric entity expansion DoS (all versions through 5.5.5 are affected). AWS published @aws-sdk/xml-builder@3.972.13, which bumps to fast-xml-parser@5.5.6 and also sets processEntities: { maxTotalExpansions: Infinity } to prevent the new expansion limit from breaking legitimate AWS XML responses.

Test plan

  • npm install succeeds cleanly
  • npm audit no longer reports fast-xml-parser vulnerabilities
  • All 13 lockfiles resolve to @aws-sdk/xml-builder@3.972.13 + fast-xml-parser@5.5.6
  • Smoke-tested fast-xml-parser@5.5.6 with the @aws-sdk/xml-builder@3.972.13 parser config (300 CloudFormation events, 1500+ entity expansions) — no Entity expansion limit exceeded error
  • Only package-lock.json files changed — no package.json modifications
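
The root-cause comment above describes the two things a defender cares about here: a parser-side cap on the total number of entity expansions, and the fact that numeric character references slipped past the earlier limit. What follows is an added example, not code from fast-xml-parser, the AWS SDK or this repository: a small pre-parse budget check in JavaScript that charges every entity reference, named or numeric, against a caller-supplied limit and rejects the document before a full parse is attempted. The function names, the default limits and the sample documents are constructed for illustration and do not correspond to fast-xml-parser's own option names or defaults.

```javascript
// Added example (not fast-xml-parser's implementation): a pre-parse budget
// check that models the two limits the PR text refers to, a cap on the total
// number of entity expansions and a cap on the expanded size. Numeric
// character references (&#65; / &#x41;) are charged against the budget too,
// which is the class of reference the incomplete fix left uncounted.
// Function names, limits and sample documents are constructed for illustration.

const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&(#x[0-9A-Fa-f]+|#\d+|[A-Za-z_][\w.-]*);/g;
// DOCTYPE with an optional internal subset [...]; group 1 is the subset text.
const DOCTYPE = /<!DOCTYPE\s[^\[>]*(?:\[([\s\S]*?)\]\s*)?>/;

// Collect internal general entity declarations (external SYSTEM/PUBLIC
// entities are ignored) and return the document with the DOCTYPE removed,
// so only the body is measured.
function splitDoctype(xml) {
  const decls = new Map();
  const m = xml.match(DOCTYPE);
  if (!m) return { decls, body: xml };
  for (const d of (m[1] || '').matchAll(ENTITY_DECL)) {
    decls.set(d[1], d[2] !== undefined ? d[2] : d[3]);
  }
  return { decls, body: xml.slice(0, m.index) + xml.slice(m.index + m[0].length) };
}

// Walk every entity reference in the body, recursing into declared entities,
// and charge each reference against the budget before it is "expanded".
// Returns { ok: true, expansions, length } or { ok: false, reason }.
function checkEntityBudget(xml, { maxTotalExpansions = 1000, maxExpandedLength = 1 << 20 } = {}) {
  const { decls, body } = splitDoctype(xml);
  const state = { expansions: 0, length: 0 };

  const expand = (text, stack) => {
    let last = 0;
    for (const ref of text.matchAll(ENTITY_REF)) {
      state.length += ref.index - last;          // literal text before the reference
      last = ref.index + ref[0].length;
      state.expansions += 1;                      // every reference is one expansion
      if (state.expansions > maxTotalExpansions) throw new Error('Entity expansion limit exceeded');
      const name = ref[1];
      if (name.startsWith('#')) {
        state.length += 1;                        // numeric reference: one character
      } else if (decls.has(name)) {
        if (stack.has(name)) throw new Error(`Recursive entity &${name};`);
        stack.add(name);
        expand(decls.get(name), stack);           // nested expansion of a declared entity
        stack.delete(name);
      } else {
        state.length += ref[0].length;            // predefined or unknown entity left as-is
      }
      if (state.length > maxExpandedLength) throw new Error('Expanded size limit exceeded');
    }
    state.length += text.length - last;           // trailing literal text
  };

  try {
    expand(body, new Set());
    return { ok: true, ...state };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample documents.
const SAMPLE_SMALL = `<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
]>
<r>&b;&#65;</r>`;

// Three levels of four-fold nesting: 85 expansions from an 11-byte body.
const SAMPLE_NESTED = `<!DOCTYPE r [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;">
]>
<r>&d;</r>`;

const SAMPLE_NUMERIC = '<r>&#x41;&#66;&amp;</r>';
const SAMPLE_RECURSIVE = '<!DOCTYPE r [ <!ENTITY a "&a;"> ]><r>&a;</r>';

console.log(checkEntityBudget(SAMPLE_SMALL));
console.log(checkEntityBudget(SAMPLE_NESTED, { maxTotalExpansions: 50 }));
```

Passing `{ maxTotalExpansions: Infinity }` to this check mirrors the effect the PR attributes to the AWS setting: the count is still tracked but never rejects, so the size cap is the one line of defence left, which is why the example keeps both limits independent.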

coderabbitai bot (Contributor) commented Mar 18, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (13)
  • package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter-custom/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-comprehensive/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-gateway/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/package-lock.json is excluded by !**/package-lock.json
  • packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.


@Mmarzex (Contributor) commented Mar 18, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


@czubocha czubocha force-pushed the fix/fast-xml-parser-cve-2026-26278 branch from b4ecfd0 to 14d6667 on March 19, 2026 08:50
@czubocha czubocha merged commit 01d3c64 into main Mar 19, 2026
9 checks passed
@czubocha czubocha deleted the fix/fast-xml-parser-cve-2026-26278 branch March 19, 2026 11:19
@github-actions github-actions bot locked and limited conversation to collaborators Mar 19, 2026