From c67a2831c8007253b55f87771499206cba6bf471 Mon Sep 17 00:00:00 2001
From: Galib Sarayev
Date: Fri, 6 Mar 2026 10:58:24 +0000
Subject: [PATCH] fix: bump fast-xml-parser to 5.3.8 to resolve CVE-2026-27942

Adds a resolution to upgrade fast-xml-parser from 5.3.6 to 5.3.8 to fix stack overflow in XMLBuilder with preserveOrder (CVE-2026-27942). Transitive dependency of @aws-sdk/xml-builder. Resolves Dependabot alert #134.
---
 package.json | 1 +
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index e1317cf4..df893061 100644
--- a/package.json
+++ b/package.json
@@ -131,6 +131,7 @@
 "resolutions": {
 "**/@aws-amplify/amplify-codegen-e2e-tests/**/cookie": "^0.7.0",
 "**/@aws-amplify/amplify-codegen-e2e-tests/**/fast-xml-parser": "^4.4.1",
+ "**/@aws-sdk/xml-builder/**/fast-xml-parser": "5.3.8",
 "@octokit/plugin-paginate-rest": "^9.2.2",
 "@octokit/request": "^8.4.1",
 "@octokit/request-error": "^5.1.1",
diff --git a/yarn.lock b/yarn.lock
index c8e7e35d..37f44166 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12686,10 +12686,10 @@ fast-xml-parser@4.2.5, fast-xml-parser@^4.2.5, fast-xml-parser@^4.4.1:
 dependencies:
 strnum "^1.0.5"
-fast-xml-parser@5.3.6:
- version "5.3.6"
- resolved "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz#85a69117ca156b1b3c52e426495b6de266cb6a4b"
- integrity sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==
+fast-xml-parser@5.3.6, fast-xml-parser@5.3.8:
+ version "5.3.8"
+ resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.3.8.tgz#b5bc2045620d1b9cf342a2aa4d72391ef0b36a9e"
+ integrity sha512-53jIF4N6u/pxvaL1eb/hEZts/cFLWZ92eCfLrNyCI0k38lettCG/Bs40W9pPwoPXyHQlKu2OUbQtiEIZK/J6Vw==
 dependencies:
 strnum "^2.1.2"
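Review bot: The resolution added in the package.json hunk pins `fast-xml-parser` to the exact version `5.3.8`, while the neighbouring `resolutions` entries use caret ranges. An exact pin overrides whatever `@aws-sdk/xml-builder` declares, so a later SDK release that requires a newer 5.x, including later security fixes, would still be held at 5.3.8 until someone edits this line. Consider `"**/@aws-sdk/xml-builder/**/fast-xml-parser": "^5.3.8",` and drop the entry once `@aws-sdk/xml-builder` itself depends on a fixed release. The glob only covers copies resolved beneath `@aws-sdk/xml-builder`; the lockfile hunk shows the 5.3.6 entry now resolving to 5.3.8, but it is worth confirming with `yarn why fast-xml-parser` that no other dependent pulls a 5.x release older than 5.3.8. The `resolutions` object continues past the end of the hunk.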