
[Aikido] Fix 16 security issues in @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers, fast-uri and 5 more#35

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-32219686-prrs

Conversation

@aikido-autofix


Upgrades dependencies to fix critical XML entity injection XSS, XML entity expansion DoS attacks, stack overflow crashes, and URI path normalization bypass vulnerabilities.

⚠️ Breaking changes analysis not available for: @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers, aws-cdk-lib, minimatch

✅ No breaking changes for: fast-uri, brace-expansion, @smithy/config-resolver, ajv

✅ 16 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue, severity, description:

CVE-2026-25896, 🚨 CRITICAL
[fast-xml-parser] A dot (.) in DOCTYPE entity names is treated as a regex wildcard, allowing attackers to shadow built-in XML entities with arbitrary values and bypass entity encoding. This leads to XSS when parsed output is rendered.

CVE-2026-26278, HIGH
[fast-xml-parser] XML entity expansion vulnerability allows attackers to cause denial of service by forcing unlimited entity expansion with minimal input, potentially freezing the application for extended periods.

CVE-2026-27942, HIGH
[fast-xml-parser] XML builder with preserveOrder:true causes stack overflow leading to denial of service when processing certain inputs. The application crashes due to improper recursion handling during XML construction.

CVE-2026-33036, HIGH
[fast-xml-parser] Numeric character references and standard XML entities bypass entity expansion limits, allowing attackers to cause XML entity expansion Denial of Service by forcing excessive memory allocation and CPU usage through crafted XML payloads.

CVE-2026-33349, MEDIUM
[fast-xml-parser] XML entity expansion vulnerability where setting maxEntityCount or maxEntitySize to 0 is bypassed due to JavaScript falsy checks, allowing attackers to cause denial of service through memory exhaustion. The vulnerability affects configurations explicitly set to restrict or disable entities.

AIKIDO-2026-10784, HIGH
[fast-uri] A path normalization vulnerability allows attackers to bypass security checks by using percent-encoded slashes and dots that are decoded before dot-segment removal, causing distinct URIs to normalize identically and compare equal.

CVE-2026-6321, HIGH
[fast-uri] A vulnerability in URI normalization allows attackers to bypass path-based access controls by using percent-encoded separators and dot segments that normalize to unintended paths. This enables policy bypass attacks where restricted paths can be accessed through specially crafted encoded URLs.

CVE-2026-6322, HIGH
[fast-uri] Normalize function improperly decodes percent-encoded authority delimiters in the host component, re-emitting them as raw delimiters during serialization. This allows attackers to bypass host allowlist checks and redirect requests to unintended authorities.

CVE-2026-33532, MEDIUM
[yaml] A stack overflow vulnerability in the YAML parser's node resolution phase allows attackers to trigger a RangeError via deeply nested YAML structures (~2-10 KB), potentially causing denial of service or process termination in applications that don't catch non-YAMLParseError exceptions.

CVE-2026-26996, LOW
[minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs.

CVE-2026-27903, LOW
[minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems.

CVE-2026-27904, LOW
[minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs.

CVE-2026-33750, LOW
[brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed.

AIKIDO-2026-10477, LOW
[brace-expansion] A denial-of-service vulnerability allows attackers to craft malicious brace patterns with repeated numeric ranges that cause exponential expansion, consuming excessive CPU and memory until process failure. The fix introduces an optional maximum limit parameter to bound expansion work.

GHSA-6475-r3vj-m8vf, LOW
[@smithy/config-resolver] An attacker with environment access could set an invalid region value, potentially routing AWS API calls to non-AWS hosts. A validation enhancement was added to prevent improper endpoint construction through region input validation.

CVE-2025-69873, LOW
[ajv] A ReDoS vulnerability allows attackers to inject malicious regex patterns via the $data option, causing catastrophic backtracking and CPU exhaustion. A 31-character payload can block execution for ~44 seconds, enabling complete denial of service with minimal effort.
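
The fast-xml-parser entries above (CVE-2026-25896, CVE-2026-26278, CVE-2026-33036 and CVE-2026-33349) describe three distinct entity-handling mistakes: an entity name spliced into a regular expression unescaped, an expansion limit guarded with `||` so that an explicit 0 becomes the default, and limits that bound the wrong quantity. The following is an added example, not fast-xml-parser's code: a minimal internal-DOCTYPE entity expander written once with those mistakes and once hardened. The option names, the defaults and every input are constructed for the example.

```javascript
// Added example (not fast-xml-parser's code): a toy <!ENTITY> expander, vulnerable
// and hardened, for the three mistakes the advisory descriptions name. Option names,
// defaults and inputs are constructed for this example.

const DEFAULT_MAX_ENTITY_COUNT = 100;
const DEFAULT_MAX_EXPANSION_SIZE = 4096;
const BUILTIN_ENTITY_NAMES = new Set(['lt', 'gt', 'amp', 'quot', 'apos']);

// <!ENTITY name "value"> declarations only (internal, double-quoted): a simplification.
function parseEntityDeclarations(xml) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  for (let m; (m = decl.exec(xml)) !== null;) entities.set(m[1], m[2]);
  return entities;
}

function stripDoctype(xml) {
  return xml.replace(/<!DOCTYPE[\s\S]*?\]\s*>/, '');
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable: the entity name is used verbatim as a pattern, so a declared name of
// "l." becomes /&l.;/g and rewrites the built-in &lt; as well as &l.; (entity
// shadowing, the XSS case). The limit uses `||`, so maxEntityCount: 0 means 100.
function expandEntitiesVulnerable(xml, options = {}) {
  const maxCount = options.maxEntityCount || DEFAULT_MAX_ENTITY_COUNT;
  const entities = parseEntityDeclarations(xml);
  if (entities.size > maxCount) throw new Error('too many entity declarations');
  let body = stripDoctype(xml);
  for (const [name, value] of entities) {
    body = body.replace(new RegExp('&' + name + ';', 'g'), () => value);
  }
  return body;
}

// Hardened: `??` keeps an explicit 0, built-in names cannot be redeclared, names are
// validated and escaped before they reach RegExp, and references are resolved
// iteratively (nested entities included) while the number of expansions performed and
// the output produced are checked against the limits, not just the declaration count.
function expandEntitiesSafe(xml, options = {}) {
  const maxCount = options.maxEntityCount ?? DEFAULT_MAX_ENTITY_COUNT;
  const maxSize = options.maxExpansionSize ?? DEFAULT_MAX_EXPANSION_SIZE;
  const entities = parseEntityDeclarations(xml);
  if (entities.size > maxCount) throw new Error('too many entity declarations');
  for (const name of entities.keys()) {
    if (BUILTIN_ENTITY_NAMES.has(name)) throw new Error(`built-in entity redeclared: ${name}`);
    if (!/^[A-Za-z_][\w.-]*$/.test(name)) throw new Error(`invalid entity name: ${name}`);
  }
  let body = stripDoctype(xml);
  if (entities.size === 0) return body;
  const refs = new RegExp('&(' + [...entities.keys()].map(escapeRegExp).join('|') + ');', 'g');
  let expansions = 0;
  let produced = 0;
  for (let round = 0; round < 64; round++) {
    let replaced = false;
    body = body.replace(refs, (_, name) => {
      const value = entities.get(name);
      if (++expansions > maxCount) throw new Error('entity expansion count exceeded');
      if ((produced += value.length) > maxSize) throw new Error('entity expansion size exceeded');
      replaced = true;
      return value;
    });
    if (!replaced) return body;
  }
  throw new Error('entity nesting too deep');
}
```

With `<!DOCTYPE x [<!ENTITY l. "<script>">]><p>&lt;b&gt; &l.;</p>` the vulnerable expander returns `<p><script>b&gt; <script></p>` (the `&lt;` the document relied on for escaping is gone), the hardened one returns `<p>&lt;b&gt; <script></p>`; with `maxEntityCount: 0` the vulnerable expander still expands, the hardened one refuses; and a ten-level "billion laughs" document is cut off by the size or count limit in the hardened expander instead of being expanded.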

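The three fast-uri entries (AIKIDO-2026-10784, CVE-2026-6321, CVE-2026-6322) all come down to one ordering rule from RFC 3986: decode only unreserved characters during normalization, and never decode a reserved delimiter (`%2F`, `%40`, `%3A`) into its raw form, because the result is re-parsed as structure. The following is an added example, not fast-uri's code: two path normalizers that differ only in that ordering, and the same mistake applied to an authority. Function names, the sample paths and the sample authority are constructed for the example.

```javascript
// Added example (not fast-uri's code): decode-then-normalize versus normalize-with-
// unreserved-decoding-only, for an absolute URI path and for an authority.
// Function names and all sample inputs are constructed for this example.

// RFC 3986 section 5.2.4 remove_dot_segments, for absolute paths (leading "/").
function removeDotSegments(path) {
  const segments = path.split('/');
  const out = [];
  segments.forEach((seg, i) => {
    const last = i === segments.length - 1;
    if (seg === '..') {
      if (out.length > 1) out.pop();   // never pop the empty root segment
      if (last) out.push('');           // "/a/.." -> "/"
    } else if (seg === '.') {
      if (last) out.push('');           // "/a/." -> "/a/"
    } else {
      out.push(seg);
    }
  });
  return out.join('/');
}

// RFC 3986 section 6.2.2.2: decode only unreserved characters (ALPHA / DIGIT / "-" /
// "." / "_" / "~"); everything else stays percent-encoded with uppercase hex digits.
function normalizePercentEncoding(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /^[A-Za-z0-9\-._~]$/.test(ch) ? ch : '%' + hex.toUpperCase();
  });
}

// Vulnerable ordering: a full decode first, so "%2F" turns into a segment separator
// and "..%2Fadmin" becomes a real ".." segment before dot-segment removal.
function normalizePathVulnerable(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Correct ordering: "%2F" stays encoded (reserved), "%2E" may become "." (unreserved),
// and dot-segment removal runs on the result.
function normalizePathSafe(path) {
  return removeDotSegments(normalizePercentEncoding(path));
}

// Do two distinct raw paths compare equal after normalization? A collision here is
// what lets an encoded path through a policy written for the decoded one.
function pathsEquivalent(a, b, normalize) {
  return normalize(a) === normalize(b);
}

// Authority: which host does a later parser see after normalization? Decoding "%40"
// in "allowed.example%40evil.example" and re-serializing gives
// "allowed.example@evil.example", where everything before "@" is now userinfo.
function hostAfterNormalize(authority, normalize) {
  const hostport = normalize(authority).split('@').pop();
  return hostport.split(':')[0];
}

// Invariant a normalizer must keep: the host it emits is the host it was given.
function hostChangedByNormalize(authority, normalize) {
  const before = authority.split('@').pop().split(':')[0];
  return hostAfterNormalize(authority, normalize) !== before;
}
```

Under the vulnerable ordering `/public/..%2Fadmin` and `/admin` are equivalent; under the correct ordering they are not, while `/public/%2E%2E/admin` still normalizes to `/admin` because `%2E` really is `.`, so a path-based policy has to run on the normalized form rather than on the raw string either way. For the authority, the vulnerable normalizer turns `allowed.example%40evil.example` into a URI whose host is `evil.example`; the correct one leaves the host unchanged.
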
@github-actions


Package lock diff

 2.4.1 -> 2.6.0
node_modules/@aws-cdk/asset-awscli-v1 2.2.242 -> 2.2.273
node_modules/@aws-cdk/asset-node-proxy-agent-v6 2.1.0 -> 2.1.1
node_modules/@aws-cdk/cloud-assembly-schema 45.2.0 -> 53.22.0
node_modules/@aws-cdk/cloud-assembly-schema/node_modules/semver 7.7.2 -> 7.7.4
node_modules/@aws-sdk/client-cognito-identity 3.840.0 -> 3.1045.0
node_modules/@aws-sdk/client-secrets-manager 3.840.0 -> 3.1045.0
node_modules/@aws-sdk/client-sso removed
node_modules/@aws-sdk/core 3.840.0 -> 3.974.8
node_modules/@aws-sdk/credential-provider-cognito-identity 3.840.0 -> 3.972.31
node_modules/@aws-sdk/credential-provider-env 3.840.0 -> 3.972.34
node_modules/@aws-sdk/credential-provider-http 3.840.0 -> 3.972.36
node_modules/@aws-sdk/credential-provider-ini 3.840.0 -> 3.972.38
node_modules/@aws-sdk/credential-provider-node 3.840.0 -> 3.972.39
node_modules/@aws-sdk/credential-provider-process 3.840.0 -> 3.972.34
node_modules/@aws-sdk/credential-provider-sso 3.840.0 -> 3.972.38
node_modules/@aws-sdk/credential-provider-web-identity 3.840.0 -> 3.972.38
node_modules/@aws-sdk/credential-providers 3.840.0 -> 3.1045.0
node_modules/@aws-sdk/middleware-host-header 3.840.0 -> 3.972.10
node_modules/@aws-sdk/middleware-logger 3.840.0 -> 3.972.10
node_modules/@aws-sdk/middleware-recursion-detection 3.840.0 -> 3.972.11
node_modules/@aws-sdk/middleware-user-agent 3.840.0 -> 3.972.38
node_modules/@aws-sdk/nested-clients 3.840.0 -> 3.997.6
node_modules/@aws-sdk/region-config-resolver 3.840.0 -> 3.972.13
node_modules/@aws-sdk/token-providers 3.840.0 -> 3.1041.0
node_modules/@aws-sdk/types 3.840.0 -> 3.973.8
node_modules/@aws-sdk/util-endpoints 3.840.0 -> 3.996.8
node_modules/@aws-sdk/util-user-agent-browser 3.840.0 -> 3.972.10
node_modules/@aws-sdk/util-user-agent-node 3.840.0 -> 3.973.24
node_modules/@aws-sdk/xml-builder 3.821.0 -> 3.972.22
node_modules/@smithy/abort-controller removed
node_modules/@smithy/config-resolver 4.1.4 -> 4.4.17
node_modules/@smithy/core 3.6.0 -> 3.23.17
node_modules/@smithy/credential-provider-imds 4.0.6 -> 4.2.14
node_modules/@smithy/fetch-http-handler 5.0.4 -> 5.3.17
node_modules/@smithy/hash-node 4.0.4 -> 4.2.14
node_modules/@smithy/invalid-dependency 4.0.4 -> 4.2.14
node_modules/@smithy/is-array-buffer 4.0.0 -> 4.2.2
node_modules/@smithy/middleware-content-length 4.0.4 -> 4.2.14
node_modules/@smithy/middleware-endpoint 4.1.13 -> 4.4.32
node_modules/@smithy/middleware-retry 4.1.14 -> 4.5.7
node_modules/@smithy/middleware-serde 4.0.8 -> 4.2.20
node_modules/@smithy/middleware-stack 4.0.4 -> 4.2.14
node_modules/@smithy/node-config-provider 4.1.3 -> 4.3.14
node_modules/@smithy/node-http-handler 4.0.6 -> 4.6.1
node_modules/@smithy/property-provider 4.0.4 -> 4.2.14
node_modules/@smithy/protocol-http 5.1.2 -> 5.3.14
node_modules/@smithy/querystring-builder 4.0.4 -> 4.2.14
node_modules/@smithy/querystring-parser 4.0.4 -> 4.2.14
node_modules/@smithy/service-error-classification 4.0.6 -> 4.3.1
node_modules/@smithy/shared-ini-file-loader 4.0.4 -> 4.4.9
node_modules/@smithy/signature-v4 5.1.2 -> 5.3.14
node_modules/@smithy/smithy-client 4.4.5 -> 4.12.13
node_modules/@smithy/types 4.3.1 -> 4.14.1
node_modules/@smithy/url-parser 4.0.4 -> 4.2.14
node_modules/@smithy/util-base64 4.0.0 -> 4.3.2
node_modules/@smithy/util-body-length-browser 4.0.0 -> 4.2.2
node_modules/@smithy/util-body-length-node 4.0.0 -> 4.2.3
node_modules/@smithy/util-buffer-from 4.0.0 -> 4.2.2
node_modules/@smithy/util-config-provider 4.0.0 -> 4.2.2
node_modules/@smithy/util-defaults-mode-browser 4.0.21 -> 4.3.49
node_modules/@smithy/util-defaults-mode-node 4.0.21 -> 4.2.54
node_modules/@smithy/util-endpoints 3.0.6 -> 3.4.2
node_modules/@smithy/util-hex-encoding 4.0.0 -> 4.2.2
node_modules/@smithy/util-middleware 4.0.4 -> 4.2.14
node_modules/@smithy/util-retry 4.0.6 -> 4.3.8
node_modules/@smithy/util-stream 4.2.2 -> 4.5.25
node_modules/@smithy/util-uri-escape 4.0.0 -> 4.2.2
node_modules/@smithy/util-utf8 4.0.0 -> 4.2.2
node_modules/@types/uuid removed
node_modules/ajv 6.12.6 -> 6.15.0
node_modules/aws-cdk-lib 2.204.0 -> 2.253.1
node_modules/aws-cdk-lib/node_modules/ajv 8.17.1 -> 8.18.0
node_modules/aws-cdk-lib/node_modules/balanced-match 1.0.2 -> 4.0.4
node_modules/aws-cdk-lib/node_modules/brace-expansion 1.1.12 -> 5.0.5
node_modules/aws-cdk-lib/node_modules/concat-map removed
node_modules/aws-cdk-lib/node_modules/fast-uri 3.0.6 -> 3.1.0
node_modules/aws-cdk-lib/node_modules/fs-extra 11.3.0 -> 11.3.3
node_modules/aws-cdk-lib/node_modules/jsonfile 6.1.0 -> 6.2.0
node_modules/aws-cdk-lib/node_modules/minimatch 3.1.2 -> 10.2.5
node_modules/aws-cdk-lib/node_modules/semver 7.7.2 -> 7.7.4
node_modules/aws-cdk-lib/node_modules/yaml 1.10.2 -> 1.10.3
node_modules/bowser 2.11.0 -> 2.14.1
node_modules/brace-expansion 1.1.12 -> 1.1.14
node_modules/constructs 10.4.2 -> 10.6.0
node_modules/fast-xml-parser 4.4.1 -> 5.7.2
node_modules/filelist/node_modules/brace-expansion 2.0.2 -> 2.1.0
node_modules/filelist/node_modules/minimatch 5.1.6 -> 5.1.9
node_modules/minimatch 3.1.2 -> 3.1.5
node_modules/strnum 1.1.2 -> 2.3.0
node_modules/uuid removed
node_modules/@aws-sdk/credential-provider-login added
node_modules/@aws-sdk/middleware-sdk-s3 added
node_modules/@aws-sdk/signature-v4-multi-region added
node_modules/@aws-sdk/util-arn-parser added
node_modules/@aws/lambda-invoke-store added
node_modules/@nodable/entities added
node_modules/@smithy/uuid added
node_modules/aws-cdk-lib/node_modules/@aws-cdk/cloud-assembly-api added
node_modules/fast-xml-builder added
node_modules/path-expression-matcher added
node_modules/xml-naming added

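The lock diff above is the part of this PR worth checking by hand, because a vulnerable package can be installed several times: minimatch appears three times (root 3.1.2 -> 3.1.5, under aws-cdk-lib 3.1.2 -> 10.2.5, under filelist 5.1.6 -> 5.1.9) and brace-expansion three times, with the aws-cdk-lib copy jumping from 1.1.12 to 5.0.5 while the root copy stays on 1.1.14. The following is an added example, not Aikido's or npm's code: a check that walks every copy of a package in a lockfile's `packages` map (lockfile v2/v3 layout) and compares each against a fixed-version floor for its major line. The two lockfile fragments are constructed from the versions in the diff, and the floors reuse the post-upgrade versions purely as illustrative values; the real fixed versions must be taken from the advisories.

```javascript
// Added example (not Aikido's or npm's code): audit every installed copy of a package,
// nested copies included, against a per-major-line fixed-version floor. The lockfile
// fragments and the floors are constructed for this example.

// Name of the package a lockfile key describes: the part after the last "node_modules/"
// (scoped names keep their "@scope/" prefix). The root entry "" has no name.
function packageName(lockKey) {
  const marker = 'node_modules/';
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? null : lockKey.slice(i + marker.length);
}

// Numeric major.minor.patch only; pre-release tags are ignored (example simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionLess(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Every installed copy of `name`, wherever it sits in the tree.
function findCopies(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => packageName(key) === name)
    .map(([key, entry]) => ({ path: key, version: entry.version }));
}

// floors: { pkg: ['3.1.5', '5.1.9', ...] }, one fixed release per major line that got
// a backport. A copy on a major line with no fixed release is reported too: it cannot
// be patched in place, its consumer has to move off that line.
function copiesBelowFloor(lock, floors) {
  const findings = [];
  for (const [name, fixed] of Object.entries(floors)) {
    for (const copy of findCopies(lock, name)) {
      const major = parseVersion(copy.version)[0];
      const floor = fixed.find((f) => parseVersion(f)[0] === major);
      if (!floor) findings.push({ name, ...copy, reason: `no fixed release on the ${major}.x line` });
      else if (versionLess(copy.version, floor)) findings.push({ name, ...copy, reason: `below ${floor}` });
    }
  }
  return findings;
}

// Constructed lockfile fragments mirroring the before/after versions in the diff above.
const LOCK_BEFORE = { packages: {
  '': { name: 'app' },
  'node_modules/minimatch': { version: '3.1.2' },
  'node_modules/aws-cdk-lib/node_modules/minimatch': { version: '3.1.2' },
  'node_modules/filelist/node_modules/minimatch': { version: '5.1.6' },
  'node_modules/fast-xml-parser': { version: '4.4.1' },
  'node_modules/aws-cdk-lib/node_modules/fast-uri': { version: '3.0.6' },
  'node_modules/@aws-sdk/client-secrets-manager': { version: '3.840.0' },
} };
const LOCK_AFTER = { packages: {
  '': { name: 'app' },
  'node_modules/minimatch': { version: '3.1.5' },
  'node_modules/aws-cdk-lib/node_modules/minimatch': { version: '10.2.5' },
  'node_modules/filelist/node_modules/minimatch': { version: '5.1.9' },
  'node_modules/fast-xml-parser': { version: '5.7.2' },
  'node_modules/aws-cdk-lib/node_modules/fast-uri': { version: '3.1.0' },
  'node_modules/@aws-sdk/client-secrets-manager': { version: '3.1045.0' },
} };

// Illustrative floors: the post-upgrade versions from the diff, not a statement of
// which releases fix which CVE.
const EXAMPLE_FLOORS = {
  'minimatch': ['3.1.5', '5.1.9', '10.2.5'],
  'fast-xml-parser': ['5.7.2'],
  'fast-uri': ['3.1.0'],
};

function auditExample() {
  return {
    before: copiesBelowFloor(LOCK_BEFORE, EXAMPLE_FLOORS),
    after: copiesBelowFloor(LOCK_AFTER, EXAMPLE_FLOORS),
  };
}
```

On the constructed "before" lockfile the audit flags five copies (all three minimatch copies, fast-xml-parser 4.4.1 with no fixed release on its 4.x line, and the nested fast-uri); on the "after" lockfile it flags none. Running the same check on the real package-lock.json before merging is what turns a bot's "16 CVEs resolved" into something verifiable per copy.
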
@aikido-autofix

aikido-autofix Bot commented Jun 6, 2026


Closed by Aikido: a new AutoFix has been created → #39

@aikido-autofix aikido-autofix Bot closed this Jun 6, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-32219686-prrs branch June 6, 2026 23:25