[Aikido] Fix 17 security issues in fast-xml-parser, fast-uri, aws-cdk-lib and 5 more#40

Status: Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-51304187-ik93

Conversation

aikido-autofix (bot) commented Jun 17, 2026


Upgrade dependencies to fix critical XML entity injection XSS, XML entity expansion DoS attacks, stack overflow in XML builder, URI path normalization bypass, and other security vulnerabilities.

⚠️ Incomplete breaking changes analysis (4/8 analyzed)

⚠️ Breaking changes analysis not available for: aws-cdk-lib, minimatch, brace-expansion, ajv

All breaking changes by upgrading fast-xml-parser from version 4.4.1 to 5.7.3 (CHANGELOG)

| Version | Description |
|---|---|
| 5.7.0 | Single entity scan - entity values can no longer be used to form another entity name |
| 5.7.0 | Numeric external entities can no longer be added |
| 5.7.0 | Entity error messages when expansion limit is crossed may change |
| 5.7.0 | Typings updated for new options related to process entity |

✅ 17 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-25896 | 🚨 CRITICAL | [fast-xml-parser] A dot (.) in DOCTYPE entity names is treated as a regex wildcard, allowing attackers to shadow built-in XML entities with arbitrary values and bypass entity encoding. This leads to XSS when parsed output is rendered. |
| CVE-2026-26278 | HIGH | [fast-xml-parser] XML entity expansion vulnerability allows attackers to cause denial of service by forcing unlimited entity expansion with minimal input, potentially freezing the application for extended periods. |
| CVE-2026-27942 | HIGH | [fast-xml-parser] XML builder with preserveOrder:true causes stack overflow leading to denial of service when processing certain inputs. The application crashes due to improper recursion handling during XML construction. |
| CVE-2026-33036 | HIGH | [fast-xml-parser] Numeric character references and standard XML entities bypass entity expansion limits, allowing attackers to cause XML entity expansion Denial of Service by forcing excessive memory allocation and CPU usage through crafted XML payloads. |
| CVE-2026-33349 | MEDIUM | [fast-xml-parser] XML entity expansion vulnerability where setting maxEntityCount or maxEntitySize to 0 is bypassed due to JavaScript falsy checks, allowing attackers to cause denial of service through memory exhaustion. The vulnerability affects configurations explicitly set to restrict or disable entities. |
| AIKIDO-2026-10784 | HIGH | [fast-uri] A path normalization vulnerability allows attackers to bypass security checks by using percent-encoded slashes and dots that are decoded before dot-segment removal, causing distinct URIs to normalize identically and compare equal. |
| CVE-2026-6321 | HIGH | [fast-uri] A vulnerability in URI normalization allows attackers to bypass path-based access controls by using percent-encoded separators and dot segments that normalize to unintended paths. This enables policy bypass attacks where restricted paths can be accessed through specially crafted encoded URLs. |
| CVE-2026-6322 | HIGH | [fast-uri] Normalize function improperly decodes percent-encoded authority delimiters in the host component, re-emitting them as raw delimiters during serialization. This allows attackers to bypass host allowlist checks and redirect requests to unintended authorities. |
| CVE-2026-11417 | HIGH | [aws-cdk-lib] OS command injection vulnerability in NodejsFunction local bundling pipeline allows arbitrary command execution if an attacker controls bundling properties like externalModules, define, loader, inject, or esbuildArgs through shell metacharacters injection. |
| CVE-2026-33532 | MEDIUM | [yaml] A stack overflow vulnerability in the YAML parser's node resolution phase allows attackers to trigger a RangeError via deeply nested YAML structures (~2-10 KB), potentially causing denial of service or process termination in applications that don't catch non-YAMLParseError exceptions. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| CVE-2026-33750 | LOW | [brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed. |
| AIKIDO-2026-10477 | LOW | [brace-expansion] A denial-of-service vulnerability allows attackers to craft malicious brace patterns with repeated numeric ranges that cause exponential expansion, consuming excessive CPU and memory until process failure. The fix introduces an optional maximum limit parameter to bound expansion work. |
| GHSA-6475-r3vj-m8vf | LOW | [@smithy/config-resolver] An attacker with environment access could set an invalid region value, potentially routing AWS API calls to non-AWS hosts. A validation enhancement was added to prevent improper endpoint construction through region input validation. |
| CVE-2025-69873 | LOW | [ajv] A ReDoS vulnerability allows attackers to inject malicious regex patterns via the $data option, causing catastrophic backtracking and CPU exhaustion. A 31-character payload can block execution for ~44 seconds, enabling complete denial of service with minimal effort. |

🤖 Remediation details

Fix security vulnerabilities in fast-xml-parser, fast-uri, aws-cdk-lib, yaml, minimatch, brace-expansion, @smithy/config-resolver, and ajv

Short summary

This PR remediates security vulnerabilities in eight npm packages: fast-xml-parser, fast-uri, aws-cdk-lib, yaml, minimatch, brace-expansion, @smithy/config-resolver, and ajv. All of these are transitive dependencies resolved through the root package-lock.json. Fixes were applied by bumping three direct dependencies in the root package.json (aws-cdk-lib, @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers) and then refreshing the lockfile; remaining transitive instances were resolved via npm update --package-lock-only.


fast-xml-parser

Previously resolved at 4.4.1 as a transitive dependency of @aws-sdk/core, which exact-pinned it. Bumping the direct dependencies @aws-sdk/client-secrets-manager and @aws-sdk/credential-providers to ^3.844.0 caused @aws-sdk/core to update to 3.974.21, which in turn resolved fast-xml-parser to 5.7.3 — well above the minimum patched floor of 4.5.5. No override was needed because the parent's declared range was semver-compatible with the patched version.

fast-uri

Previously resolved at 3.0.6 as a transitive dependency of the aws-cdk-lib-nested copy of ajv (8.17.1). Bumping aws-cdk-lib to ^2.246.0 caused the nested ajv to update to 8.20.0, which resolved fast-uri to 3.1.2 — satisfying the minimum patched version of 3.1.2. The ajv declared range ^3.0.1 was already semver-compatible with the fix.

aws-cdk-lib

A direct dependency in the root package.json, previously declared as ^2.78.0 and resolved at 2.204.0. The declared spec was widened to ^2.246.0 and npm install --package-lock-only resolved it to 2.259.0, directly addressing the vulnerability in aws-cdk-lib itself and simultaneously pulling in patched transitive versions of yaml, minimatch, fast-uri, and ajv (8.x) nested within it.

yaml

Previously resolved at 1.10.2 as a transitive dependency exact-pinned by aws-cdk-lib ("yaml": "1.10.2"). Bumping aws-cdk-lib to ^2.246.0 caused the newer release to pin yaml at 1.10.3, which meets the minimum patched version. No separate lockfile update was required for this package.

minimatch

Resolved in three locations: a root-hoisted instance at 3.1.2 (shared by eslint, glob, jake, and others), an aws-cdk-lib-nested instance at 3.1.2, and a filelist-nested instance at 5.1.6. Bumping aws-cdk-lib to ^2.246.0 caused its nested minimatch to jump to 10.2.5; running npm update minimatch --package-lock-only brought the root instance to 3.1.5 and the filelist instance to 5.1.9, all satisfying the minimum patched floor of 3.1.4 (or equivalent for their respective major lines).

brace-expansion

Resolved in three locations as a transitive dependency of minimatch. All three instances were below the patched floors (1.1.13/2.0.3/5.0.5). Running npm update brace-expansion --package-lock-only resolved the root instance to 1.1.15, the filelist-nested instance to 2.1.1, and the aws-cdk-lib-nested instance to 5.0.6, all satisfying the respective patched version requirements.

@smithy/config-resolver

Previously resolved at 4.1.4 as a transitive dependency of @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers, and related AWS SDK packages. Bumping @aws-sdk/client-secrets-manager and @aws-sdk/credential-providers to ^3.844.0 in the root package.json updated the AWS SDK packages to 3.1070.0, which resolved @smithy/config-resolver to a patched version (≥ 4.4.0) via semver. The parent's declared range ^4.1.4 was already compatible with the fix.

ajv

Resolved in two major-version lines. The 6.x instance (6.12.6), used by eslint and @eslint/eslintrc, was updated to 6.15.0 via npm update ajv --package-lock-only — the parent's ^6.12.4 range is compatible with the patched floor of 6.14.0. The 8.x instance (8.17.1), nested under aws-cdk-lib's copy of table, was updated to 8.20.0 via the same command — table's ^8.0.1 range is compatible with the patched floor of 8.18.0.


Version changes

| Package | From | To | Why updated |
|---|---|---|---|
| aws-cdk-lib | ^2.78.0 (resolved 2.204.0) | ^2.246.0 (resolved 2.259.0) | Direct dep spec widened; direct CVE fix |
| @aws-sdk/client-secrets-manager | ^3.348.0 (resolved 3.840.0) | ^3.844.0 (resolved 3.1070.0) | Direct dep spec widened; parent bump for fast-xml-parser, @smithy/config-resolver |
| @aws-sdk/credential-providers | ^3.348.0 (resolved 3.840.0) | ^3.844.0 (resolved 3.1070.0) | Direct dep spec widened; parent bump for fast-xml-parser, @smithy/config-resolver |
| @aws-sdk/core | 3.840.0 | 3.974.21 | Transitive after parent bump (@aws-sdk/client-secrets-manager) |
| fast-xml-parser | 4.4.1 | 5.7.3 | Transitive CVE fix after parent bump (@aws-sdk/core) |
| fast-uri | 3.0.6 | 3.1.2 | Transitive CVE fix after parent bump (aws-cdk-lib → ajv) |
| yaml | 1.10.2 | 1.10.3 | Transitive CVE fix after parent bump (aws-cdk-lib) |
| minimatch (root) | 3.1.2 | 3.1.5 | Transitive CVE fix via lockfile refresh |
| minimatch (aws-cdk-lib nested) | 3.1.2 | 10.2.5 | Transitive CVE fix after parent bump (aws-cdk-lib) |
| minimatch (filelist nested) | 5.1.6 | 5.1.9 | Transitive CVE fix via lockfile refresh |
| brace-expansion (root) | 1.1.12 | 1.1.15 | Transitive CVE fix via lockfile refresh (minimatch) |
| brace-expansion (aws-cdk-lib nested) | 1.1.12 | 5.0.6 | Transitive CVE fix after parent bump (aws-cdk-lib → minimatch) |
| brace-expansion (filelist nested) | 2.0.2 | 2.1.1 | Transitive CVE fix via lockfile refresh (minimatch) |
| @smithy/config-resolver | 4.1.4 | 4.6.1+ | Transitive CVE fix after parent bump (@aws-sdk/client-secrets-manager) |
| ajv (6.x, root) | 6.12.6 | 6.15.0 | Transitive CVE fix via lockfile refresh (eslint) |
| ajv (8.x, aws-cdk-lib nested) | 8.17.1 | 8.20.0 | Transitive CVE fix via lockfile refresh (table) |
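The remediation notes above rely on every nested copy of a package (root-hoisted, aws-cdk-lib-nested, filelist-nested) landing at or above its patched floor, which is easy to get wrong by eye when the same package appears three times in a lockfile. The following script is an added example, not code from this PR or from any of the packages it touches: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), resolves each entry's package name from its `node_modules/` path, and classifies every copy of a tracked package against the minimum patched versions the PR states. The floor table is transcribed from the PR text; for minimatch only the 3.x floor (3.1.4) is stated, so other major lines are reported as "unknown-floor" rather than assumed safe. The embedded lockfile is a constructed sample using the pre-upgrade versions quoted in the PR plus one already-patched copy.

```javascript
// Added example (not part of the PR): audit an npm package-lock.json against
// the minimum patched versions quoted in the remediation notes, reporting every
// installed copy (root or nested) that is still below its floor.

// Minimum patched version per major line, transcribed from the PR text.
// A major line with no entry is reported as "unknown-floor", never assumed safe.
const PATCHED_FLOORS = {
  "fast-xml-parser": ["4.5.5"],
  "fast-uri": ["3.1.2"],
  "yaml": ["1.10.3"],
  "minimatch": ["3.1.4"], // the PR states only the 3.x floor explicitly
  "brace-expansion": ["1.1.13", "2.0.3", "5.0.5"],
  "@smithy/config-resolver": ["4.4.0"],
  "ajv": ["6.14.0", "8.18.0"],
};

// Parse "MAJOR.MINOR.PATCH[...]" into a numeric triple; any prerelease or
// build suffix is ignored, which is adequate for release versions in a lockfile.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator over version strings: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root project entry.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Classify one installed version against the floors of its package, matching on major line.
function classify(version, floors) {
  const major = parseVersion(version)[0];
  const floor = floors.find((f) => parseVersion(f)[0] === major);
  if (!floor) return { status: "unknown-floor", floor: null };
  return compareVersions(version, floor) >= 0
    ? { status: "ok", floor }
    : { status: "vulnerable", floor };
}

// One finding per installed copy of a tracked package; untracked packages are skipped.
function auditLockfile(lock, floorsByName = PATCHED_FLOORS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || packageNameFromPath(path);
    if (!name || !floorsByName[name] || !entry.version) continue;
    findings.push({ path, name, version: entry.version, ...classify(entry.version, floorsByName[name]) });
  }
  return findings;
}

// Tally findings by status so a CI step can fail on any "vulnerable" count.
function summarize(findings) {
  const counts = { ok: 0, vulnerable: 0, "unknown-floor": 0 };
  for (const f of findings) counts[f.status]++;
  return counts;
}

// Constructed sample lockfile: pre-upgrade versions quoted in the PR plus one patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/fast-xml-parser": { version: "4.4.1" },
    "node_modules/aws-cdk-lib": { version: "2.204.0" },
    "node_modules/aws-cdk-lib/node_modules/fast-uri": { version: "3.0.6" },
    "node_modules/aws-cdk-lib/node_modules/yaml": { version: "1.10.2" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/filelist/node_modules/minimatch": { version: "5.1.6" },
    "node_modules/brace-expansion": { version: "1.1.12" },
    "node_modules/ajv": { version: "6.12.6" },
    "node_modules/aws-cdk-lib/node_modules/ajv": { version: "8.17.1" },
    "node_modules/@smithy/config-resolver": { version: "4.6.1" },
  },
};

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.status.padEnd(13)} ${f.path} ${f.version} (floor ${f.floor ?? "?"})`);
}
console.log(summarize(SAMPLE_FINDINGS));
```

To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the key design choice is matching floors per major line, because a nested copy on a different major (the filelist-nested minimatch 5.x here) must surface as "unknown-floor" rather than silently pass a 3.x comparison.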

github-actions (bot) commented


Package lock diff

 2.4.1 -> 2.6.1
node_modules/@aws-cdk/asset-awscli-v1 2.2.242 -> 2.2.282
node_modules/@aws-cdk/asset-node-proxy-agent-v6 2.1.0 -> 2.1.2
node_modules/@aws-cdk/cloud-assembly-schema 45.2.0 -> 54.3.0
node_modules/@aws-cdk/cloud-assembly-schema/node_modules/jsonschema 1.4.1 -> 1.5.0
node_modules/@aws-cdk/cloud-assembly-schema/node_modules/semver 7.7.2 -> 7.8.4
node_modules/@aws-sdk/client-cognito-identity 3.840.0 -> 3.1070.0
node_modules/@aws-sdk/client-secrets-manager 3.840.0 -> 3.1070.0
node_modules/@aws-sdk/client-sso removed
node_modules/@aws-sdk/core 3.840.0 -> 3.974.21
node_modules/@aws-sdk/credential-provider-cognito-identity 3.840.0 -> 3.972.46
node_modules/@aws-sdk/credential-provider-env 3.840.0 -> 3.972.47
node_modules/@aws-sdk/credential-provider-http 3.840.0 -> 3.972.49
node_modules/@aws-sdk/credential-provider-ini 3.840.0 -> 3.972.54
node_modules/@aws-sdk/credential-provider-node 3.840.0 -> 3.972.56
node_modules/@aws-sdk/credential-provider-process 3.840.0 -> 3.972.47
node_modules/@aws-sdk/credential-provider-sso 3.840.0 -> 3.972.53
node_modules/@aws-sdk/credential-provider-web-identity 3.840.0 -> 3.972.53
node_modules/@aws-sdk/credential-providers 3.840.0 -> 3.1070.0
node_modules/@aws-sdk/middleware-host-header removed
node_modules/@aws-sdk/middleware-logger removed
node_modules/@aws-sdk/middleware-recursion-detection removed
node_modules/@aws-sdk/middleware-user-agent removed
node_modules/@aws-sdk/nested-clients 3.840.0 -> 3.997.21
node_modules/@aws-sdk/region-config-resolver removed
node_modules/@aws-sdk/token-providers 3.840.0 -> 3.1069.0
node_modules/@aws-sdk/types 3.840.0 -> 3.973.13
node_modules/@aws-sdk/util-endpoints removed
node_modules/@aws-sdk/util-user-agent-browser removed
node_modules/@aws-sdk/util-user-agent-node removed
node_modules/@aws-sdk/xml-builder 3.821.0 -> 3.972.30
node_modules/@smithy/abort-controller removed
node_modules/@smithy/config-resolver removed
node_modules/@smithy/core 3.6.0 -> 3.25.0
node_modules/@smithy/credential-provider-imds 4.0.6 -> 4.4.0
node_modules/@smithy/fetch-http-handler 5.0.4 -> 5.5.0
node_modules/@smithy/hash-node removed
node_modules/@smithy/invalid-dependency removed
node_modules/@smithy/is-array-buffer removed
node_modules/@smithy/middleware-content-length removed
node_modules/@smithy/middleware-endpoint removed
node_modules/@smithy/middleware-retry removed
node_modules/@smithy/middleware-serde removed
node_modules/@smithy/middleware-stack removed
node_modules/@smithy/node-config-provider removed
node_modules/@smithy/node-http-handler 4.0.6 -> 4.8.0
node_modules/@smithy/property-provider removed
node_modules/@smithy/protocol-http removed
node_modules/@smithy/querystring-builder removed
node_modules/@smithy/querystring-parser removed
node_modules/@smithy/service-error-classification removed
node_modules/@smithy/shared-ini-file-loader removed
node_modules/@smithy/signature-v4 5.1.2 -> 5.5.0
node_modules/@smithy/smithy-client removed
node_modules/@smithy/types 4.3.1 -> 4.15.0
node_modules/@smithy/url-parser removed
node_modules/@smithy/util-base64 removed
node_modules/@smithy/util-body-length-browser removed
node_modules/@smithy/util-body-length-node removed
node_modules/@smithy/util-buffer-from removed
node_modules/@smithy/util-config-provider removed
node_modules/@smithy/util-defaults-mode-browser removed
node_modules/@smithy/util-defaults-mode-node removed
node_modules/@smithy/util-endpoints removed
node_modules/@smithy/util-hex-encoding removed
node_modules/@smithy/util-middleware removed
node_modules/@smithy/util-retry removed
node_modules/@smithy/util-stream removed
node_modules/@smithy/util-uri-escape removed
node_modules/@smithy/util-utf8 removed
node_modules/@types/uuid removed
node_modules/ajv 6.12.6 -> 6.15.0
node_modules/aws-cdk-lib 2.204.0 -> 2.259.0
node_modules/aws-cdk-lib/node_modules/ajv 8.17.1 -> 8.20.0
node_modules/aws-cdk-lib/node_modules/balanced-match 1.0.2 -> 4.0.4
node_modules/aws-cdk-lib/node_modules/brace-expansion 1.1.12 -> 5.0.6
node_modules/aws-cdk-lib/node_modules/concat-map removed
node_modules/aws-cdk-lib/node_modules/fast-uri 3.0.6 -> 3.1.2
node_modules/aws-cdk-lib/node_modules/fs-extra 11.3.0 -> 11.3.5
node_modules/aws-cdk-lib/node_modules/jsonfile 6.1.0 -> 6.2.1
node_modules/aws-cdk-lib/node_modules/minimatch 3.1.2 -> 10.2.5
node_modules/aws-cdk-lib/node_modules/semver 7.7.2 -> 7.8.1
node_modules/aws-cdk-lib/node_modules/yaml 1.10.2 -> 1.10.3
node_modules/bowser 2.11.0 -> 2.14.1
node_modules/brace-expansion 1.1.12 -> 1.1.15
node_modules/constructs 10.4.2 -> 10.6.0
node_modules/fast-xml-parser 4.4.1 -> 5.7.3
node_modules/filelist/node_modules/brace-expansion 2.0.2 -> 2.1.1
node_modules/filelist/node_modules/minimatch 5.1.6 -> 5.1.9
node_modules/minimatch 3.1.2 -> 3.1.5
node_modules/strnum 1.1.2 -> 2.4.0
node_modules/uuid removed
node_modules/@aws-crypto/crc32 added
node_modules/@aws-sdk/credential-provider-login added
node_modules/@aws-sdk/signature-v4-multi-region added
node_modules/@aws/lambda-invoke-store added
node_modules/@nodable/entities added
node_modules/anynum added
node_modules/aws-cdk-lib/node_modules/@aws-cdk/cloud-assembly-api added
node_modules/fast-xml-builder added
node_modules/path-expression-matcher added
node_modules/xml-naming added
