fix: dep updates (#3441)

- fast-xml-parser ^5.5.2 -> ^5.5.7 (CVE-2026-26278, entity bypass, DoS,
stack overflow)
- Added minimatch ^3.1.5 resolution (ReDoS across nx, api-extractor,
etc.)
- Added lodash-es ^4.17.23 resolution (prototype pollution)

Addresses alerts: #295, #294, #302, #307-310, #236, #273-275, #282-285,
#290, #292

Note: ajv ^8.18.0 resolution attempted but reverted - breaks commitlint
strict mode schema validation in commit-msg hook.


<!--
Please make sure to read the Pull Request Guidelines:

https://github.com/aws-amplify/amplify-cli/blob/master/CONTRIBUTING.md#pull-requests
-->

#### Description of changes

<!--
Thank you for your Pull Request! Please provide a description above and
review
the requirements below.
-->

##### CDK / CloudFormation Parameters Changed

<!--
Please list any changes to the CDK/CFN params, with a link to references
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html

e.g.

* Conditionally added support for `Code` based AppSync Functions:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-functionconfiguration.html#cfn-appsync-functionconfiguration-code
* Conditionally added support for `Code` based AppSync Resolvers:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-resolver.html#cfn-appsync-resolver-code
-->

#### Issue #, if available

<!-- Also, please reference any associated PRs for documentation
updates. -->

#### Description of how you validated changes

#### Checklist

<!-- Remove items that do not apply. For completed items, change [ ] to
[x]. -->

- [ ] PR description included
- [ ] `yarn test` passes
- [ ] E2E test run linked
- [ ] Tests are [changed or
added](https://github.com/aws-amplify/amplify-cli/blob/master/CONTRIBUTING.md#tests)
- [ ] Relevant documentation is changed or added (and PR referenced)
- [ ] New AWS SDK calls or CloudFormation actions have been added to
relevant test and service IAM policies
- [ ] Any CDK or CloudFormation parameter changes are called out
explicitly

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: svidgen

.agent-docs/DEPENDABOT.md

@@ -102,3 +102,8 @@ yarn e2e-monitor {batchId}
 - Group related updates together when possible
 - Document breaking changes in commit messages
 - Check for peer dependency conflicts after updates
+- Git commit hooks (husky pre-commit) run `yarn extract-dependency-licenses` which updates `dependency_licenses.txt`. Because the hook runs after staging, the updated file may not be included in the commit. **Always check `git status` after committing** for unstaged changes to `dependency_licenses.txt` and amend the commit if needed:
+  ```bash
+  git add dependency_licenses.txt
+  git commit --amend --no-edit
+  ```

.agent-docs/E2E_TESTING.md

@@ -98,6 +98,10 @@ git checkout <your-branch>
 git stash pop
 ```
 
+## Success Criteria
+
+A passing e2e run means **100% of tests pass with zero failures**. There is no "close enough" — if any test fails, the run has failed and the failures must be investigated and fixed. Do not dismiss failures as pre-existing or infrastructure-related without verifying on main and fixing them.
+
 ## Common Failure Patterns
 
 | Pattern                  | Symptoms                                           | Action                                            |

dependency_licenses.txt

@@ -450,7 +450,7 @@
     "**/jake/async": "^2.6.4",
     "**/nth-check": "^2.0.1",
     "aws-cdk-lib": "2.224.0",
-    "lodash": "^4.17.23",
+    "lodash": "^4.18.1",
     "node-fetch": "^2.6.7",
     "cross-fetch": "^2.2.6",
     "trim-newlines": "^3.0.1",
@@ -461,10 +461,10 @@
     "ejs": "^3.1.7",
     "json5": "^2.2.3",
     "semver": "^7.5.2",
-    "axios": "^1.13.5",
+    "axios": "^1.15.0",
     "braces": "^3.0.3",
-    "**/aws-amplify/**/fast-xml-parser": "^5.5.2",
-    "fast-xml-parser": "^5.5.2",
+    "**/aws-amplify/**/fast-xml-parser": "~5.5.12",
+    "@aws-sdk/core/@aws-sdk/xml-builder": "^3.972.15",
     "cookie": "^0.7.0",
     "@octokit/request-error": "^5.1.1",
     "@octokit/request": "^8.4.1",
@@ -476,7 +476,13 @@
     "js-yaml": "^4.1.1",
     "diff": "^8.0.3",
     "tmp": "^0.2.5",
-    "basic-ftp": "^5.2.0"
+    "basic-ftp": "^5.2.2",
+    "lodash-es": "^4.18.1",
+    "minimatch": "^3.1.5",
+    "handlebars": "^4.7.9",
+    "@xmldom/xmldom": "^0.9.9",
+    "path-to-regexp": "^0.1.13",
+    "brace-expansion": "^1.1.13"
   },
   "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }

package.json

@@ -9,24 +9,24 @@
     "@aws-amplify/ai-constructs": "^1.6.1",
     "@aws-amplify/backend-output-schemas": "^1.0.0",
     "@aws-amplify/backend-output-storage": "^1.0.0",
-    "@aws-amplify/graphql-auth-transformer": "4.2.5",
-    "@aws-amplify/graphql-conversation-transformer": "1.1.13",
-    "@aws-amplify/graphql-default-value-transformer": "3.1.15",
+    "@aws-amplify/graphql-auth-transformer": "4.2.7",
+    "@aws-amplify/graphql-conversation-transformer": "1.1.14",
+    "@aws-amplify/graphql-default-value-transformer": "3.1.16",
     "@aws-amplify/graphql-directives": "2.8.0",
-    "@aws-amplify/graphql-function-transformer": "3.1.17",
-    "@aws-amplify/graphql-generation-transformer": "1.2.5",
-    "@aws-amplify/graphql-http-transformer": "3.0.20",
-    "@aws-amplify/graphql-index-transformer": "3.1.0",
-    "@aws-amplify/graphql-maps-to-transformer": "4.0.20",
-    "@aws-amplify/graphql-model-transformer": "3.4.0",
-    "@aws-amplify/graphql-predictions-transformer": "3.0.20",
-    "@aws-amplify/graphql-relational-transformer": "3.1.12",
-    "@aws-amplify/graphql-searchable-transformer": "3.1.0",
-    "@aws-amplify/graphql-sql-transformer": "0.4.20",
-    "@aws-amplify/graphql-transformer": "2.4.0",
-    "@aws-amplify/graphql-transformer-core": "3.5.0",
+    "@aws-amplify/graphql-function-transformer": "3.1.18",
+    "@aws-amplify/graphql-generation-transformer": "1.2.6",
+    "@aws-amplify/graphql-http-transformer": "3.0.21",
+    "@aws-amplify/graphql-index-transformer": "3.1.1",
+    "@aws-amplify/graphql-maps-to-transformer": "4.0.22",
+    "@aws-amplify/graphql-model-transformer": "3.4.1",
+    "@aws-amplify/graphql-predictions-transformer": "3.0.21",
+    "@aws-amplify/graphql-relational-transformer": "3.1.13",
+    "@aws-amplify/graphql-searchable-transformer": "3.1.2",
+    "@aws-amplify/graphql-sql-transformer": "0.4.21",
+    "@aws-amplify/graphql-transformer": "2.4.2",
+    "@aws-amplify/graphql-transformer-core": "3.5.1",
     "@aws-amplify/graphql-transformer-interfaces": "4.3.0",
-    "@aws-amplify/graphql-validate-transformer": "1.1.5",
+    "@aws-amplify/graphql-validate-transformer": "1.1.6",
     "@aws-amplify/platform-core": "^1.0.0",
     "@aws-amplify/plugin-types": "^1.0.0",
     "@aws-crypto/crc32": "5.2.0",
@@ -145,7 +145,7 @@
     "zod": "^3.22.2"
   },
   "dependencies": {
-    "@aws-amplify/graphql-api-construct": "1.21.0",
+    "@aws-amplify/graphql-api-construct": "1.21.2",
     "aws-cdk-lib": "^2.224.0",
     "constructs": "^10.3.0"
   },
@@ -8592,6 +8592,6 @@
     }
   },
   "types": {},
-  "version": "1.17.0",
-  "fingerprint": "XQTfFtyRagbevfbYjx5v7BCyCW/jP4XSnhmmppM9OCE="
+  "version": "1.17.2",
+  "fingerprint": "CjaXiYUP5ydMk5+Q2+ANminVCU4VrEaFAfud5KNeIwY="
 }

packages/amplify-data-construct/.jsii

@@ -22,21 +22,22 @@
     "clean": "rimraf ./lib"
   },
   "dependencies": {
-    "@aws-sdk/client-amplifybackend": "3.828.0",
-    "@aws-sdk/client-appsync": "3.827.0",
-    "@aws-sdk/client-cloudformation": "3.828.0",
-    "@aws-sdk/client-cognito-identity-provider": "3.826.0",
-    "@aws-sdk/client-ec2": "3.624.0",
-    "@aws-sdk/client-iam": "3.828.0",
-    "@aws-sdk/client-kms": "3.624.0",
-    "@aws-sdk/client-lambda": "3.828.0",
-    "@aws-sdk/client-rds": "3.624.0",
-    "@aws-sdk/client-rds-data": "3.624.0",
-    "@aws-sdk/client-secrets-manager": "3.624.0",
-    "@aws-sdk/client-ssm": "3.624.0",
-    "@aws-sdk/client-sts": "3.624.0",
-    "@aws-sdk/credential-providers": "3.624.0",
-    "@aws-sdk/lib-dynamodb": "3.826.0",
+    "@aws-sdk/client-amplifybackend": "^3.973.0",
+    "@aws-sdk/client-appsync": "^3.973.0",
+    "@aws-sdk/client-cloudformation": "^3.973.0",
+    "@aws-sdk/client-cognito-identity-provider": "^3.973.0",
+    "@aws-sdk/client-ec2": "^3.973.0",
+    "@aws-sdk/client-iam": "^3.973.0",
+    "@aws-sdk/client-kms": "^3.973.0",
+    "@aws-sdk/client-lambda": "^3.973.0",
+    "@aws-sdk/client-rds": "^3.973.0",
+    "@aws-sdk/client-rds-data": "^3.973.0",
+    "@aws-sdk/client-s3": "^3.973.0",
+    "@aws-sdk/client-secrets-manager": "^3.973.0",
+    "@aws-sdk/client-ssm": "^3.973.0",
+    "@aws-sdk/client-sts": "^3.973.0",
+    "@aws-sdk/credential-providers": "^3.973.0",
+    "@aws-sdk/lib-dynamodb": "^3.973.0",
     "amplify-headless-interface": "^1.17.7",
     "axios": "^1.13.5",
     "chalk": "^4.1.1",

packages/amplify-e2e-core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "amplify-category-api-e2e-tests",
-  "version": "4.1.13",
+  "version": "4.1.12",
   "description": "E2e test suite",
   "repository": {
     "type": "git",
@@ -27,20 +27,20 @@
     "@aws-amplify/amplify-app": "^5.0.35",
     "@aws-amplify/graphql-schema-generator": "0.11.14",
     "@aws-amplify/graphql-transformer-core": "3.5.1",
-    "@aws-sdk/client-amplify": "^3.812.0",
-    "@aws-sdk/client-appsync": "^3.812.0",
-    "@aws-sdk/client-cloudformation": "^3.812.0",
-    "@aws-sdk/client-codebuild": "^3.812.0",
-    "@aws-sdk/client-cognito-identity-provider": "^3.812.0",
-    "@aws-sdk/client-dynamodb": "^3.812.0",
-    "@aws-sdk/client-iam": "^3.812.0",
-    "@aws-sdk/client-organizations": "^3.812.0",
-    "@aws-sdk/client-rds": "^3.812.0",
-    "@aws-sdk/client-s3": "^3.812.0",
-    "@aws-sdk/client-ssm": "^3.812.0",
-    "@aws-sdk/client-sts": "^3.812.0",
-    "@aws-sdk/credential-provider-node": "^3.812.0",
-    "@aws-sdk/credential-providers": "3.828.0",
+    "@aws-sdk/client-amplify": "^3.973.0",
+    "@aws-sdk/client-appsync": "^3.973.0",
+    "@aws-sdk/client-cloudformation": "^3.973.0",
+    "@aws-sdk/client-codebuild": "3.812.0",
+    "@aws-sdk/client-cognito-identity-provider": "^3.973.0",
+    "@aws-sdk/client-dynamodb": "^3.973.0",
+    "@aws-sdk/client-iam": "^3.973.0",
+    "@aws-sdk/client-organizations": "^3.973.0",
+    "@aws-sdk/client-rds": "^3.973.0",
+    "@aws-sdk/client-s3": "^3.973.0",
+    "@aws-sdk/client-ssm": "^3.973.0",
+    "@aws-sdk/client-sts": "^3.973.0",
+    "@aws-sdk/credential-provider-node": "^3.972.0",
+    "@aws-sdk/credential-providers": "^3.973.0",
     "@smithy/util-retry": "^4.1.2",
     "amplify-category-api-e2e-core": "5.0.11",
     "aws-amplify": "^4.2.8",

packages/amplify-e2e-tests/package.json

@@ -1,6 +1,5 @@
 #!/usr/bin/env node
 
-import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 // @ts-ignore

packages/amplify-graphql-api-construct-tests/src/__tests__/backends/add-resources/app.ts

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import 'source-map-support/register';
 import { App, Stack, Duration, RemovalPolicy, CfnOutput } from 'aws-cdk-lib';
 import { Role, PolicyDocument, PolicyStatement, ServicePrincipal, Effect } from 'aws-cdk-lib/aws-iam';
 import { UserPool, UserPoolClient } from 'aws-cdk-lib/aws-cognito';

packages/amplify-graphql-api-construct-tests/src/__tests__/backends/admin-role/app.ts

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import 'source-map-support/register';
 import { App, Stack, Duration } from 'aws-cdk-lib';
 import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import { UserPool, CfnIdentityPool } from 'aws-cdk-lib/aws-cognito';