fix: pin fast-xml-parser to ~5.6.0 to fix 
 entity validation bug

The @nodable/entities 2.x (used by fast-xml-parser >=5.7.0) introduced
a validateEntityName() check that rejects entity names starting with #.
This breaks parsing of valid XML numeric character references like 
(carriage return) in AWS STS responses, causing pipeline-deploy failures.

Pin fast-xml-parser to ~5.6.0 which uses @nodable/entities 1.x (no
validation bug). Also pin @nodable/entities to ^1.0.0 globally to
prevent 2.x from being pulled in transitively.

Fixes: aws-amplify/amplify-backend#3172

Author: adrianjoshua-strutt

package.json

@@ -227,6 +227,7 @@
       "@aws-amplify/data-construct/crypt",
       "@aws-amplify/data-construct/fast-xml-builder",
       "@aws-amplify/data-construct/fast-xml-parser",
+      "@aws-amplify/data-construct/@nodable/entities",
       "@aws-amplify/data-construct/fs-extra",
       "@aws-amplify/data-construct/graceful-fs",
       "@aws-amplify/data-construct/graphql",
@@ -364,6 +365,7 @@
       "@aws-amplify/graphql-api-construct/crypt",
       "@aws-amplify/graphql-api-construct/fast-xml-builder",
       "@aws-amplify/graphql-api-construct/fast-xml-parser",
+      "@aws-amplify/graphql-api-construct/@nodable/entities",
       "@aws-amplify/graphql-api-construct/fs-extra",
       "@aws-amplify/graphql-api-construct/graceful-fs",
       "@aws-amplify/graphql-api-construct/graphql",
@@ -463,7 +465,8 @@
     "semver": "^7.5.2",
     "axios": "^1.15.0",
     "braces": "^3.0.3",
-    "**/aws-amplify/**/fast-xml-parser": "~5.5.12",
+    "**/aws-amplify/**/fast-xml-parser": "~5.6.0",
+    "**/@nodable/entities": "^1.0.0",
     "@aws-sdk/core/@aws-sdk/xml-builder": "^3.972.15",
     "cookie": "^0.7.0",
     "@octokit/request-error": "^5.1.1",

packages/amplify-data-construct/package.json

@@ -145,6 +145,7 @@
     "crypt",
     "fast-xml-builder",
     "fast-xml-parser",
+    "@nodable/entities",
     "fs-extra",
     "graceful-fs",
     "graphql",
@@ -284,7 +285,8 @@
     "ci-info": "^3.2.0",
     "crypt": "^0.0.2",
     "fast-xml-builder": "1.1.1",
-    "fast-xml-parser": "5.5.2",
+    "fast-xml-parser": "~5.6.0",
+    "@nodable/entities": "^1.0.0",
     "fs-extra": "^8.1.0",
     "graceful-fs": "^4.2.0",
     "graphql": "^15.5.0",

packages/amplify-graphql-api-construct/package.json

@@ -146,6 +146,7 @@
     "crypt",
     "fast-xml-builder",
     "fast-xml-parser",
+    "@nodable/entities",
     "fs-extra",
     "graceful-fs",
     "graphql",
@@ -284,7 +285,8 @@
     "ci-info": "^3.2.0",
     "crypt": "^0.0.2",
     "fast-xml-builder": "1.1.1",
-    "fast-xml-parser": "5.5.2",
+    "fast-xml-parser": "~5.6.0",
+    "@nodable/entities": "^1.0.0",
     "fs-extra": "^8.1.0",
     "graceful-fs": "^4.2.0",
     "graphql": "^15.5.0",

yarn.lock

@@ -11538,6 +11538,11 @@
   resolved "https://registry.npmjs.org/@nicolo-ribaudo/chokidar-2/-/chokidar-2-2.1.8-no-fsevents.3.tgz#323d72dd25103d0c4fbdce89dadf574a787b1f9b"
   integrity sha512-s88O1aVtXftvp5bCPB7WnmXc5IwOZZ7YPuwNPt+GtOOXpPvad1LfbmjYv+qII7zP6RU2QGnqve27dnLycEnyEQ==
 
+"@nodable/entities@^1.0.0", "@nodable/entities@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@nodable/entities/-/entities-1.1.0.tgz#f98e5ee5a6e987b4cad56eb97be81043d9b8d31d"
+  integrity sha512-bidpxmTBP0pOsxULw6XlxzQpTgrAGLDHGBK/JuWhPDL6ZV0GZ/PmN9CA9do6e+A9lYI6qx6ikJUtJYRxup141g==
+
 "@nodelib/fs.scandir@2.1.5":
   version "2.1.5"
   resolved "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"
@@ -18976,18 +18981,19 @@ fast-xml-builder@1.1.1:
   dependencies:
     path-expression-matcher "^1.1.3"
 
-fast-xml-builder@^1.1.1, fast-xml-builder@^1.1.4:
+fast-xml-builder@^1.1.4:
   version "1.1.4"
   resolved "https://registry.yarnpkg.com/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz#0c407a1d9d5996336c0cd76f7ff785cac6413017"
   integrity sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==
   dependencies:
     path-expression-matcher "^1.1.3"
 
-fast-xml-parser@3.19.0, fast-xml-parser@^3.16.0, fast-xml-parser@~5.5.12:
-  version "5.5.12"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.12.tgz#6e50e5a5bbb03c1dc72a9268a9bfe677b1b623b2"
-  integrity sha512-nUR0q8PPfoA/svPM43Gup7vLOZWppaNrYgGmrVqrAVJa7cOH4hMG6FX9M4mQ8dZA1/ObGZHzES7Ed88hxEBSJg==
+fast-xml-parser@3.19.0, fast-xml-parser@^3.16.0, fast-xml-parser@~5.6.0:
+  version "5.6.0"
+  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.6.0.tgz#4ade6df478c2532a462b693278fa6393c295a9e3"
+  integrity sha512-5G+uaEBbOm9M4dgMOV3K/rBzfUNGqGqoUTaYJM3hBwM8t71w07gxLQZoTsjkY8FtfjabqgQHEkeIySBDYeBmJw==
   dependencies:
+    "@nodable/entities" "^1.1.0"
     fast-xml-builder "^1.1.4"
     path-expression-matcher "^1.5.0"
     strnum "^2.2.3"
@@ -19006,15 +19012,6 @@ fast-xml-parser@5.2.5:
   dependencies:
     strnum "^2.1.0"
 
-fast-xml-parser@5.5.2:
-  version "5.5.2"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.2.tgz#2c5b9c8d955fe201ecebc2365fc517ed0d329600"
-  integrity sha512-kA6Txdt1cHsk+/qWKuV1jZUHBD6QUXWKhWVBuSmfP5YElW5HvJ/yC7eFCS+DQg7LphBPuUoEBMQ+m1z6UlF24w==
-  dependencies:
-    fast-xml-builder "^1.1.1"
-    path-expression-matcher "^1.1.3"
-    strnum "^2.1.2"
-
 fast-xml-parser@5.5.8:
   version "5.5.8"
   resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz#929571ed8c5eb96e6d9bd572ba14fc4b84875716"
@@ -24985,7 +24982,7 @@ strnum@^1.0.5:
   resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.1.2.tgz#57bca4fbaa6f271081715dbc9ed7cee5493e28e4"
   integrity sha512-vrN+B7DBIoTTZjnPNewwhx6cBA/H+IS7rfW68n7XxC1y7uoiGQBxaKzqucGUgavX15dJgiGztLJ8vxuEzwqBdA==
 
-strnum@^2.1.0, strnum@^2.1.2, strnum@^2.2.0, strnum@^2.2.3:
+strnum@^2.1.0, strnum@^2.2.0, strnum@^2.2.3:
   version "2.2.3"
   resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.2.3.tgz#0119fce02749a11bb126a4d686ac5dbdf6e57586"
   integrity sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==