Skip to content

fix: dep updates#3441

Merged
svidgen merged 10 commits intomainfrom
wirejs/dbots-2026-03-19
Apr 21, 2026
Merged

fix: dep updates#3441
svidgen merged 10 commits intomainfrom
wirejs/dbots-2026-03-19

Conversation

@svidgen
Copy link
Copy Markdown
Member

@svidgen svidgen commented Mar 19, 2026
edited
Loading

  • fast-xml-parser ^5.5.2 -> ^5.5.7 (CVE-2026-26278, entity bypass, DoS, stack overflow)
  • Added minimatch ^3.1.5 resolution (ReDoS across nx, api-extractor, etc.)
  • Added lodash-es ^4.17.23 resolution (prototype pollution)

Addresses alerts: #295, #294, #302, #307-310, #236, #273-275, #282-285, #290, #292

Note: ajv ^8.18.0 resolution attempted but reverted - breaks commitlint strict mode schema validation in commit-msg hook.

Description of changes

CDK / CloudFormation Parameters Changed

Issue #, if available

Description of how you validated changes

Checklist

  • PR description included
  • yarn test passes
  • E2E test run linked
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@svidgen
fix: resolve dependabot alerts via resolution overrides
acf9614 
- fast-xml-parser ^5.5.2 -> ^5.5.7 (CVE-2026-26278, entity bypass, DoS, stack overflow)
- Added minimatch ^3.1.5 resolution (ReDoS across nx, api-extractor, etc.)
- Added lodash-es ^4.17.23 resolution (prototype pollution)

Addresses alerts: #295, #294, #302, #307-310, #236, #273-275, #282-285, #290, #292

Note: ajv ^8.18.0 resolution attempted but reverted - breaks commitlint
strict mode schema validation in commit-msg hook.

Build: 27 packages pass
Tests: 25 packages pass
@svidgen svidgen requested a review from a team as a code owner March 19, 2026 21:37
@svidgen svidgen requested a review from a team as a code owner March 20, 2026 14:00
@svidgen svidgen force-pushed the wirejs/dbots-2026-03-19 branch 2 times, most recently from 6f89ece to dc21c6e Compare March 20, 2026 22:37
@svidgen
fix: upgrade AWS SDK in test packages to resolve fast-xml-parser enti…
08b0a46 
…ty expansion limit

Upgrade @aws-sdk/* client packages in e2e/test packages to ^3.973.0.
This pulls in @aws-sdk/core@3.973.23 which delegates XML parsing to
@aws-sdk/xml-builder@3.972.15, properly configuring
maxTotalExpansions: Infinity for AWS service responses.

Also add @aws-sdk/xml-builder resolution override to ensure the fixed
version is used globally, since the construct packages hoist an older
version that lacks the parseXML export.

This resolves 'Entity expansion limit exceeded' errors caused by
fast-xml-parser 5.5.7's new default limit of 1000 entity expansions.
@svidgen svidgen force-pushed the wirejs/dbots-2026-03-19 branch from dc21c6e to 08b0a46 Compare March 23, 2026 14:46
svidgen added 7 commits April 2, 2026 15:02
@svidgen
Merge branch 'main' into wirejs/dbots-2026-03-19
e28cbac 
Resolve conflicts in test package.json files: keep upgraded AWS SDK
versions (^3.973.0) from our branch, take main's internal package
version bumps.
@svidgen
fix: align internal package version references after merge from main
f292feb
@svidgen
Merge remote-tracking branch 'origin/main' into wirejs/dbots-2026-03-19
11ed569
@svidgen
chore: update dependency licenses and jsii after merge from main
4b86212
@svidgen
fix: merge main and update dependabot resolutions
e55ac94 
- Merge 7 commits from main including E2E stability fixes and Node 22 compat
- Bump axios ^1.13.5 -> ^1.15.0 (SSRF + header injection CVEs)
- Bump basic-ftp ^5.2.0 -> ^5.2.2 (CRLF injection CVEs)
- Bump lodash ^4.17.23 -> ^4.18.1 (code injection + prototype pollution)
- Bump lodash-es ^4.17.23 -> ^4.18.1 (code injection + prototype pollution)
- Add handlebars ^4.7.9 resolution (JS injection + DoS CVEs)
- Add @xmldom/xmldom ^0.9.9 resolution (XML injection CVE)
- Add path-to-regexp ^0.1.13 resolution (ReDoS CVE)
- Add brace-expansion ^1.1.13 resolution (DoS CVE)
@svidgen
fix: resolve CDK test compilation and fast-xml-parser entity limit fa…
5d222bb 
…ilures

- Remove source-map-support/register import from all 31 CDK backend
  app.ts templates — CDK init template no longer includes this dep,
  and Node 22 has built-in source map support
- Bump fast-xml-parser resolution ^5.5.7 -> ~5.5.12 to fix entity
  expansion limit exceeded errors (default changed to Infinity in
  5.5.10) and address CVE-2026-33036
- Update e2e testing docs: 100% pass rate required, no exceptions
@svidgen
fix: remove unscoped fast-xml-parser resolution to fix entity expansi…
adaf98d 
…on limit

The unscoped resolution forced fast-xml-parser 5.5.x onto the AWS SDK
which expects 4.4.1. Version 5.x introduced entity expansion limits
(default 1000) that break CloudFormation XML parsing for large stacks.

Keep the scoped **/aws-amplify/** resolution for construct packages
while letting the AWS SDK resolve its own compatible version.
@svidgen
Copy link
Copy Markdown
Member Author

svidgen commented Apr 17, 2026

One failure on e2e tests is cleanup. Acceptable failure.

Waiting on PR checks. https://tiny.amazon.com/m3y5ad8n/IsenLink

@svidgen svidgen merged commit bddb2c8 into main Apr 21, 2026
7 of 8 checks passed
@svidgen svidgen deleted the wirejs/dbots-2026-03-19 branch April 21, 2026 14:23
@adrianjoshua-strutt adrianjoshua-strutt mentioned this pull request Apr 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Simone319 Simone319 Simone319 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@svidgen @Simone319