fix: upgrade AWS SDK to resolve fast-xml-parser vulnerabilities #785

Merged
stack72 merged 1 commit into main from fix-aws-sdk-xml-parser-vulnerability
Mar 19, 2026

Conversation

stack72 (Contributor) commented Mar 19, 2026

Summary

  • Upgrades @aws-sdk/client-cloudcontrol and @aws-sdk/client-s3 from ^3.1002.0 to ^3.1013.0
  • This pulls in @aws-sdk/xml-builder@3.972.14 (up from 3.972.10) which depends on fast-xml-parser@5.5.6 instead of the vulnerable 5.4.1
  • Resolves two transitive dependency vulnerabilities flagged by our dependency audit:

Details

The vulnerability chain was:

@aws-sdk/client-cloudcontrol@3.1002.0
  → @aws-sdk/core@3.973.19
    → @aws-sdk/xml-builder@3.972.10
      → fast-xml-parser@5.4.1 ← vulnerable

After the upgrade:

@aws-sdk/client-cloudcontrol@3.1013.0
  → @aws-sdk/core@3.973.22
    → @aws-sdk/xml-builder@3.972.14
      → fast-xml-parser@5.5.6 ← patched

No code changes were required — this is a version bump in deno.json and the resulting deno.lock update. Type-checking (deno check) passes cleanly.

Test plan

  • deno check main.ts passes
  • CI passes (type-check, lint, tests)
  • deno run audit no longer flags fast-xml-parser

🤖 Generated with Claude Code

Bump @aws-sdk/client-cloudcontrol and @aws-sdk/client-s3 from ^3.1002.0
to ^3.1013.0. This pulls in @aws-sdk/xml-builder@3.972.14 which depends
on fast-xml-parser@5.5.6, resolving two known vulnerabilities in the
previously pinned fast-xml-parser@5.4.1:

- GHSA-8gc5-j5rx-235r
- GHSA-jp2q-39xq-3w4g

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
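As an added illustration (not part of this PR or the project's code): a TypeScript check that walks a simplified, constructed stand-in for a deno.lock npm section, recovers the dependency path from the root client package to fast-xml-parser, and flags a resolved version below the one this PR lands on. The lock shape, the `chain`, `findPath` and `audit` helpers, and the use of 5.5.6 as the patched threshold are assumptions of this example.

```typescript
// Added example: walk a simplified deno.lock-style npm map (a constructed
// stand-in, not the real deno.lock format) to find how a root reaches a package.
type NpmLock = Record<string, { dependencies?: string[] }>;
// Build a linear chain lock from an ordered list of package@version keys.
function chain(keys: string[]): NpmLock {
  const lock: NpmLock = {};
  keys.forEach((k, i) => { lock[k] = i + 1 < keys.length ? { dependencies: [keys[i + 1]] } : {}; });
  return lock;
}
// Constructed from the two chains quoted in the PR description.
const BEFORE = chain(["@aws-sdk/client-cloudcontrol@3.1002.0", "@aws-sdk/core@3.973.19",
  "@aws-sdk/xml-builder@3.972.10", "fast-xml-parser@5.4.1"]);
const AFTER = chain(["@aws-sdk/client-cloudcontrol@3.1013.0", "@aws-sdk/core@3.973.22",
  "@aws-sdk/xml-builder@3.972.14", "fast-xml-parser@5.5.6"]);
// Split "name@version"; scoped names start with "@", so split at the last "@".
function splitKey(key: string): [string, string] {
  const i = key.lastIndexOf("@");
  return [key.slice(0, i), key.slice(i + 1)];
}
// Numeric dotted-version compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Breadth-first search from root; returns the lock keys along the first path
// that reaches a package named `target`, or null when it is unreachable.
function findPath(lock: NpmLock, root: string, target: string): string[] | null {
  const queue: string[][] = [[root]];
  const seen = new Set<string>([root]);
  while (queue.length > 0) {
    const path = queue.shift()!;
    const key = path[path.length - 1];
    if (splitKey(key)[0] === target) return path;
    for (const dep of lock[key]?.dependencies ?? []) {
      if (!seen.has(dep)) { seen.add(dep); queue.push([...path, dep]); }
    }
  }
  return null;
}
// Resolved `target` version under `root`; vulnerable when below the patched `fixed`.
function audit(lock: NpmLock, root: string, target: string, fixed: string) {
  const path = findPath(lock, root, target);
  if (path === null) return { path: null, version: null, vulnerable: false };
  const version = splitKey(path[path.length - 1])[1];
  return { path, version, vulnerable: compareVersions(version, fixed) < 0 };
}
```

The same walk applies to a branching lock (a package reached through several parents), since the search is breadth-first and tracks visited keys.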

github-actions bot left a comment

Review: Approved

Clean dependency version bump — no code changes, only deno.json specifier updates and deno.lock regeneration.

Verified:

  • Only deno.json and deno.lock are modified
  • AWS SDK packages bumped from ^3.1002.0 to ^3.1013.0
  • Resolves transitive fast-xml-parser@5.4.1 vulnerabilities (GHSA-8gc5-j5rx-235r, GHSA-jp2q-39xq-3w4g) by pulling in fast-xml-parser@5.5.6 via @aws-sdk/xml-builder@3.972.14
  • No domain code, libswamp imports, or test changes needed
  • No blocking issues

🤖 Generated with Claude Code


github-actions bot left a comment

Adversarial Review

This PR changes exactly two files: deno.json (2-line version bump) and deno.lock (regenerated lockfile). There are zero source code changes.

Critical / High

None.

Medium

None.

Low

None.

Verdict

PASS — Pure dependency version bump (@aws-sdk/client-cloudcontrol and @aws-sdk/client-s3 from ^3.1002.0 to ^3.1013.0) to remediate known CVEs in transitive dependency fast-xml-parser. No application code changed, no API contract changes, no new logic to break. Semver ranges are correct and lockfile pins are consistent.

@stack72 stack72 merged commit 4ded193 into main Mar 19, 2026
7 checks passed
@stack72 stack72 deleted the fix-aws-sdk-xml-parser-vulnerability branch March 19, 2026 23:14