Upgrade AWS SDK in /serverless to fix critical fast-xml-parser vulnerabilities#177

Merged
jayhill merged 2 commits into main from copilot/update-aws-sdk-version
Feb 22, 2026
Conversation


Copilot AI commented Feb 22, 2026

fast-xml-parser 4.1.3–5.3.5 has two known CVEs (GHSA-jmr7-xgp7-cmfj, GHSA-m7jm-9gc2-mpf2) reachable via AWS SDK transitive deps. Dependabot couldn't auto-fix due to the tangled AWS SDK interdependency graph.

Changes

  • package.json: Raised all @aws-sdk/* minimum versions to ^3.994.0 (previously fragmented across 3.543–3.982)
  • package-lock.json: Regenerated — all fast-xml-parser instances now resolve to 5.3.6 (patched), down from 4.4.1 and 5.3.4

Before / After

Package                            Before                            After
@aws-sdk/client-api-gateway        ^3.543.0 → 3.758.0                ^3.994.0 → 3.995.0
@aws-sdk/client-dynamodb           ^3.543.0 → 3.772.0                ^3.994.0 → 3.995.0
fast-xml-parser (all instances)    4.4.1 / 5.3.4 (vulnerable)        5.3.6 (patched)

Remaining audit findings (39 high/low) are all in devDependencies (eslint, jest, minimatch chains) and require breaking changes outside scope here.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • cdn.sheetjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/_temp/ghcca-node/node/bin/npm install (dns block)
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/_temp/ghcca-node/node/bin/npm update --package-lock-only (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


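The fix above works because raising every @aws-sdk/* floor to one version lets npm resolve a single patched fast-xml-parser instead of the two vulnerable copies the old lock carried. The check a reviewer would want before merging is that no copy of the package, at any nesting depth in package-lock.json, still falls in the affected range. The script below is an added example (not code from this PR or the repository): it walks a lockfileVersion 2/3 `packages` map, collects every installed copy of a named dependency, and flags versions inside an inclusive range. The version numbers come from the PR text; the two lock-file objects are constructed for illustration, not the repository's real lock.

```javascript
// Added example: audit a package-lock.json "packages" map for every resolved
// copy of a transitive dependency and flag those inside a vulnerable range.

// Parse "major.minor.patch" (ignoring any pre-release/build suffix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check: lo <= version <= hi.
function inRange(version, lo, hi) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Every installed copy of `name`. Lock keys look like
// "node_modules/fast-xml-parser" (hoisted) or
// "node_modules/@scope/pkg/node_modules/fast-xml-parser" (nested duplicate).
function findInstalls(lock, name) {
  const suffix = `node_modules/${name}`;
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      found.push({ path, version: meta.version });
    }
  }
  return found;
}

// Annotate each copy with whether it is inside [lo, hi].
function auditLock(lock, name, lo, hi) {
  return findInstalls(lock, name).map((i) => ({
    ...i,
    vulnerable: inRange(i.version, lo, hi),
  }));
}

// Affected range quoted in the PR description.
const VULN_LO = "4.1.3";
const VULN_HI = "5.3.5";

function vulnerableInstalls(lock) {
  return auditLock(lock, "fast-xml-parser", VULN_LO, VULN_HI).filter((r) => r.vulnerable);
}

// Constructed sample locks (shape of lockfileVersion 3; not the real files).
// "before" mirrors the PR's description of two vulnerable copies.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "node_modules/fast-xml-parser": { version: "4.4.1" },
    "node_modules/@aws-sdk/core/node_modules/fast-xml-parser": { version: "5.3.4" },
    "node_modules/minimatch": { version: "3.1.2" },
  },
};
// "after" mirrors the regenerated lock: one hoisted, patched copy.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "node_modules/fast-xml-parser": { version: "5.3.6" },
    "node_modules/minimatch": { version: "3.1.2" },
  },
};

for (const [label, lock] of [["before", lockBefore], ["after", lockAfter]]) {
  const bad = vulnerableInstalls(lock);
  console.log(
    `${label}: ${bad.length} vulnerable cop${bad.length === 1 ? "y" : "ies"}`,
    bad.map((b) => `${b.path}@${b.version}`)
  );
}
```

Pointing `auditLock` at a parsed real lock file gives the same report; a non-empty result on the post-upgrade lock would mean some other dependency still pins an old range and is keeping a nested duplicate alive, which is exactly the situation that prevented Dependabot from producing a clean fix.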

…lity

Co-authored-by: jayhill <116148+jayhill@users.noreply.github.com>
Copilot AI changed the title [WIP] Upgrade AWS SDK version to address vulnerabilities Upgrade AWS SDK in /serverless to fix critical fast-xml-parser vulnerabilities Feb 22, 2026
Copilot AI requested a review from jayhill February 22, 2026 16:18
@jayhill jayhill marked this pull request as ready for review February 22, 2026 16:50
@jayhill jayhill merged commit 15760c3 into main Feb 22, 2026
3 of 4 checks passed
@jayhill jayhill deleted the copilot/update-aws-sdk-version branch February 22, 2026 16:50