From efd1941b27e7a86e83e9cd843595c5bff2673841 Mon Sep 17 00:00:00 2001
From: Nick McCready
Date: Wed, 18 Feb 2026 13:24:35 -0500
Subject: [PATCH] chore: bump fast-xml-parser override to 5.3.6 (fix CVE DoS via entity expansion)

Fixes GHSA-jmr7-xgp7-cmfj (high severity) - fast-xml-parser DoS through entity expansion in DOCTYPE. Bumps override from 5.3.4 to 5.3.6. This resolves all 22 high severity vulnerabilities which were transitive through @aws-sdk/xml-builder and commit-and-tag-version. Remaining: 7 moderate (ajv ReDoS via eslint/serve - known residuals, require breaking changes to fix).
---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index fae54f8..32fe3e9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6311,9 +6311,9 @@
 "license": "BSD-3-Clause"
 },
 "node_modules/fast-xml-parser": {
- "version": "5.3.4",
- "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.4.tgz",
- "integrity": "sha512-EFd6afGmXlCx8H8WTZHhAoDaWaGyuIBoZJ2mknrNxug+aZKjkp0a0dlars9Izl+jF+7Gu1/5f/2h68cQpe0IiA==",
+ "version": "5.3.6",
+ "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
+ "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
 "funding": [
 {
 "type": "github",
@@ -6322,7 +6322,7 @@
 ],
 "license": "MIT",
 "dependencies": {
- "strnum": "^2.1.0"
+ "strnum": "^2.1.2"
 },
 "bin": {
 "fxparser": "src/cli/cli.js"
diff --git a/package.json b/package.json
index 75813bf..69a0e95 100644
--- a/package.json
+++ b/package.json
@@ -57,7 +57,7 @@
 "typecheck": "tsc --noEmit"
 },
 "overrides": {
- "fast-xml-parser": "5.3.4"
+ "fast-xml-parser": "5.3.6"
 },
 "dependencies": {
 "@aws-sdk/client-cloudformation": "^3.637.0",