[Aikido] Fix 11 security issues in @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers, aws-cdk-lib and 4 more#29

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-20995014-snrr

Conversation

@aikido-autofix

Upgrade dependencies to fix critical XML parsing vulnerabilities including XSS via entity shadowing, XML entity expansion DoS, stack overflow, and numeric entity bypass attacks.

✅ 11 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-25896 | 🚨 CRITICAL | [fast-xml-parser] A dot (.) in DOCTYPE entity names is treated as a regex wildcard, allowing attackers to shadow built-in XML entities with arbitrary values and bypass entity encoding. This leads to XSS when parsed output is rendered. |
| CVE-2026-26278 | HIGH | [fast-xml-parser] XML entity expansion vulnerability allows attackers to cause denial of service by forcing unlimited entity expansion with minimal input, potentially freezing the application for extended periods. |
| CVE-2026-27942 | HIGH | [fast-xml-parser] XML builder with preserveOrder:true causes stack overflow leading to denial of service when processing certain inputs. The application crashes due to improper recursion handling during XML construction. |
| CVE-2026-33036 | HIGH | [fast-xml-parser] Numeric character references and standard XML entities bypass entity expansion limits, allowing attackers to cause denial of service through excessive memory allocation and CPU consumption via massive numbers of entity references. |
| CVE-2026-33532 | MEDIUM | [yaml] A stack overflow vulnerability in the compose/resolve phase allows attackers to trigger a RangeError via deeply nested YAML structures (~2–10 KB), potentially causing denial of service or process termination in applications that don't catch this unexpected exception type. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| GHSA-6475-r3vj-m8vf | LOW | [@smithy/config-resolver] An attacker with environment access could set an invalid region value, potentially routing AWS API calls to non-AWS hosts. A validation enhancement was added to prevent improper endpoint construction through region input validation. |
| CVE-2026-33750 | LOW | [brace-expansion] A brace pattern with zero step value (e.g., {1..2..0}) causes an infinite loop that hangs the process for seconds and allocates excessive memory, resulting in a denial of service. Untrusted input strings passed to expand() are vulnerable to this attack with just 10 bytes of malicious input. |
| CVE-2025-69873 | LOW | [ajv] A ReDoS vulnerability allows attackers to inject malicious regex patterns via the $data option, causing catastrophic backtracking and CPU exhaustion. A 31-character payload can block execution for ~44 seconds, enabling complete denial of service with minimal effort. |

@github-actions

Package lock diff

 2.4.1 -> 2.6.0
node_modules/@aws-cdk/asset-awscli-v1 2.2.242 -> 2.2.263
node_modules/@aws-cdk/asset-node-proxy-agent-v6 2.1.0 -> 2.1.1
node_modules/@aws-cdk/cloud-assembly-schema 45.2.0 -> 53.9.0
node_modules/@aws-cdk/cloud-assembly-schema/node_modules/semver 7.7.2 -> 7.7.4
node_modules/@aws-sdk/client-cognito-identity 3.840.0 -> 3.1019.0
node_modules/@aws-sdk/client-secrets-manager 3.840.0 -> 3.1019.0
node_modules/@aws-sdk/client-sso removed
node_modules/@aws-sdk/core 3.840.0 -> 3.973.25
node_modules/@aws-sdk/credential-provider-cognito-identity 3.840.0 -> 3.972.19
node_modules/@aws-sdk/credential-provider-env 3.840.0 -> 3.972.23
node_modules/@aws-sdk/credential-provider-http 3.840.0 -> 3.972.25
node_modules/@aws-sdk/credential-provider-ini 3.840.0 -> 3.972.26
node_modules/@aws-sdk/credential-provider-node 3.840.0 -> 3.972.27
node_modules/@aws-sdk/credential-provider-process 3.840.0 -> 3.972.23
node_modules/@aws-sdk/credential-provider-sso 3.840.0 -> 3.972.26
node_modules/@aws-sdk/credential-provider-web-identity 3.840.0 -> 3.972.26
node_modules/@aws-sdk/credential-providers 3.840.0 -> 3.1019.0
node_modules/@aws-sdk/middleware-host-header 3.840.0 -> 3.972.8
node_modules/@aws-sdk/middleware-logger 3.840.0 -> 3.972.8
node_modules/@aws-sdk/middleware-recursion-detection 3.840.0 -> 3.972.9
node_modules/@aws-sdk/middleware-user-agent 3.840.0 -> 3.972.26
node_modules/@aws-sdk/nested-clients 3.840.0 -> 3.996.16
node_modules/@aws-sdk/region-config-resolver 3.840.0 -> 3.972.10
node_modules/@aws-sdk/token-providers 3.840.0 -> 3.1019.0
node_modules/@aws-sdk/types 3.840.0 -> 3.973.6
node_modules/@aws-sdk/util-endpoints 3.840.0 -> 3.996.5
node_modules/@aws-sdk/util-user-agent-browser 3.840.0 -> 3.972.8
node_modules/@aws-sdk/util-user-agent-node 3.840.0 -> 3.973.12
node_modules/@aws-sdk/xml-builder 3.821.0 -> 3.972.16
node_modules/@smithy/abort-controller 4.0.4 -> 4.2.12
node_modules/@smithy/config-resolver 4.1.4 -> 4.4.13
node_modules/@smithy/core 3.6.0 -> 3.23.12
node_modules/@smithy/credential-provider-imds 4.0.6 -> 4.2.12
node_modules/@smithy/fetch-http-handler 5.0.4 -> 5.3.15
node_modules/@smithy/hash-node 4.0.4 -> 4.2.12
node_modules/@smithy/invalid-dependency 4.0.4 -> 4.2.12
node_modules/@smithy/is-array-buffer 4.0.0 -> 4.2.2
node_modules/@smithy/middleware-content-length 4.0.4 -> 4.2.12
node_modules/@smithy/middleware-endpoint 4.1.13 -> 4.4.27
node_modules/@smithy/middleware-retry 4.1.14 -> 4.4.44
node_modules/@smithy/middleware-serde 4.0.8 -> 4.2.15
node_modules/@smithy/middleware-stack 4.0.4 -> 4.2.12
node_modules/@smithy/node-config-provider 4.1.3 -> 4.3.12
node_modules/@smithy/node-http-handler 4.0.6 -> 4.5.0
node_modules/@smithy/property-provider 4.0.4 -> 4.2.12
node_modules/@smithy/protocol-http 5.1.2 -> 5.3.12
node_modules/@smithy/querystring-builder 4.0.4 -> 4.2.12
node_modules/@smithy/querystring-parser 4.0.4 -> 4.2.12
node_modules/@smithy/service-error-classification 4.0.6 -> 4.2.12
node_modules/@smithy/shared-ini-file-loader 4.0.4 -> 4.4.7
node_modules/@smithy/signature-v4 5.1.2 -> 5.3.12
node_modules/@smithy/smithy-client 4.4.5 -> 4.12.7
node_modules/@smithy/types 4.3.1 -> 4.13.1
node_modules/@smithy/url-parser 4.0.4 -> 4.2.12
node_modules/@smithy/util-base64 4.0.0 -> 4.3.2
node_modules/@smithy/util-body-length-browser 4.0.0 -> 4.2.2
node_modules/@smithy/util-body-length-node 4.0.0 -> 4.2.3
node_modules/@smithy/util-buffer-from 4.0.0 -> 4.2.2
node_modules/@smithy/util-config-provider 4.0.0 -> 4.2.2
node_modules/@smithy/util-defaults-mode-browser 4.0.21 -> 4.3.43
node_modules/@smithy/util-defaults-mode-node 4.0.21 -> 4.2.47
node_modules/@smithy/util-endpoints 3.0.6 -> 3.3.3
node_modules/@smithy/util-hex-encoding 4.0.0 -> 4.2.2
node_modules/@smithy/util-middleware 4.0.4 -> 4.2.12
node_modules/@smithy/util-retry 4.0.6 -> 4.2.12
node_modules/@smithy/util-stream 4.2.2 -> 4.5.20
node_modules/@smithy/util-uri-escape 4.0.0 -> 4.2.2
node_modules/@smithy/util-utf8 4.0.0 -> 4.2.2
node_modules/@types/uuid removed
node_modules/ajv 6.12.6 -> 6.14.0
node_modules/aws-cdk-lib 2.204.0 -> 2.245.0
node_modules/aws-cdk-lib/node_modules/ajv 8.17.1 -> 8.18.0
node_modules/aws-cdk-lib/node_modules/balanced-match 1.0.2 -> 4.0.4
node_modules/aws-cdk-lib/node_modules/brace-expansion 1.1.12 -> 5.0.3
node_modules/aws-cdk-lib/node_modules/concat-map removed
node_modules/aws-cdk-lib/node_modules/fast-uri 3.0.6 -> 3.1.0
node_modules/aws-cdk-lib/node_modules/fs-extra 11.3.0 -> 11.3.3
node_modules/aws-cdk-lib/node_modules/jsonfile 6.1.0 -> 6.2.0
node_modules/aws-cdk-lib/node_modules/minimatch 3.1.2 -> 10.2.4
node_modules/aws-cdk-lib/node_modules/semver 7.7.2 -> 7.7.4
node_modules/aws-cdk-lib/node_modules/yaml 1.10.2 -> 1.10.3
node_modules/bowser 2.11.0 -> 2.14.1
node_modules/brace-expansion 1.1.12 -> 1.1.13
node_modules/constructs 10.4.2 -> 10.6.0
node_modules/fast-xml-parser 4.4.1 -> 5.5.8
node_modules/filelist/node_modules/brace-expansion 2.0.2 -> 2.0.3
node_modules/filelist/node_modules/minimatch 5.1.6 -> 5.1.9
node_modules/minimatch 3.1.2 -> 3.1.5
node_modules/strnum 1.1.2 -> 2.2.2
node_modules/uuid removed
node_modules/@aws-sdk/credential-provider-login added
node_modules/@aws/lambda-invoke-store added
node_modules/@smithy/uuid added
node_modules/aws-cdk-lib/node_modules/@aws-cdk/cloud-assembly-api added
node_modules/aws-cdk-lib/node_modules/@aws-cdk/cloud-assembly-api/node_modules/jsonschema added
node_modules/aws-cdk-lib/node_modules/@aws-cdk/cloud-assembly-api/node_modules/semver added
node_modules/fast-xml-builder added
node_modules/path-expression-matcher added
