
fix: upgrade fast-xml-builder to address CVE-2026-44664#1185

Closed
brendan-kellam wants to merge 2 commits into main from cursor/fix-fast-xml-builder-cve-3d87

Conversation

@brendan-kellam
Contributor

Fixes SOU-1073

Summary

This PR addresses CVE-2026-44664, a regex bypass vulnerability in fast-xml-builder v1.1.5 that allows XML/HTML injection through triple-dash sequences.

Changes

  • Added a yarn resolution to force fast-xml-builder to ^1.1.7
  • This upgrades the package from v1.1.5 to v1.2.0, which includes fixes for both CVE-2026-44664 and CVE-2026-44665

Dependency Chain

The vulnerability was introduced transitively through:

  • @aws-sdk/credential-providers → @aws-sdk/client-cognito-identity → @aws-sdk/core → @aws-sdk/xml-builder → fast-xml-parser@5.7.1 → fast-xml-builder@1.1.5

Verification

Confirmed via yarn why fast-xml-builder that the package is now resolved to v1.2.0.

References

Linear Issue: SOU-1073


Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
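The PR verifies the fix with `yarn why fast-xml-builder`, which needs the installed node_modules tree. The script below is an added example (not Sourcebot project code and not part of this PR) that does the same check offline against the lockfile, and also shows why a lockfile refresh alone can be enough: a caret range such as `^1.1.5` already admits `1.2.0`, so a resolutions override is only required when the declared range excludes the patched release. The two lockfile fragments are constructed for illustration; the package names and the versions 1.1.5, 1.1.7 and 1.2.0 are the ones discussed in the PR. Only caret and exact ranges are handled; the helper names are this example's own.

```javascript
// Added example (not Sourcebot project code): audit a Yarn classic lockfile for
// the version a transitive package resolved to, and evaluate caret ranges, offline.
// Lockfile text below is CONSTRUCTED; only names and versions come from the PR.

// Parse a Yarn v1 lockfile into [{ name, range, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null; // entries that share the header currently being read
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: comma-separated selectors, e.g.
      //   fast-xml-builder@^1.1.5:
      //   "@aws-sdk/core@^3.0.0", "@aws-sdk/core@^3.1.0":
      current = [];
      for (let sel of line.slice(0, -1).split(',')) {
        sel = sel.trim().replace(/^"|"$/g, '');
        const at = sel.lastIndexOf('@'); // scoped names begin with '@', so use the last one
        const name = sel.slice(0, at);
        const range = sel.slice(at + 1).replace(/^npm:/, ''); // tolerate Yarn berry prefix
        const entry = { name, range, version: null };
        entries.push(entry);
        current.push(entry);
      }
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(line);
    if (m && current) for (const e of current) e.version = m[1];
  }
  return entries;
}

// "1.2.0" (optionally with -prerelease/+build suffix) -> [1, 2, 0]
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Does a caret or exact range admit `version`? Caret semantics follow npm:
// ^1.1.5 -> >=1.1.5 <2.0.0, ^0.3.1 -> >=0.3.1 <0.4.0, ^0.0.2 -> 0.0.2 only.
function caretAdmits(range, version) {
  const exact = !range.startsWith('^');
  const base = exact ? range : range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  if (exact) return compareVersions(version, base) === 0;
  const [maj, min] = parseVersion(base);
  const [vmaj, vmin] = parseVersion(version);
  if (maj > 0) return vmaj === maj;
  if (min > 0) return vmaj === 0 && vmin === min;
  return compareVersions(version, base) === 0;
}

// Every lockfile entry for `name`, flagged `patched` when its resolved version
// is at or above `minFixed` (the first release that carries the fix).
function auditLock(lockText, name, minFixed) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name)
    .map((e) => ({
      range: e.range,
      version: e.version,
      patched: e.version !== null && compareVersions(e.version, minFixed) >= 0,
    }));
}

// Constructed fragments: the stale lock the PR found, and the lock after a
// refresh picked up 1.2.0 within the unchanged ^1.1.5 range.
const STALE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


fast-xml-builder@^1.1.5:
  version "1.1.5"

fast-xml-parser@5.7.1:
  version "5.7.1"
  dependencies:
    fast-xml-builder "^1.1.5"
`;
const FRESH_LOCK = STALE_LOCK.replace('version "1.1.5"', 'version "1.2.0"');

function main() {
  for (const [label, lock] of [['stale', STALE_LOCK], ['refreshed', FRESH_LOCK]]) {
    console.log(label, auditLock(lock, 'fast-xml-builder', '1.1.7'));
  }
  console.log('^1.1.5 admits 1.2.0:', caretAdmits('^1.1.5', '1.2.0'));
  console.log('^1.1.5 admits 2.0.0:', caretAdmits('^1.1.5', '2.0.0'));
}
main();
```

Run it with `node` after pointing `STALE_LOCK` at a real `yarn.lock` (for example via `fs.readFileSync`); an entry reported with `patched: false` means `yarn why` would still show the vulnerable release, and `caretAdmits` tells you whether bumping the lock is enough or a `resolutions` override is needed because the declared range excludes the fixed version.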
@coderabbitai
Contributor

coderabbitai Bot commented May 9, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7a9da821-4884-4843-9e63-45ccadfbe4c5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Contributor

github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

Metric Count
Total packages 2070
Resolved (non-standard) 11
Unresolved 0
Strong copyleft 0
Weak copyleft 38

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (11)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab LICENSE
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 GitHub repo livebook-dev/codemirror-lang-elixir LICENSE; npm latest version metadata
element-source 0.0.3 UNKNOWN MIT GitHub repo aidenybai/element-source LICENSE
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 GitHub repo livebook-dev/lezer-elixir LICENSE; npm latest version metadata
map-stream 0.1.0 UNKNOWN MIT GitHub repo dominictarr/map-stream LICENCE
memorystream 0.3.1 UNKNOWN MIT extracted from npm registry licenses[0].type field; confirmed via GitHub repo JSBizon/node-memorystream LICENSE
pause-stream 0.0.11 ['MIT', 'Apache2'] MIT OR Apache-2.0 extracted from npm registry license array (dual-license)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo PostHog/posthog-js LICENSE
valid-url 1.0.9 UNKNOWN MIT GitHub repo ogt/valid-url LICENSE

brendan-kellam added a commit that referenced this pull request May 9, 2026
…6-44664, CVE-2026-44665)

Replaces the prior resolution-override approach with a lockfile refresh.
The existing fast-xml-builder@^1.1.5 range already admits the patched
1.2.0; the lockfile was just stale.

Also consolidates SOU-1073 / CVE-2026-44664 (previously #1185) into this
PR — same package release fixes both sibling CVEs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@brendan-kellam
Contributor Author

Closing as duplicate — consolidated into #1184, which addresses both CVE-2026-44664 (this PR's CVE) and CVE-2026-44665 with the same fast-xml-builder 1.1.5 → 1.2.0 lockfile refresh.

brendan-kellam added a commit that referenced this pull request May 9, 2026
…6-44664, CVE-2026-44665) (#1184)

* fix: upgrade fast-xml-builder to ^1.1.7 to address CVE-2026-44665

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

* Update CHANGELOG.md for PR #1184

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

* fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665)

Replaces the prior resolution-override approach with a lockfile refresh.
The existing fast-xml-builder@^1.1.5 range already admits the patched
1.2.0; the lockfile was just stale.

Also consolidates SOU-1073 / CVE-2026-44664 (previously #1185) into this
PR — same package release fixes both sibling CVEs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2 participants