V5 Vulnerability fix: bump xml-parser to v4.4.1 for V5 #13657
Comments
Is #13663 the resolution?
Hello, @jackirvine97 and thank you for opening this issue. As you already saw, PR #13663 is indeed the resolution to this! The release for this will happen within the next week, but we are working on getting it to build on the "unstable" branch. We'll update this issue when that's ready, as well as when the release happens that includes this.
Brilliant @cwomack, thank you so much for the update and for patching through this fix.
@cwomack Just wanting to double check that the resolution in PR #13663 is enough to fix the issue? There are exact dependency versions for various @AWS-SDK packages specified within some @aws-amplify packages that are also vulnerable; the @AWS-SDK packages have been updated to "3.621.0" and might require dependency updates in the amplify packages as well.
Other than upgrading to v6, skipping "high" vulnerabilities in my node audit run, or moving to a CICD where I can do a targeted ignore of CVEs, I assume there are no other workarounds? (I have a PRD patch hanging off this) |
Some context can be found here: aws/aws-sdk-js-v3#6331 (comment)
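The concern raised above, that a fixed hoisted copy can hide an older copy pinned under another package, can be checked directly against the lockfile rather than inferred from `npm audit` output. The following is an added example written for this page, not code from aws-amplify or the AWS SDK; it assumes the package in question is `fast-xml-parser` and the fixed version is `4.4.1` (both are parameters), and the `@aws-sdk/client-example` entry and the sample lockfile contents are constructed.

```javascript
// Added example (not aws-amplify or AWS SDK code): list every installed copy
// of a package recorded in an npm lockfile and flag the ones older than the
// fixed version. Handles lockfileVersion 2/3 ("packages" keyed by install
// path) and lockfileVersion 1 (nested "dependencies" tree). The package name
// "fast-xml-parser" and fixed version "4.4.1" are assumptions taken from the
// thread; the sample lockfile below is constructed.

function parseVersion(v) {
  // Drop a leading "v", note whether a prerelease tag is present, and keep
  // the numeric major.minor.patch parts.
  const s = String(v).replace(/^v/, '');
  const core = s.split('+')[0];
  const [nums, pre] = core.split(/-(.*)/s);
  return {
    nums: nums.split('.').map((n) => parseInt(n, 10) || 0),
    pre: pre !== undefined && pre.length > 0,
  };
}

// Returns -1, 0 or 1. A prerelease of X sorts below the release of X; two
// prereleases of the same core version are treated as equal (good enough
// for "is this at or above the fixed release").
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < len; i++) {
    const x = pa.nums[i] || 0;
    const y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// lockfileVersion 2/3: keys look like
// "node_modules/@scope/dependent/node_modules/<pkg>".
function collectFromPackages(packages, pkgName, out) {
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath.endsWith('node_modules/' + pkgName) && meta.version) {
      out.push({ path: installPath, version: meta.version });
    }
  }
}

// lockfileVersion 1: each dependency may carry its own nested "dependencies".
function collectFromDependencies(deps, pkgName, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = prefix + 'node_modules/' + name;
    if (name === pkgName && meta.version) {
      out.push({ path: installPath, version: meta.version });
    }
    if (meta.dependencies) {
      collectFromDependencies(meta.dependencies, pkgName, installPath + '/', out);
    }
  }
}

function findCopies(lock, pkgName) {
  const out = [];
  if (lock.packages) collectFromPackages(lock.packages, pkgName, out);
  else collectFromDependencies(lock.dependencies, pkgName, '', out);
  return out;
}

function findVulnerableCopies(lock, pkgName, fixedVersion) {
  return findCopies(lock, pkgName).filter(
    (c) => compareVersions(c.version, fixedVersion) < 0
  );
}

// Constructed sample (lockfileVersion 3): the hoisted copy is already fixed,
// but a copy pinned under a hypothetical SDK client package is still old.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/fast-xml-parser': { version: '4.4.1' },
    'node_modules/@aws-sdk/client-example': { version: '3.600.0' },
    'node_modules/@aws-sdk/client-example/node_modules/fast-xml-parser': {
      version: '4.2.5',
    },
  },
};

const stale = findVulnerableCopies(SAMPLE_LOCK, 'fast-xml-parser', '4.4.1');
for (const c of stale) {
  console.log(`stale copy: ${c.path} (${c.version} is below 4.4.1)`);
}
```

To run this against a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` as the first argument; `npm ls fast-xml-parser` gives a similar tree view from npm itself. This only compares version numbers against a threshold you supply, so it complements `npm audit` (which consults the advisory database) rather than replacing it.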
Hi everyone, the fix for this is now released on version 5.3.21. Please let us know if there are any questions or comments on the fix.
@ashika112 What about aws-amplify v6? I'm having this issue on the latest version too 6.5.0: |
@navv-christofer-flores v6 has the fix as well. In your screenshot I see |
Is this related to a new or existing framework?
React
Is this related to a new or existing API?
Authentication
Is this related to another service?
No response
Describe the feature you'd like to request
Describe the solution you'd like
Given the complexity and time required to migrate from v5 to v6, can this dependency be bumped so v5 apps are not blocked from deployments and not exposed to this vulnerability
Describe alternatives you've considered
n/a
Additional context
n/a
Is this something that you'd be interested in working on?