#19619: fix(deps): bump fast-xml-parser override to 5.3.6 to fix DoS vulnerability

by Ilannuko, open, 2026-02-18 01:23
size: XS

The previous override (5.3.4) was within the vulnerable range (>=4.1.3 <5.3.6) for GHSA-jmr7-xgp7-cmfj (DoS via entity expansion in DOCTYPE). This bumps the pnpm override to 5.3.6 which resolves the high-severity advisory.

https://claude.ai/code/session_015UdvDXeHBR7ZVjrtb6tZYj

## Summary

Describe the problem and fix in 2–5 bullets:

- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):

## Change Type (select all)

- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Closes #
- Related #

## User-visible / Behavior Changes

List user-visible changes (including defaults/config). If none, write `None`.

## Security Impact (required)

- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:

## Repro + Verification

### Environment

- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):

### Steps

1.
2.
3.

### Expected

-

### Actual

-

## Evidence

Attach at least one:

- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)

## Human Verification (required)

What you personally verified (not just CI), and how:

- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:

## Compatibility / Migration

- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:

## Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write `None`.

- Risk:
- Mitigation:

### Greptile Summary

Bumps the `fast-xml-parser` pnpm override from 5.3.4 to 5.3.6 to resolve GHSA-jmr7-xgp7-cmfj, a high-severity DoS vulnerability via entity expansion in DOCTYPE declarations. The previous override (5.3.4) fell within the vulnerable range (>=4.1.3, <5.3.6).

- `package.json`: Override version updated from 5.3.4 → 5.3.6
- `pnpm-lock.yaml`: Lockfile regenerated with the new resolution; also includes minor deduplication of `axios` and `follow-redirects` snapshots (normal lockfile normalization from `pnpm install`)
- `fast-xml-parser` is a transitive dependency (consumed by `@aws-sdk/xml-builder`), not directly imported in application code
- No functional or behavioral changes expected

### Confidence Score: 5/5

- This PR is safe to merge — it is a minimal, well-scoped dependency version bump with no source code changes.
- The change is limited to a single pnpm override version bump (5.3.4 → 5.3.6) in package.json plus the corresponding lockfile regeneration. fast-xml-parser is a transitive dependency not directly imported in source code. The lockfile diff shows only expected resolution updates and minor deduplication. No logic, configuration, or behavioral changes are introduced.
- No files require special attention.

Last reviewed commit: f02759a
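The point of this PR is that a pnpm override can itself sit inside an advisory's vulnerable range, so the number in `package.json` has to be checked against the range, not just bumped. The script below is an added example, not code from this PR or the project: it reads the `pnpm.overrides` entry for `fast-xml-parser` out of a constructed `package.json` string and tests it against the `>=4.1.3 <5.3.6` range quoted in the PR description, using a small hand-written semver comparator (major.minor.patch only, no prerelease handling) instead of the `semver` package. The two manifests and the `example-app` name are constructed for the demonstration.

```javascript
// Added example: does a pnpm override for fast-xml-parser still fall inside
// the GHSA-jmr7-xgp7-cmfj vulnerable range (>=4.1.3 <5.3.6) quoted in the PR?
// Plain Node, no dependencies. The manifests below are constructed inputs
// modelled on the "before" (5.3.4) and "after" (5.3.6) state of this PR.
const PACKAGE_JSON_BEFORE = JSON.stringify({
  name: "example-app",
  pnpm: { overrides: { "fast-xml-parser": "5.3.4" } },
});
const PACKAGE_JSON_AFTER = JSON.stringify({
  name: "example-app",
  pnpm: { overrides: { "fast-xml-parser": "5.3.6" } },
});

// Vulnerable range as stated in the PR description.
const VULNERABLE_RANGE = ">=4.1.3 <5.3.6";

// Parse "major.minor.patch" (optional leading "v", "^" or "~"; any prerelease
// or build suffix is ignored). Returns null for non-version specs like "*".
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing the three numeric components in order.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a space-separated AND-list of comparators (">=", "<=", ">", "<",
// "=" or a bare version) against a version string.
function inRange(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || "=";
    const bound = parseVersion(m[2]);
    if (!bound) throw new Error(`bad comparator: ${clause}`);
    const c = compareVersions(v, bound);
    switch (op) {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case "<": return c < 0;
      default: return c === 0;
    }
  });
}

// Look up the pnpm override for `pkg` and report whether it is vulnerable.
// `vulnerable` is null when there is no override or it is not a version.
function auditOverride(packageJsonText, pkg, vulnerableRange) {
  const manifest = JSON.parse(packageJsonText);
  const overrides = (manifest.pnpm && manifest.pnpm.overrides) || {};
  if (!(pkg in overrides)) {
    return { package: pkg, override: null, pinned: false, vulnerable: null };
  }
  const override = String(overrides[pkg]);
  const parsed = parseVersion(override);
  return {
    package: pkg,
    override,
    // An exact "x.y.z" pins the resolution; "^x.y.z" / "~x.y.z" only set a
    // floor, so the lockfile still decides what actually resolved.
    pinned: /^\d/.test(override.trim()),
    vulnerable: parsed ? inRange(override, vulnerableRange) : null,
  };
}

for (const [label, text] of [["before", PACKAGE_JSON_BEFORE], ["after", PACKAGE_JSON_AFTER]]) {
  console.log(label, auditOverride(text, "fast-xml-parser", VULNERABLE_RANGE));
}
```

Running it reports the 5.3.4 manifest as vulnerable and the 5.3.6 manifest as clear. Because the override only takes effect through the regenerated `pnpm-lock.yaml`, the companion check after merging is to confirm the resolved version in the lockfile (for example with `pnpm why fast-xml-parser`) rather than trusting the manifest alone.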
