
[Aikido] Fix 8 security issues in @aws-sdk/client-secrets-manager, @aws-sdk/credential-providers, minimatch and 2 more #26

Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-18842176-birx

Conversation

aikido-autofix bot commented Mar 10, 2026

Upgrade dependencies to fix critical XML parsing vulnerabilities including XSS via entity shadowing, XML bomb DoS attacks, and stack overflow crashes in fast-xml-parser.

✅ 8 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-25896 | 🚨 CRITICAL | [fast-xml-parser] A dot (.) in DOCTYPE entity names is treated as a regex wildcard, allowing attackers to shadow built-in XML entities with arbitrary values and bypass entity encoding. This leads to XSS when parsed output is rendered. |
| CVE-2026-26278 | HIGH | [fast-xml-parser] XML entity expansion vulnerability allows attackers to cause denial of service by forcing unlimited entity expansion with minimal input, potentially freezing the application for extended periods. |
| CVE-2026-27942 | HIGH | [fast-xml-parser] XML builder with preserveOrder:true causes stack overflow leading to denial of service when processing certain inputs. The application crashes due to improper recursion handling during XML construction. |
| CVE-2026-26996 | LOW | [minimatch] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. Applications passing user-controlled strings as patterns to minimatch() are vulnerable to severe performance degradation or hangs. |
| CVE-2026-27903 | LOW | [minimatch] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, enabling attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [minimatch] Nested extglobs (*() and +()) generate regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input patterns triggering multi-second hangs. |
| GHSA-6475-r3vj-m8vf | LOW | [@smithy/config-resolver] An attacker with environment access could set an invalid region value, potentially routing AWS API calls to non-AWS hosts. A validation enhancement was added to prevent improper endpoint construction through region input validation. |
| CVE-2025-69873 | LOW | [ajv] A ReDoS vulnerability allows attackers to inject malicious regex patterns via the $data option, causing catastrophic backtracking and CPU exhaustion. A 31-character payload can block execution for ~44 seconds, enabling complete denial of service with minimal effort. |
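
The two fast-xml-parser entries above (entity shadowing via DOCTYPE entity names, and unbounded entity expansion) both depend on a DOCTYPE carrying ENTITY declarations reaching the parser. The following Node.js guard is an added example, not code from the Aikido PR, from fast-xml-parser, or from this repository: it screens untrusted XML before any parser sees it, refusing DTDs by default and, where a DTD must be accepted, rejecting entity names that could shadow the predefined entities (including dotted names, per the CVE-2026-25896 description) and bounding the expanded size of the document with arithmetic rather than by building the string. The option names, thresholds and sample documents are all constructed for illustration; upgrading the dependency remains the actual fix and this is defence in depth.

```javascript
// Added example: a pre-parse guard for untrusted XML. Not code from the Aikido
// PR, from fast-xml-parser or from this repository. Option names, thresholds
// and the sample documents below are constructed for illustration.

const PREDEFINED_ENTITIES = new Set(['lt', 'gt', 'amp', 'quot', 'apos']);

// Internal-subset general entity declarations: <!ENTITY name "value">.
// Plain linear scans only, so the guard cannot itself be driven into backtracking.
function collectEntityDeclarations(xml) {
  const decls = new Map();
  const re = /<!ENTITY\s+([^\s"'<>&]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    decls.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return decls;
}

// Length of `text` once every reference to a declared entity is expanded,
// recursively. Memoised, so a billion-laughs chain is costed by arithmetic,
// never by building the string; a self-referencing entity costs Infinity.
function expandedLength(text, decls, memo = new Map(), visiting = new Set()) {
  const refRe = /&([^\s;&]+);/g;
  let total = 0;
  let last = 0;
  let r;
  while ((r = refRe.exec(text)) !== null) {
    total += r.index - last;
    const name = r[1];
    if (decls.has(name)) {
      if (visiting.has(name)) return Infinity;
      if (!memo.has(name)) {
        visiting.add(name);
        memo.set(name, expandedLength(decls.get(name), decls, memo, visiting));
        visiting.delete(name);
      }
      total += memo.get(name);
    } else {
      total += r[0].length; // predefined (&lt; etc.) or undeclared: left as written
    }
    last = r.index + r[0].length;
  }
  return total + (text.length - last);
}

// Returns { ok: true, expansion } or { ok: false, reason }.
// Default policy: no DOCTYPE at all. With allowDtd, declarations are checked and
// the expanded size of the body is bounded by expansionBudget characters.
function checkUntrustedXml(xml, { allowDtd = false, expansionBudget = 10000, maxBytes = 1024 * 1024 } = {}) {
  if (typeof xml !== 'string') return { ok: false, reason: 'input is not a string' };
  if (new TextEncoder().encode(xml).length > maxBytes) return { ok: false, reason: 'document exceeds size budget' };
  if (!/<!DOCTYPE/i.test(xml)) return { ok: true, expansion: xml.length };
  if (!allowDtd) return { ok: false, reason: 'DOCTYPE declarations are not accepted' };
  // External entities are outside the scope of the CVEs above but would slip past
  // the literal-value scan below, so refuse them explicitly.
  if (/<!ENTITY\s[^>]*\b(SYSTEM|PUBLIC)\b/i.test(xml)) return { ok: false, reason: 'external entities are not accepted' };
  const decls = collectEntityDeclarations(xml);
  for (const name of decls.keys()) {
    // A name equal to a predefined entity, or containing a dot (the wildcard
    // behaviour described for CVE-2026-25896), could shadow built-in escaping.
    // Deliberately conservative.
    if (PREDEFINED_ENTITIES.has(name) || name.includes('.')) {
      return { ok: false, reason: `entity name "${name}" may shadow a predefined entity` };
    }
  }
  const subsetEnd = xml.indexOf(']>'); // end of the internal subset, if any
  const body = subsetEnd >= 0 ? xml.slice(subsetEnd + 2) : xml;
  const expansion = expandedLength(body, decls);
  if (!(expansion <= expansionBudget)) { // also catches Infinity
    return { ok: false, reason: 'entity expansion exceeds budget', expansion };
  }
  return { ok: true, expansion };
}

// Constructed samples. Three levels of ten references expand "lol" to 3000
// characters; every further level multiplies that by ten.
const BILLION_LAUGHS_SAMPLE = [
  '<?xml version="1.0"?>',
  '<!DOCTYPE lolz [',
  ' <!ENTITY lol "lol">',
  ' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">',
  ' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">',
  ' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">',
  ']>',
  '<lolz>&lol3;</lolz>',
].join('\n');
const SHADOW_SAMPLE = '<!DOCTYPE d [<!ENTITY l.t "not-an-escape">]><d>&lt;b&gt;</d>';
const BENIGN_SAMPLE = '<order><id>42</id><note>a &amp; b</note></order>';
```

Run `checkUntrustedXml(body)` on a request body before handing it to the parser; the default configuration rejects any DOCTYPE, and `checkUntrustedXml(body, { allowDtd: true, expansionBudget: 1000 })` reports the billion-laughs sample with an expansion of 3014 characters and refuses it, while the benign sample passes untouched. Because the cost is computed with memoised arithmetic, a deeper chain is rejected in the same time as a shallow one.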

@github-actions

Package lock diff

 2.4.1 -> 2.6.0
node_modules/@aws-sdk/client-cognito-identity 3.840.0 -> 3.1006.0
node_modules/@aws-sdk/client-secrets-manager 3.840.0 -> 3.1006.0
node_modules/@aws-sdk/client-sso removed
node_modules/@aws-sdk/core 3.840.0 -> 3.973.19
node_modules/@aws-sdk/credential-provider-cognito-identity 3.840.0 -> 3.972.11
node_modules/@aws-sdk/credential-provider-env 3.840.0 -> 3.972.17
node_modules/@aws-sdk/credential-provider-http 3.840.0 -> 3.972.19
node_modules/@aws-sdk/credential-provider-ini 3.840.0 -> 3.972.18
node_modules/@aws-sdk/credential-provider-node 3.840.0 -> 3.972.19
node_modules/@aws-sdk/credential-provider-process 3.840.0 -> 3.972.17
node_modules/@aws-sdk/credential-provider-sso 3.840.0 -> 3.972.18
node_modules/@aws-sdk/credential-provider-web-identity 3.840.0 -> 3.972.18
node_modules/@aws-sdk/credential-providers 3.840.0 -> 3.1006.0
node_modules/@aws-sdk/middleware-host-header 3.840.0 -> 3.972.7
node_modules/@aws-sdk/middleware-logger 3.840.0 -> 3.972.7
node_modules/@aws-sdk/middleware-recursion-detection 3.840.0 -> 3.972.7
node_modules/@aws-sdk/middleware-user-agent 3.840.0 -> 3.972.20
node_modules/@aws-sdk/nested-clients 3.840.0 -> 3.996.8
node_modules/@aws-sdk/region-config-resolver 3.840.0 -> 3.972.7
node_modules/@aws-sdk/token-providers 3.840.0 -> 3.1005.0
node_modules/@aws-sdk/types 3.840.0 -> 3.973.5
node_modules/@aws-sdk/util-endpoints 3.840.0 -> 3.996.4
node_modules/@aws-sdk/util-user-agent-browser 3.840.0 -> 3.972.7
node_modules/@aws-sdk/util-user-agent-node 3.840.0 -> 3.973.5
node_modules/@aws-sdk/xml-builder 3.821.0 -> 3.972.10
node_modules/@smithy/abort-controller 4.0.4 -> 4.2.11
node_modules/@smithy/config-resolver 4.1.4 -> 4.4.10
node_modules/@smithy/core 3.6.0 -> 3.23.9
node_modules/@smithy/credential-provider-imds 4.0.6 -> 4.2.11
node_modules/@smithy/fetch-http-handler 5.0.4 -> 5.3.13
node_modules/@smithy/hash-node 4.0.4 -> 4.2.11
node_modules/@smithy/invalid-dependency 4.0.4 -> 4.2.11
node_modules/@smithy/is-array-buffer 4.0.0 -> 4.2.2
node_modules/@smithy/middleware-content-length 4.0.4 -> 4.2.11
node_modules/@smithy/middleware-endpoint 4.1.13 -> 4.4.23
node_modules/@smithy/middleware-retry 4.1.14 -> 4.4.40
node_modules/@smithy/middleware-serde 4.0.8 -> 4.2.12
node_modules/@smithy/middleware-stack 4.0.4 -> 4.2.11
node_modules/@smithy/node-config-provider 4.1.3 -> 4.3.11
node_modules/@smithy/node-http-handler 4.0.6 -> 4.4.14
node_modules/@smithy/property-provider 4.0.4 -> 4.2.11
node_modules/@smithy/protocol-http 5.1.2 -> 5.3.11
node_modules/@smithy/querystring-builder 4.0.4 -> 4.2.11
node_modules/@smithy/querystring-parser 4.0.4 -> 4.2.11
node_modules/@smithy/service-error-classification 4.0.6 -> 4.2.11
node_modules/@smithy/shared-ini-file-loader 4.0.4 -> 4.4.6
node_modules/@smithy/signature-v4 5.1.2 -> 5.3.11
node_modules/@smithy/smithy-client 4.4.5 -> 4.12.3
node_modules/@smithy/types 4.3.1 -> 4.13.0
node_modules/@smithy/url-parser 4.0.4 -> 4.2.11
node_modules/@smithy/util-base64 4.0.0 -> 4.3.2
node_modules/@smithy/util-body-length-browser 4.0.0 -> 4.2.2
node_modules/@smithy/util-body-length-node 4.0.0 -> 4.2.3
node_modules/@smithy/util-buffer-from 4.0.0 -> 4.2.2
node_modules/@smithy/util-config-provider 4.0.0 -> 4.2.2
node_modules/@smithy/util-defaults-mode-browser 4.0.21 -> 4.3.39
node_modules/@smithy/util-defaults-mode-node 4.0.21 -> 4.2.42
node_modules/@smithy/util-endpoints 3.0.6 -> 3.3.2
node_modules/@smithy/util-hex-encoding 4.0.0 -> 4.2.2
node_modules/@smithy/util-middleware 4.0.4 -> 4.2.11
node_modules/@smithy/util-retry 4.0.6 -> 4.2.11
node_modules/@smithy/util-stream 4.2.2 -> 4.5.17
node_modules/@smithy/util-uri-escape 4.0.0 -> 4.2.2
node_modules/@smithy/util-utf8 4.0.0 -> 4.2.2
node_modules/@types/uuid removed
node_modules/ajv 6.12.6 -> 6.14.0
node_modules/bowser 2.11.0 -> 2.14.1
node_modules/fast-xml-parser 4.4.1 -> 5.4.1
node_modules/filelist/node_modules/minimatch 5.1.6 -> 5.1.9
node_modules/minimatch 3.1.2 -> 3.1.5
node_modules/strnum 1.1.2 -> 2.2.0
node_modules/uuid removed
node_modules/@aws-sdk/credential-provider-login added
node_modules/@aws/lambda-invoke-store added
node_modules/@smithy/uuid added
node_modules/fast-xml-builder added
node_modules/path-expression-matcher added
