Bump fast-xml-parser and @aws-sdk/client-securityhub #106

Merged
github-actions[bot] merged 1 commit into main from dependabot/npm_and_yarn/multi-76850534c4
Apr 11, 2026

dependabot bot commented on behalf of github on Apr 11, 2026

Bumps fast-xml-parser and @aws-sdk/client-securityhub. These dependencies needed to be updated together.
Updates fast-xml-parser from 4.4.1 to 5.5.11

Release notes

Sourced from fast-xml-parser's releases.

performance improvement, increase entity expansion default limit

  • increase default entity expansion limit as many projects demand for that
        maxEntitySize: 10000,
        maxExpansionDepth: 10000,
        maxTotalExpansions: Infinity,
        maxExpandedLength: 100000,
        maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typings and matcher instance in callbacks

  • combine typings file to avoid configuration changes
  • pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

  • fix: entity expansion limits
  • update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependencies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

Separate Builder

XML Builder was a part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.11 / 2026-04-08

  • Performance Improvement
    • integrate ExpressionSet for stopNodes

5.5.10 / 2026-04-03

  • increase default entity expansion limit as many projects demand for that
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entity expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

... (truncated)

Updates @aws-sdk/client-securityhub from 3.751.0 to 3.1029.0

Release notes

Sourced from @aws-sdk/client-securityhub's releases.

v3.1029.0

3.1029.0 (2026-04-10)

New Features
  • client-observabilityadmin: CloudWatch Observability Admin adds support for multi-region telemetry evaluation and telemetry enablement rules. (861e172a)
  • client-rtbfabric: Adds optional health check configuration for Responder Gateways with ASG Managed Endpoints. When provided, RTB Fabric continuously probes customers' instance IPs and routes traffic only to healthy ones, reducing errors during deployments, scaling events, and instance failures. (3e890437)
  • client-ecs: Minor updates to exceptions for completeness (788ab4a6)
  • client-devops-agent: Devops Agent now supports associate Splunk, Datadog and custom MCP server to an Agent Space. (44503175)
  • client-mediaconvert: Adds support for MV-HEVC video output and clear lead for AV1 DRM output. (812d3dad)
  • client-imagebuilder: Image pipelines can now automatically apply tags to images they create. Set the imageTags property when creating or updating your pipelines to get started. (5eb366f5)
  • client-sagemaker: Support new SageMaker StartClusterHealthCheck API for on-demand DHC on Hyperpod EKS cluster. Support updated CreateCluster, UpdateCluster, DescribeCluster, BatchAddClusterNodes APIs for flexible instance group on HyperPod cluster (dfcde032)
  • client-connect: Conversational Analytics for Email (fd2820f8)

For list of updated packages, view updated-packages.md in assets-3.1029.0.zip

v3.1028.0

3.1028.0 (2026-04-09)

Chores
New Features
  • client-bcm-dashboards: Scheduled email reports of Billing and Cost Management Dashboards (5e7231a1)
  • client-mediaconnect: Adds support for MediaLive Channel-type Router Inputs. (858c746d)
  • client-bedrock-agentcore: Introducing support for SearchRegistryRecords API on AgentCoreRegistry (6ac1ecc5)
  • client-sagemaker: Release support for g7e instance types for SageMaker HyperPod (c92e9e66)
  • client-bedrock-agentcore-control: Initial release for CRUDL in AgentCore Registry Service (ec576322)
  • client-redshift-data: The BatchExecuteStatement API now supports named SQL parameters, enabling secure batch queries with parameterized values. This enhancement helps prevent SQL injection vulnerabilities and improves query reusability. (de8f2afb)

For list of updated packages, view updated-packages.md in assets-3.1028.0.zip

v3.1027.0

3.1027.0 (2026-04-08)

New Features
  • clients: update client endpoints as of 2026-04-08 (88eb6682)
  • client-outposts: Add AWS Outposts APIs to view renewal pricing options and submit renewal requests for Outpost contracts (ba6c2a7e)
  • client-ecr: Add UnableToListUpstreamImageReferrersException in ListImageReferrers (459df0bc)
  • client-backup: Adding EKS specific backup vault notification types for AWS Backup. (c5badfde)
  • client-marketplace-discovery: AWS Marketplace Discovery API provides an interface that enables programmatic access to the AWS Marketplace catalog, including searching and browsing listings, retrieving product details and fulfillment options, and accessing public and private offer pricing and terms. (1523d996)

... (truncated)

Changelog

Sourced from @aws-sdk/client-securityhub's changelog.

3.1029.0 (2026-04-10)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1028.0 (2026-04-09)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1027.0 (2026-04-08)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1026.0 (2026-04-07)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1025.0 (2026-04-06)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1024.0 (2026-04-03)

Note: Version bump only for package @aws-sdk/client-securityhub

3.1023.0 (2026-04-02)

... (truncated)

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/client-securityhub](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-securityhub). These dependencies needed to be updated together.

Updates `fast-xml-parser` from 4.4.1 to 5.5.11
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/commits)

Updates `@aws-sdk/client-securityhub` from 3.751.0 to 3.1029.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-securityhub/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1029.0/clients/client-securityhub)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.11
  dependency-type: indirect
- dependency-name: "@aws-sdk/client-securityhub"
  dependency-version: 3.1029.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Apr 11, 2026
github-actions bot merged commit 5d4bab9 into main on Apr 11, 2026
5 of 6 checks passed
dependabot bot deleted the dependabot/npm_and_yarn/multi-76850534c4 branch on April 11, 2026 00:22