fix(deps): patch aws-sdk xml-builder for fast-xml-parser 5.7 compat

seven332 · claude · seven332 · commit 21851ba77cb1 · 2026-04-23T11:25:56.000+08:00
fast-xml-parser 5.7.0 made parser.addEntity("#...") a hard error (CHANGELOG: "you cant add numeric external entity"). @aws-sdk/xml-builder@3.972.18 still calls parser.addEntity("#xD", "\r") and addEntity("#10", "\n") as a legacy fallback for S3/STS XML responses containing &#xD; / &#10; character refs. Our fast-xml-parser override to >=5.7.0 (for GHSA-gh4j-gqv2-49f6) therefore caused every S3 ListObjectsV2 / STS GetCallerIdentity call to throw "Invalid character '#' in entity name: '#xD'" during XML deserialization, surfacing as 500s from agent delete in e2e ser-t05-zero-agent.bats. Patch drops both addEntity lines. fast-xml-parser 5.7.x decodes &#xD; and &#10; internally (CHANGELOG 5.6.0: "fix: entity replacement for numeric entities"), so the fallback is functionally redundant. Refs: - aws/aws-sdk-js-v3#7949 - aws-amplify/amplify-backend#3172 - Upstream replacement PR aws/aws-sdk-js-v3#7863 (still open) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/turbo/package.json b/turbo/package.json
@@ -69,6 +69,9 @@
       "smol-toml": ">=1.6.1",
       "@opentelemetry/instrumentation": ">=0.213.0",
       "zod": "4.3.6"
+    },
+    "patchedDependencies": {
+      "@aws-sdk/xml-builder@3.972.18": "patches/@aws-sdk__xml-builder@3.972.18.patch"
     }
   },
   "packageManager": "pnpm@10.15.0",
diff --git a/turbo/patches/@aws-sdk__xml-builder@3.972.18.patch b/turbo/patches/@aws-sdk__xml-builder@3.972.18.patch
@@ -0,0 +1,26 @@
+diff --git a/dist-cjs/xml-parser.js b/dist-cjs/xml-parser.js
+index 31499ae6d0d8319b58891fa870744493503c805b..d21356d4b862b461c6d82c9e154161974c23d56c 100644
+--- a/dist-cjs/xml-parser.js
++++ b/dist-cjs/xml-parser.js
+@@ -16,8 +16,6 @@ const parser = new fast_xml_parser_1.XMLParser({
+     tagValueProcessor: (_, val) => (val.trim() === "" && val.includes("\n") ? "" : undefined),
+     maxNestedTags: Infinity,
+ });
+-parser.addEntity("#xD", "\r");
+-parser.addEntity("#10", "\n");
+ function parseXML(xmlString) {
+     return parser.parse(xmlString, true);
+ }
+diff --git a/dist-es/xml-parser.js b/dist-es/xml-parser.js
+index 9bd0f4ba572f221544c4c692092bd128bb57f9f0..9bb8d52f29bc921a05174561e861044218bf8ec1 100644
+--- a/dist-es/xml-parser.js
++++ b/dist-es/xml-parser.js
+@@ -13,8 +13,6 @@ const parser = new XMLParser({
+     tagValueProcessor: (_, val) => (val.trim() === "" && val.includes("\n") ? "" : undefined),
+     maxNestedTags: Infinity,
+ });
+-parser.addEntity("#xD", "\r");
+-parser.addEntity("#10", "\n");
+ export function parseXML(xmlString) {
+     return parser.parse(xmlString, true);
+ }
diff --git a/turbo/pnpm-lock.yaml b/turbo/pnpm-lock.yaml
