
chore(web): bump @aws-sdk/credential-providers to ^3.1036.0 (CVE-2026-41650)#1148

Merged
brendan-kellam merged 3 commits into main from bkellam/fix-sou-982 on Apr 23, 2026

Conversation


@brendan-kellam brendan-kellam commented Apr 23, 2026

Fixes SOU-982

Summary

  • Bumps @aws-sdk/credential-providers from ^3.1023.0 → ^3.1036.0, which transitively pulls @aws-sdk/xml-builder@3.972.19 → fast-xml-parser@5.7.1, resolving CVE-2026-41650 / GHSA-gh4j-gqv2-49f6.
  • Single copy of fast-xml-parser in the resolved tree, at the patched 5.7.1.

Why the upstream bump over a resolution override

The CVE affects fast-xml-parser's XMLBuilder comment/CDATA serialization. The AWS SDK only uses XMLParser, so the vulnerable code path is not reachable in this tree regardless. Given that, the deciding factor is which remediation leaves less mess behind:

  • A resolutions: { "fast-xml-parser": "^5.7.0" } entry would be ~30 lockfile lines but adds a permanent override that bypasses AWS SDK's own dependency ranges and needs periodic auditing.
  • This bump takes the fix through the upstream mechanism with no lingering override. Larger lockfile diff (entire AWS SDK family churn: 56 added / 53 removed) but only one manifest line changes.

Test plan

  • yarn install results in a single fast-xml-parser@5.7.1 in the tree
  • yarn build passes
  • yarn test passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Updated credential provider dependency to latest version.
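As an added illustration of the escaping gap the PR describes (toy code written for this page, not fast-xml-parser's or the AWS SDK's), here is a comment/CDATA serializer in its unsafe and hardened forms, plus a minimal reader that shows whether an injected terminator leaves stray markup behind. Helper names are hypothetical; the hardening uses the standard hyphen-spacing and split-CDATA idioms, which is an assumption about how such a fix looks rather than a description of the library's actual patch.

```javascript
// Toy serializer illustrating the escaping gap described for CVE-2026-41650.
// Hypothetical helpers, not fast-xml-parser's or the AWS SDK's code.

// Unsafe: text is wrapped verbatim, so a "-->" or "]]>" inside it closes the
// node early and everything after it is read as markup by the consumer.
function serializeUnsafe(kind, text) {
  return kind === 'comment' ? `<!--${text}-->` : `<![CDATA[${text}]]>`;
}

// Hardened: XML forbids "--" inside a comment (and a trailing "-"), so space
// the hyphens out; a CDATA terminator is split across two adjacent sections
// with the standard "]]]]><![CDATA[>" idiom, which a reader reassembles.
function serializeSafe(kind, text) {
  if (kind === 'comment') {
    return `<!--${text.replace(/-(?=-)/g, '- ').replace(/-$/, '- ')}-->`;
  }
  return `<![CDATA[${text.replace(/\]\]>/g, ']]]]><![CDATA[>')}]]>`;
}

// Minimal reader mimicking a consumer: a comment ends at the first "-->";
// a CDATA run is one or more adjacent sections whose contents concatenate.
// Whatever is left in `rest` is what an injected terminator turned into markup.
function readNode(kind, s) {
  if (kind === 'comment') {
    const end = s.indexOf('-->', 4);
    return { text: s.slice(4, end), rest: s.slice(end + 3) };
  }
  let text = '';
  let pos = 0;
  while (s.startsWith('<![CDATA[', pos)) {
    const end = s.indexOf(']]>', pos + 9);
    text += s.slice(pos + 9, end);
    pos = end + 3;
  }
  return { text, rest: s.slice(pos) };
}

// Constructed inputs carrying the two terminator sequences from the advisory.
const SAMPLES = {
  comment: 'note --><injected/><!--',
  cdata: 'a]]><injected/><![CDATA[b',
};

// Serialize a sample with the given serializer and read it back.
function roundTrip(kind, serialize) {
  return readNode(kind, serialize(kind, SAMPLES[kind]));
}
```

With the unsafe form, `rest` is non-empty for both samples (the consumer sees an extra element after the node); with the hardened form it is empty and the CDATA text round-trips byte for byte.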

…VE-2026-41650

Fixes SOU-982

Bumps `@aws-sdk/credential-providers` from `^3.1023.0` to `^3.1036.0`,
which transitively pulls in `@aws-sdk/xml-builder@3.972.19` and
`fast-xml-parser@5.7.1`, resolving CVE-2026-41650 (GHSA-gh4j-gqv2-49f6).

CVE-2026-41650 describes missing escaping of `-->` and `]]>` sequences
in `XMLBuilder`'s comment and CDATA serialization. The AWS SDK only
uses `XMLParser` (not `XMLBuilder`), so the vulnerable code path is
not reachable in this tree — this bump is an SCA-alert cleanup.

Preferred over a yarn resolution override so we follow AWS SDK's own
dependency ranges instead of bypassing them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
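As an added check for the "single fast-xml-parser@5.7.1 in the tree" criterion from the PR's test plan (example code, not the repository's own tooling): it parses a yarn.lock, collects every resolved version of a package, and passes only when exactly one copy is resolved at or above the patched release. The lockfile excerpts are constructed, and the parser assumes the classic (v1) or berry yarn.lock layouts.

```javascript
// Lockfile check for the test plan's "single fast-xml-parser at the patched version" criterion.
// Added example, not the repository's tooling; assumes classic (v1) or berry yarn.lock layouts.
// Parse yarn.lock into [{ selectors, version }]: headers are unindented lines ending in ':',
// the resolved version is an indented "version" line beneath them.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      const selectors = line.replace(/:$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Distinct resolved versions of one package; "pkg@" also matches scoped names and berry "npm:" ranges.
function resolvedVersions(lockText, pkg) {
  const versions = new Set();
  for (const e of parseLock(lockText)) {
    if (e.selectors.some((s) => s.startsWith(pkg + '@'))) versions.add(e.version);
  }
  return [...versions].sort();
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function semverGte(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return true;
}

// Pass only when exactly one copy is resolved and it is at or above minVersion.
function checkSingleVersion(lockText, pkg, minVersion) {
  const versions = resolvedVersions(lockText, pkg);
  return { ok: versions.length === 1 && semverGte(versions[0], minVersion), versions };
}

// Constructed classic-format excerpts, not the real lockfile: two copies before the bump, one after.
const LOCK_BEFORE = 'fast-xml-parser@^4.4.0:\n  version "4.4.1"\n\nfast-xml-parser@^5.7.0:\n  version "5.7.1"\n';
const LOCK_AFTER = '"@aws-sdk/xml-builder@^3.972.19":\n  version "3.972.19"\n  dependencies:\n    fast-xml-parser "5.7.1"\n\nfast-xml-parser@5.7.1:\n  version "5.7.1"\n';
```

Run `checkSingleVersion(fs.readFileSync('yarn.lock', 'utf8'), 'fast-xml-parser', '5.7.1')` against a real lockfile after `yarn install`; the returned `versions` array makes a duplicate-copy failure self-explanatory.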

brendan-kellam and others added 2 commits April 23, 2026 12:38
@brendan-kellam brendan-kellam merged commit 73c7b77 into main Apr 23, 2026
8 of 9 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/fix-sou-982 branch April 23, 2026 19:39

coderabbitai Bot commented Apr 23, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0aeee2f6-b66b-4ece-9410-8690820bb745

📥 Commits

Reviewing files that changed from the base of the PR and between 9abe2d4 and b4f652d.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • packages/web/package.json

Walkthrough

Updates @aws-sdk/credential-providers from ^3.1023.0 to ^3.1036.0 in packages/web/package.json and appends a corresponding entry under Unreleased → Fixed in CHANGELOG.md. (23 words)

Changes

Cohort / File(s): Dependency Update (packages/web/package.json, CHANGELOG.md)
Summary: Bumps @aws-sdk/credential-providers from ^3.1023.0 to ^3.1036.0 and records the bump in the changelog's Unreleased → Fixed section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • msukkari


github-actions Bot commented Apr 23, 2026

License Audit

⚠️ Status: PASS

Metric: Count
Total packages: 2059
Resolved (non-standard): 33
Unresolved: 0
Strong copyleft: 0
Weak copyleft: 39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.0 MPL-2.0 OR Apache-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (33)
Package Version Original Resolved Source
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT Apache-2.0 AND LGPL-3.0-or-later AND MIT extracted from compound SPDX expression
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT Apache-2.0 AND LGPL-3.0-or-later AND MIT extracted from compound SPDX expression
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later Apache-2.0 AND LGPL-3.0-or-later extracted from compound SPDX expression
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later Apache-2.0 AND LGPL-3.0-or-later extracted from compound SPDX expression
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later Apache-2.0 AND LGPL-3.0-or-later extracted from compound SPDX expression
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later Apache-2.0 AND LGPL-3.0-or-later extracted from compound SPDX expression
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later Apache-2.0 AND LGPL-3.0-or-later extracted from compound SPDX expression
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo aidenybai/react-grab — same maintainer (Aiden Bai, aiden.bai05@gmail.com)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab — same maintainer (Aiden Bai, aiden.bai05@gmail.com)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab — same maintainer (Aiden Bai, aiden.bai05@gmail.com)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT valid SPDX identifier (Functional Source License 1.1 with MIT future license, added in SPDX 3.23)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 GitHub API — repo livebook-dev/codemirror-lang-elixir
dompurify 3.4.0 (MPL-2.0 OR Apache-2.0) MPL-2.0 OR Apache-2.0 extracted from compound SPDX expression
element-source 0.0.3 UNKNOWN MIT GitHub repo aidenybai/react-grab — same maintainer (Aiden Bai, aiden.bai05@gmail.com)
json-schema 0.4.0 (AFL-2.1 OR BSD-3-Clause) AFL-2.1 OR BSD-3-Clause extracted from compound SPDX expression
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 GitHub API — repo livebook-dev/lezer-elixir
map-stream 0.1.0 UNKNOWN MIT GitHub API — repo dominictarr/map-stream
memorystream 0.3.1 UNKNOWN MIT npm registry — licenses field: [{"type":"MIT","url":"http://github.com/JSBizon/node-memorystream/raw/master/LICENSE"}]
pause-stream 0.0.11 MIT,Apache2 MIT OR Apache-2.0 extracted from license array field
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo PostHog/posthog-js — LICENSE file (Apache License 2.0)
type-fest 0.20.2 (MIT OR CC0-1.0) MIT OR CC0-1.0 extracted from compound SPDX expression
type-fest 0.7.1 (MIT OR CC0-1.0) MIT OR CC0-1.0 extracted from compound SPDX expression
type-fest 5.3.1 (MIT OR CC0-1.0) MIT OR CC0-1.0 extracted from compound SPDX expression
valid-url 1.0.9 UNKNOWN MIT GitHub repo ogt/valid-url — LICENSE file (MIT)
victory-vendor 36.9.2 MIT AND ISC MIT AND ISC extracted from compound SPDX expression
