fix: bump fast-xml-parser override to 5.5.7 (CVE-2026-33036, CVE-2026-33349)

[Hweinstock]

Description

CI security:audit step fails due to two high-severity CVEs in fast-xml-parser:

• GHSA-8gc5-j5rx-235r (CVE-2026-33036): numeric entity expansion bypasses all entity expansion limits (affects <= 5.5.5)
• GHSA-jp2q-39xq-3w4g (CVE-2026-33349): entity expansion limits bypassed when set to zero due to JavaScript falsy evaluation (affects <= 5.5.6)

The existing npm override pins fast-xml-parser to 5.3.9, which is in the vulnerable range. The override is needed because @aws-sdk/xml-builder hasn't updated its fast-xml-parser dependency yet. Bumps the override from 5.3.9 → 5.5.7 (the patched version). The repo doesn't use fast-xml-parser directly — it's purely a transitive dependency of @aws-sdk/xml-builder. No breaking API changes in the 5.3 → 5.5 range.

Related Issue

N/A — CI security audit failure, no tracking issue.

Documentation PR

N/A

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Other (please describe):

Testing

How have you tested the change?

• I ran npm run test:unit and npm run test:integ
• I ran npm run typecheck
• I ran npm run lint
• If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

npm run security:audit (npm audit --audit-level=high --omit=dev) passes with 0 vulnerabilities.

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.