bump aws-sdk/client-s3 to 3.1045.0#238

Merged: shazron merged 1 commit into adobe:master from thedoc31:patch-1 on May 11, 2026

Conversation

@thedoc31 thedoc31 (Contributor) commented May 8, 2026

Resolves critical CVE-2026-25128 (GHSA-37qj-frw5-hhjh) — a RangeError DoS via malformed numeric entities in fast-xml-parser, affecting versions < 5.3.4.

Description

Bumps @aws-sdk/client-s3 to 3.1045.0, which transitively pulls in @aws-sdk/xml-builder@3.972.22 → fast-xml-parser@5.7.2, resolving the critical vulnerability present in the previously pinned fast-xml-parser@5.2.5.

Related Issue

Resolves CVE-2026-25128 / GHSA-37qj-frw5-hhjh

Motivation and Context

fast-xml-parser@5.2.5 (pulled in via @aws-sdk/xml-builder@3.965.0) contains a critical RangeError Denial-of-Service vulnerability triggered by malformed numeric entities in XML input. An attacker able to supply crafted XML payloads could crash the Node.js process. Upgrading @aws-sdk/client-s3 to 3.1045.0 resolves the full vulnerability chain.

Dependency chain before:

@aws-sdk/client-s3 → @aws-sdk/xml-builder@3.965.0 → fast-xml-parser@5.2.5 ❌

Dependency chain after:

@aws-sdk/client-s3@3.1045.0 → @aws-sdk/xml-builder@3.972.22 → fast-xml-parser@5.7.2 ✅

How Has This Been Tested?

  • Verified the resolved dependency tree via npm install --dry-run confirming fast-xml-parser@5.7.2 is installed.
  • Confirmed @aws-sdk/xml-builder@3.972.22 ships fast-xml-parser@5.7.2 via npm info.
  • Existing test suite passed with no regressions.

Screenshots (if appropriate):

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@codecov codecov bot commented May 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@pru55e11 pru55e11 (Contributor) left a comment
LGTM. Validated locally on the patch-1 branch:

  • CVE fix confirmed: npm ls fast-xml-parser resolves to 5.7.2, npm audit reports 0 vulnerabilities at any severity.
  • No peer-dep drift: @smithy/node-http-handler dedupes to a single 4.7.0 across the entire tree, so the user-supplied NodeHttpHandler(ProxyAgent) in lib/remote-storage.js and the SDK's internal handler are the same module. No additional bump needed.
  • Unit tests + lint: 132/132 passing, 100% coverage, eslint clean.
  • Real S3 round-trip via Adobe TVM: bundled the e2e/sample-app, called deployWeb → listObjectsV2 → undeployWeb → listObjectsV2 against a real workspace. 5 objects uploaded via putObject, all 5 removed by deleteObjects, post-undeploy KeyCount=0. The new SDK default requestChecksumCalculation: 'WHEN_SUPPORTED' is accepted by TVM-fronted S3 with no issues.
  • e2e flake: npm run e2e fails the undeploy test with expected 404, got 200, but that's CDN cache (s-maxage=60 set on deploy, fetch happens ~1.7s later). Direct S3 listing after undeploy is empty, so the SDK is fine. Pre-existing, unrelated.

Approving.
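Both the PR description's "How Has This Been Tested?" steps and the review above rely on checking that every transitive copy of fast-xml-parser in the resolved tree is at or above the fixed release. The script below is an added example (not code from the PR or the adobe project) that performs that check over the JSON shape `npm ls --all --json` emits; the `FIXED` bound and the 3.965.0 / 5.2.5 / 3.972.22 / 5.7.2 versions come from the PR text, while the trees themselves and the pre-bump client-s3 version are constructed placeholders.

```javascript
// Added example: audit a resolved dependency tree (npm ls --all --json shape)
// for copies of a package below its fixed version. Not the project's own code.
const FIXED = '5.3.4'; // first fast-xml-parser release without the CVE, per the PR

// Constructed sample trees mirroring the before/after chains in the PR.
// The client-s3 version in the "before" tree is a placeholder: the PR does not state it.
const SAMPLE_TREE_BEFORE = {
  name: 'sample-app', version: '1.0.0',
  dependencies: { '@aws-sdk/client-s3': { version: '3.0.0', dependencies: {
    '@aws-sdk/xml-builder': { version: '3.965.0', dependencies: {
      'fast-xml-parser': { version: '5.2.5' } } } } } },
};
const SAMPLE_TREE_AFTER = {
  name: 'sample-app', version: '1.0.0',
  dependencies: { '@aws-sdk/client-s3': { version: '3.1045.0', dependencies: {
    '@aws-sdk/xml-builder': { version: '3.972.22', dependencies: {
      'fast-xml-parser': { version: '5.7.2' } } } } } },
};

// Numeric comparison of dotted core versions (major.minor.patch); no pre-release handling.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk returning every resolved copy of `pkg`, with the path that pulls it in.
// Nested (non-deduped) copies are reported separately, since each must be fixed on its own.
function findPackage(tree, pkg, path = [tree.name]) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) hits.push({ version: node.version, path: here.join(' → ') });
    hits.push(...findPackage({ name, ...node }, pkg, here));
  }
  return hits;
}

// Copies of `pkg` strictly below `fixed`; an empty result means the tree is clean.
function vulnerableCopies(tree, pkg, fixed) {
  return findPackage(tree, pkg).filter((h) => compareSemver(h.version, fixed) < 0);
}

for (const v of vulnerableCopies(SAMPLE_TREE_BEFORE, 'fast-xml-parser', FIXED)) {
  console.log(`vulnerable: ${v.path}`);
}
```

To run it against a real project, replace the constructed trees with `JSON.parse` of the output of `npm ls --all --json`.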

@shazron shazron merged commit 7e8bf9a into adobe:master May 11, 2026
11 checks passed