fast-xml-parser vulnerability in bundled @aws-sdk deps cannot be fixed by consumers via npm overrides

[curtisshaffer]

Summary

@cdklabs/cdk-ecs-codedeploy bundles its own copy of @aws-sdk packages inside
node_modules/@cdklabs/cdk-ecs-codedeploy/node_modules/. These contain a transitive
dependency on a vulnerable version of fast-xml-parser, which npm audit flags as high
severity. Because these are nested (vendored) copies, npm overrides in consuming
projects have no effect.

Vulnerability Chain

fast-xml-parser (GHSA-37qj-frw5-hhjh, GHSA-jmr7-xgp7-cmfj)
└─ @aws-sdk/xml-builder (3.894.0 - 3.972.2)
└─ @aws-sdk/core (3.894.0 - 3.972.0)
└─ @aws-sdk/client-codedeploy (3.894.0 - 3.972.0)
└─ @cdklabs/cdk-ecs-codedeploy ← vendored here, unreachable by overrides

Why overrides don't work

npm overrides can only force resolution of packages at the top-level dependency tree.
When a package vendors its own node_modules, npm treats that subtree as a sealed unit and
overrides in the consumer's package.json cannot penetrate it.

Reproduction

npm audit in any project that depends on @cdklabs/cdk-ecs-codedeploy

Impact

All consuming projects are stuck with a high-severity audit failure until this package
publishes an update. There is no workaround available to consumers.

Suggested Fix

Short-term

Update the vendored @aws-sdk/* packages to >=3.973.0, which pulls in a patched
fast-xml-parser.
Test and Merge #1133 in order to do that.

Long-term (preferred)

The underlying issue is that the @aws-sdk/client-codedeploy SDK client is used inside
a Lambda custom resource, but is being shipped as part of the CDK construct's npm
package dependency tree. The recommended CDK pattern is:

1. Bundle the Lambda handler code as an asset at build time (e.g. using esbuild or
   ncc) — the SDK gets compiled into the Lambda zip, not installed into node_modules
   of the CDK package.
2. Remove @aws-sdk/* from dependencies in the CDK package's package.json. These
   are only needed at Lambda runtime, not by the CDK construct at synth time.

This is how the CDK itself handles custom resource providers (see aws-cdk-lib's
custom-resources module — Lambda handler code is pre-bundled as .js assets, with no
@aws-sdk entries in the CDK package's node_modules).

This approach means:

• Consuming projects' npm audit is no longer affected by the Lambda's runtime deps.
• The Lambda bundle size can be minimized (tree-shaking, single-file output).
• Security patches to the Lambda's SDK deps are released as part of your normal build
  pipeline, not gated on npm publishing a whole new package version just to bump a
  transitive dep.

References

• GHSA-37qj-frw5-hhjh (fast-xml-parser RangeError DoS)
• GHSA-jmr7-xgp7-cmfj (fast-xml-parser DoS via DOCTYPE entity expansion)