aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Upgrade @aws-sdk/* packages to v3.347.1 to address fast-xml-parser snyk finding #11466

Closed remcotm closed 1 year ago

remcotm commented 1 year ago

Before opening, please confirm:

JavaScript Framework

Not applicable

Amplify APIs

Not applicable

Amplify Categories

Not applicable

Environment information

```
# Put output below this line
  System:
    OS: macOS 13.4
    CPU: (10) arm64 Apple M1 Pro
    Memory: 204.98 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.12.0 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 8.19.2 - /usr/local/bin/npm
  Browsers:
    Chrome: 113.0.5672.126
    Firefox: 112.0.1
    Safari: 16.5
  npmPackages:
    @apollo/client: ^3.7.14 => 3.7.14
    @apollo/client/cache: undefined ()
    @apollo/client/core: undefined ()
    @apollo/client/errors: undefined ()
    @apollo/client/link/batch: undefined ()
    @apollo/client/link/batch-http: undefined ()
    @apollo/client/link/context: undefined ()
    @apollo/client/link/core: undefined ()
    @apollo/client/link/error: undefined ()
    @apollo/client/link/http: undefined ()
    @apollo/client/link/persisted-queries: undefined ()
    @apollo/client/link/retry: undefined ()
    @apollo/client/link/schema: undefined ()
    @apollo/client/link/subscriptions: undefined ()
    @apollo/client/link/utils: undefined ()
    @apollo/client/link/ws: undefined ()
    @apollo/client/react: undefined ()
    @apollo/client/react/components: undefined ()
    @apollo/client/react/context: undefined ()
    @apollo/client/react/hoc: undefined ()
    @apollo/client/react/hooks: undefined ()
    @apollo/client/react/parser: undefined ()
    @apollo/client/react/ssr: undefined ()
    @apollo/client/testing: undefined ()
    @apollo/client/testing/core: undefined ()
    @apollo/client/utilities: undefined ()
    @apollo/client/utilities/globals: undefined ()
    @cubejs-client/core: ^0.31.15 => 0.31.63
    @cubejs-client/react: ^0.31.15 => 0.31.63
    @emotion/react: ^11.10.5 => 11.10.5
    @emotion/styled: ^11.10.5 => 11.10.5
    @fontsource/roboto: ^4.5.8 => 4.5.8
    @mui/icons-material: ^5.11.0 => 5.11.0
    @mui/material: ^5.11.8 => 5.11.8
    @tanstack/react-location: ^3.7.4 => 3.7.4
    @tanstack/react-router: ^0.0.1-beta.82 => 0.0.1-beta.82
    @testing-library/jest-dom: ^5.14.1 => 5.16.5
    @testing-library/react: ^13.0.0 => 13.4.0
    @testing-library/user-event: ^13.2.1 => 13.5.0
    @types/d3-scale-chromatic: ^3.0.0 => 3.0.0
    @types/jest: ^27.0.1 => 27.5.2
    @types/node: ^16.7.13 => 16.18.12 (18.13.0)
    @types/react: ^18.0.0 => 18.0.28
    @types/react-dom: ^18.0.0 => 18.0.10
    amazon-cognito-identity-js: ^6.2.0 => 6.2.0
    aws-amplify: ^5.2.5 => 5.2.5
    d3-scale: ^4.0.2 => 4.0.2
    d3-scale-chromatic: ^3.0.0 => 3.0.0
    graphql: ^16.6.0 => 16.6.0 (15.8.0)
    i18n-iso-countries: ^7.6.0 => 7.6.0
    jest-junit: ^15.0.0 => 15.0.0
    qrcode.react: ^3.1.0 => 3.1.0
    react: ^18.2.0 => 18.2.0
    react-countup: ^6.4.1 => 6.4.1
    react-dom: ^18.2.0 => 18.2.0
    react-jss: ^10.10.0 => 10.10.0
    react-qr-code: ^2.0.11 => 2.0.11
    react-query: ^3.39.3 => 3.39.3
    react-scripts: 5.0.1 => 5.0.1
    recharts: ^2.4.2 => 2.4.2
    typescript: ^4.4.2 => 4.9.5
    web-vitals: ^2.1.0 => 2.1.4
  npmGlobalPackages:
    @angular/cli: 15.0.0
    corepack: 0.14.2
    npm: 8.19.2
    serverless: 3.25.1
    webpack-cli: 5.0.0
    webpack: 5.75.0
    yarn: 1.22.19
```

Describe the bug

Snyk finds the following vulnerability: https://security.snyk.io/vuln/SNYK-JS-FASTXMLPARSER-5668858

It is introduced through the following paths:

```
yarn why v1.22.19
[1/4] 🤔  Why do we have the module "fast-xml-parser"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "fast-xml-parser@4.1.3"
info Reasons this module exists
   - "aws-amplify#@aws-amplify#storage#@aws-sdk#client-s3" depends on it
   - Hoisted from "aws-amplify#@aws-amplify#storage#@aws-sdk#client-s3#fast-xml-parser"
   - Hoisted from "aws-amplify#@aws-amplify#interactions#@aws-sdk#client-lex-runtime-service#@aws-sdk#client-sts#fast-xml-parser"
info Disk size without dependencies: "160KB"
info Disk size with unique dependencies: "196KB"
info Disk size with transitive dependencies: "196KB"
info Number of shared dependencies: 1
✨  Done in 0.29s.
```

A version without the vulnerability seems to have been released to @aws-sdk/* packages at v3.347.1 (https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.347.1)

Currently some of the dependencies introduced by installing aws-amplify introduce @aws-sdk packages below the version with the fix.

Expected behavior

aws-amplify uses fast-xml-parser version 4.2.4 or higher.

Reproduction steps

  1. yarn add aws-amplify
  2. yarn audit

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

cwomack commented 1 year ago

@remcotm we appreciate you for opening this issue. This is currently being investigated and we will provide an update soon.

ckhicks commented 1 year ago

To add weight to this, I've been battling these vulnerabilities with aws-amplify v5.2.5 as well:

```
fast-xml-parser  <4.2.4
Severity: high
fix available via `npm audit fix --force`
Will install aws-amplify@2.3.0, which is a breaking change
```

Appreciate your work!

cwomack commented 1 year ago

Updating everyone following this issue that PR #11489 is in the works to address this.

stocaaro commented 1 year ago

The PR to fix this has been released and we have verified that the alert does not appear using the newly released version of the library.