[Security] Update dependency fast-xml-parser to v5.x to address critical finding

[abd-hazeke]

A vulnerability was recently identified in the fast-xml-parser package, which is currently a dependency (or sub-dependency) of eslint-plugin-lwc. We use this plugin within the Salesforce Code Analyzer for scanning LWC/JS components, and this CVE is now appearing in our security audits.

Link for cve: https://nvd.nist.gov/vuln/detail/CVE-2026-25128

[siva-bathula]

We are also facing the same issue, and would love to see a fast resolution. I also see a PR #212 which is intended to fix the same.

[abd-hazeke]

We have now found a Critical finding for fast-xml-parser. Can this be resolved soon
Critical Finding: fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
CVE: https://www.cve.org/CVERecord?id=CVE-2026-25896

Separately we found 2 more vulnerability for the following modules:

1. minimatch - High finding (https://www.cve.org/CVERecord?id=CVE-2026-26996)
2. ajv - High finding (https://www.cve.org/CVERecord?id=CVE-2025-69873)