UPDATE `fast-xml-parser` to fix `CVE-2026-25128`

[thienscmon]

Audit Report:

fast-xml-parser  4.3.6 - 5.3.3
Severity: high
fast-xml-parser has RangeError DoS Numeric Entities Bug - https://github.com/advisories/GHSA-37qj-frw5-hhjh
fix available via `npm audit fix --force`
Will install firebase-admin@12.7.0, which is a breaking change
node_modules/fast-xml-parser
  @google-cloud/storage  >=7.12.1
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@google-cloud/storage
    firebase-admin  >=13.0.0
    Depends on vulnerable versions of @google-cloud/storage
    node_modules/firebase-admin

[lahirumaramba]

Hey @thienscmon, thanks for submitting this issue. Unfortunately, we can't simply just upgrade the cloud storage dependency as the latest version of @google-cloud/storage bumped the typescript version, which we consider as a breaking change. We are currently looking into this.

One option is to go ahead and include the typescript upgrade in a minor version bump of Firebase Admin Node.js, which I think is a reasonable step to address a vulnerability. We will use this issue for any updates.