chore: update Bedrock and Vertex dependencies for security #972

Open
lokinhh wants to merge 2 commits into anthropics:main from lokinhh:main

Conversation

lokinhh commented Apr 3, 2026

Summary

  • Updated Bedrock AWS SDK dependencies
    • Upgraded @aws-sdk/client-bedrock-runtime and @aws-sdk/credential-providers in the Bedrock SDK to 3.1023.0 (and related @aws-sdk/* / @smithy/* transitive dependencies).
    • Ensures the Bedrock SDK is aligned with the latest AWS SDK v3 patches, including security and stability fixes in the HTTP stack, retry middleware, and endpoint resolution.
  • Pinned and upgraded fast-xml-parser in the Bedrock SDK
    • Added an explicit fast-xml-parser dependency to packages/bedrock-sdk/package.json.
    • Upgraded fast-xml-parser to 5.5.8, which is not affected by the CVEs reported by Trivy for 4.4.1.
    • Regenerated packages/bedrock-sdk/yarn.lock so that XML parsing now relies on a non-vulnerable version.
  • Upgraded auth-related dependencies in the Vertex SDK
    • Upgraded google-auth-library in the Vertex SDK to 9.15.1, pulling in newer transitive dependencies for HTTP, token handling, and JWT signing.
    • Upgraded jws to 4.0.1 to address the advisory about improper signature verification in the HS256 algorithm.
    • Regenerated packages/vertex-sdk/yarn.lock to reflect the new google-auth-library/jws versions and their transitive tree.
  • Verified security posture with Trivy
    • Ran trivy fs . against the whole repository.
    • Confirmed that all yarn.lock files (root, aws-sdk, bedrock-sdk, foundry-sdk, vertex-sdk) now report 0 vulnerabilities.
    • Remaining Trivy output is limited to non-blocking parser warnings about tsc-multi being installed from a GitHub tarball, not security issues in the runtime dependencies.

Testing

  • yarn
  • yarn build
  • trivy fs .
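A check a reviewer would want alongside the Trivy run: a yarn v1 lockfile can carry several entries for the same package (the explicit 5.5.8 pin and a transitive 4.4.1 can coexist), so "0 vulnerabilities" should be confirmed by reading which versions the lockfile actually resolves. The script below is an added example, not code from this PR or the repository; it parses the yarn.lock v1 format, prints every resolved version of a package, and fails when any of them is older than a minimum. The lockfile excerpt it runs against is constructed inline (the entry names mirror the packages named in the PR, but the entries are not the PR's real lockfile); `LOCKCHECK_NO_DEMO` and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of PR #972): verify what versions a yarn.lock v1
# file actually resolves for a package, independently of the scanner output.

lock_version() {
  # $1 = path to yarn.lock, $2 = package name (scoped names allowed)
  # Prints every resolved version of the package, one per line, sorted.
  # yarn.lock v1 entry headers start in column 0 and end with ":", e.g.
  #   fast-xml-parser@^5.5.8:
  #   jws@^3.2.2, jws@^4.0.0:
  #   "@aws-sdk/client-bedrock-runtime@^3.1023.0":
  # and are followed by an indented line:  version "5.5.8"
  awk -v pkg="$2" '
    /^[^ ]/ && /:$/ {
      hit = 0
      n = split($0, specs, ",")
      for (i = 1; i <= n; i++) {
        s = specs[i]
        gsub(/^[ "]+|[":]+$/, "", s)          # drop quotes, spaces, trailing colon
        if (sub(/@[^@]*$/, "", s) && s == pkg) hit = 1   # strip the range after the last "@"
      }
      next
    }
    hit && /^  version / { v = $2; gsub(/"/, "", v); print v; hit = 0 }
  ' "$1" | sort -uV
}

version_ge() {
  # Returns 0 when $1 >= $2 under version ordering (sort -V).
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

check_min_version() {
  # $1 = lockfile, $2 = package, $3 = minimum acceptable version.
  # Returns 1 if the package is absent or any resolved entry is older than $3.
  rc=0
  versions=$(lock_version "$1" "$2")
  [ -n "$versions" ] || { echo "FAIL $2 not found in $1"; return 1; }
  for v in $versions; do
    if version_ge "$v" "$3"; then
      echo "ok   $2@$v >= $3 ($1)"
    else
      echo "FAIL $2@$v <  $3 ($1)"; rc=1
    fi
  done
  return $rc
}

make_sample_lock() {
  # Constructed yarn.lock v1 excerpt for the demo; not a real lockfile.
  # fast-xml-parser has two entries: a leftover transitive 4.4.1 and the new 5.5.8.
  f=$(mktemp)
  cat > "$f" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@aws-sdk/client-bedrock-runtime@^3.1023.0":
  version "3.1023.0"
  resolved "https://registry.yarnpkg.com/@aws-sdk/client-bedrock-runtime/-/client-bedrock-runtime-3.1023.0.tgz"

fast-xml-parser@4.4.1:
  version "4.4.1"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.4.1.tgz"

fast-xml-parser@^5.5.8:
  version "5.5.8"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz"

jws@^3.2.2, jws@^4.0.0:
  version "4.0.1"
  resolved "https://registry.yarnpkg.com/jws/-/jws-4.0.1.tgz"
EOF
  echo "$f"
}

# Demo over the constructed lockfile; set LOCKCHECK_NO_DEMO=1 when sourcing for reuse.
if [ -z "${LOCKCHECK_NO_DEMO:-}" ]; then
  demo=$(make_sample_lock)
  check_min_version "$demo" jws 4.0.1
  check_min_version "$demo" fast-xml-parser 5.5.8 || true   # fails: 4.4.1 still resolved
  rm -f "$demo"
fi
```

Against the real tree the same functions apply directly, for example `check_min_version packages/bedrock-sdk/yarn.lock fast-xml-parser 5.5.8` and `check_min_version packages/vertex-sdk/yarn.lock jws 4.0.1`; a non-zero exit means an older entry survived the regeneration and the scanner result should be re-examined rather than trusted.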

lokinhh requested a review from a team as a code owner April 3, 2026 09:49