diff --git a/.yarnrc.yml b/.yarnrc.yml
index 8c7e7b89b349b5..d91cf2aa7d1521 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -4,10 +4,4 @@ enableGlobalCache: false
 
 nodeLinker: node-modules
 
-# fast-xml-parser 4.4.1 via @boxyhq/saml-jackson → @aws-sdk/core@3.816.0 (transitive).
-# Only parses trusted AWS API responses, not user input. No practical attack vector.
-# Upstream fix pending: ory/polis (saml-jackson) has bumped to @aws-sdk@3.994.0 on main but hasn't released yet.
-npmAuditIgnoreAdvisories:
-  - "1113407"
-
 yarnPath: .yarn/releases/yarn-4.12.0.cjs
diff --git a/package.json b/package.json
index 34930499afd046..fbe6972e66d24f 100644
--- a/package.json
+++ b/package.json
@@ -158,7 +158,8 @@
     "tar": "7.5.7",
     "lodash": "4.17.23",
     "lodash-es": "4.17.23",
-    "@lingo.dev/_compiler/fast-xml-parser": "5.3.5"
+    "@lingo.dev/_compiler/fast-xml-parser": "5.3.5",
+    "fast-xml-parser": "4.5.4"
   },
   "packageExtensions": {
     "ink@3.2.0": {
diff --git a/yarn.lock b/yarn.lock
index beb88899811300..8ab730d1d3c1e8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -22693,14 +22693,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fast-xml-parser@npm:4.4.1":
-  version: 4.4.1
-  resolution: "fast-xml-parser@npm:4.4.1"
+"fast-xml-parser@npm:4.5.4":
+  version: 4.5.4
+  resolution: "fast-xml-parser@npm:4.5.4"
   dependencies:
     strnum: "npm:^1.0.5"
   bin:
     fxparser: src/cli/cli.js
-  checksum: 10/0c05ab8703630d8c857fafadbd78d0020d3a8e54310c3842179cd4a0d9d97e96d209ce885e91241f4aa9dd8dfc2fd924a682741a423d65153cad34da2032ec44
+  checksum: 10/991f11a15d82be778c3452e5f1109975d66276bb951ba4db87417507da15d0b1c09d15a4e4db15a216cf3315b4325f66ff3b7f9b7557d6a2055103755fb39cce
   languageName: node
   linkType: hard