Bump Dependency On xml2js to Prevent Prototype Pollution

[Kurt-von-Laven]

Package Version: 2.6.4

• nodejs
  • nodejs version: All
  • os name/version: All
• browser
  • name/version: All

Describe the bug
xml2js <= 0.4.23 contains a recently disclosed high severity security vulnerability. No patched version is available, and xml2js has not seen a release since 2019. The issue in xml2js is Leonidas-from-XIV/node-xml2js#663.

To Reproduce
Steps to reproduce the behavior:

1. Add a dependency on @azure/ms-rest-js.
2. Run yarn npm audit --all --recursive, or the equivalent command in your chosen package manager.

Expected behavior
No security vulnerabilities are detected.

Additional context
I suspect other @azure packages also depend on xml2js.

[Kurt-von-Laven]

xml2js 0.5.0 has been released, and the upstream issue has been closed as fixed, so a bump is probably all that is needed.

[jeremymeng]

v2.6.6 has been release with the fix from PR #481