aws-cdk: unmaintained transitive dependency with critical vulnerabilities #26417
Comments
A fix has been released in proxy-agent v6.3.0. Upgrading aws-cdk/packages/aws-cdk/package.json (line 114 in 357bc01)
Thanks for telling us about this. I'm surprised Dependabot didn't tell us about it. Tagging @aws/aws-cdk-owners for viz: Dependabot didn't catch this, it looks like.
Thanks for the report! I'll get this in for the next release.
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date. Closes #26417
Describe the bug
The AWS CDK has a transitive dependency on the vm2 library:
aws-cdk → proxy-agent → pac-proxy-agent → pac-resolver → degenerator → vm2
This library is no longer maintained, as noted on the GitHub repository:
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F
It also has unpatched critical security issues, for example: CVE-2023-37466
Expected Behavior
yarn audit reports no critical vulnerabilities.
Current Behavior
yarn audit reports 4 critical vulnerabilities, all on the vm2 library.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Typescript
Language Version
No response
Other information
No response
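The report above hinges on two things a CI pipeline should catch on its own: a critical advisory on a package that is five hops deep, and the fact that the only thing the reporter can act on is the first hop (aws-cdk). The following is an added example, not code from the aws-cdk project or from anyone in this thread: a small gate that consumes the newline-delimited JSON that `yarn audit --json` (yarn classic) writes, keeps every finding at or above a severity threshold, and prints the transitive path plus the direct dependency to bump. The record shape it expects (`type: "auditAdvisory"` with `data.advisory.{module_name, severity, cves, patched_versions, findings[].paths}`) is my reading of yarn classic's output and should be checked against the yarn version in use; the function names (`parseAuditLines`, `atOrAbove`, `directDependency`, `formatReport`, `gate`) are mine, and the sample audit lines, including the installed version number and the placeholder package `example-pkg`, are constructed rather than captured.

```typescript
// Added example for this issue; not code from the aws-cdk project.
// Parses `yarn audit --json` (yarn classic, NDJSON) into findings with their
// transitive paths and decides whether CI should fail. The record shape below is
// an assumption about yarn classic's output; verify it against your yarn version.

type Severity = "info" | "low" | "moderate" | "high" | "critical";

const SEVERITY_RANK: Record<Severity, number> = {
  info: 0, low: 1, moderate: 2, high: 3, critical: 4,
};

export interface Finding {
  module: string;    // vulnerable package, e.g. "vm2"
  severity: Severity;
  cves: string[];
  version: string;   // installed version of the vulnerable package
  path: string[];    // direct dependency first, vulnerable package last
  patched: string;   // semver range of fixed releases; "<0.0.0" means none exist
}

interface AuditRecord {
  type?: string;
  data?: {
    advisory?: {
      module_name: string;
      severity: Severity;
      cves: string[];
      patched_versions: string;
      findings: { version: string; paths: string[] }[];
    };
  };
}

// Skip lines that are not JSON or not advisories instead of aborting, because
// yarn interleaves progress output with the audit records.
export function parseAuditLines(ndjson: string): Finding[] {
  const out: Finding[] = [];
  for (const raw of ndjson.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let rec: AuditRecord | undefined;
    try { rec = JSON.parse(line) as AuditRecord; } catch { rec = undefined; }
    if (!rec || rec.type !== "auditAdvisory" || !rec.data?.advisory) continue;
    const adv = rec.data.advisory;
    for (const f of adv.findings) {
      for (const p of f.paths) {
        out.push({
          module: adv.module_name, severity: adv.severity, cves: adv.cves,
          version: f.version, path: p.split(">"), patched: adv.patched_versions,
        });
      }
    }
  }
  return out;
}

export function atOrAbove(findings: Finding[], threshold: Severity): Finding[] {
  return findings.filter(f => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}

// The only package you can pin or bump in your own package.json is the first
// hop; every later hop is chosen by the package before it.
export function directDependency(f: Finding): string {
  return f.path[0];
}

export function formatReport(findings: Finding[]): string {
  return findings.map(f => {
    const fix = f.patched === "<0.0.0" ? "no fixed release" : `fixed in ${f.patched}`;
    return `${f.severity.toUpperCase()} ${f.module}@${f.version} [${f.cves.join(", ") || "no CVE"}] ` +
      `(${fix}) via ${f.path.join(" > ")}; bump or replace ${directDependency(f)}`;
  }).join("\n");
}

// CI gate: fail when any finding meets the threshold, direct or transitive.
export function gate(ndjson: string, threshold: Severity = "high"): { ok: boolean; report: string } {
  const hits = atOrAbove(parseAuditLines(ndjson), threshold);
  return { ok: hits.length === 0, report: formatReport(hits) };
}

// Constructed sample mirroring this issue (not captured yarn output). The
// moderate advisory on the placeholder "example-pkg" is made up, included only
// to exercise the threshold filter.
export const SAMPLE_AUDIT = [
  JSON.stringify({ type: "auditAdvisory", data: { advisory: {
    module_name: "vm2", severity: "critical", cves: ["CVE-2023-37466"],
    patched_versions: "<0.0.0",
    findings: [{ version: "3.9.19", paths: ["aws-cdk>proxy-agent>pac-proxy-agent>pac-resolver>degenerator>vm2"] }],
  } } }),
  JSON.stringify({ type: "auditAdvisory", data: { advisory: {
    module_name: "example-pkg", severity: "moderate", cves: [],
    patched_versions: ">=2.0.0",
    findings: [{ version: "1.4.0", paths: ["example-pkg"] }],
  } } }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1 } } }),
].join("\n");

const result = gate(SAMPLE_AUDIT, "critical");
console.log(result.ok ? "audit clean" : result.report);
```

Run it as `yarn audit --json | tee audit.ndjson` followed by a call to `gate(readFileSync("audit.ndjson", "utf8"))` and a non-zero exit when `ok` is false. Dependabot only alerts on manifests it can see, so a gate like this, run on the resolved lockfile, is what catches a finding that lives several hops below a direct dependency; the report's last clause names the package whose bump (here, the proxy-agent release noted in the comments) actually removes the path.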