aws-cdk: unmaintained transitive dependency with critical vulnerabilities #26417
Labels
bug
This issue is a bug.
dependencies
This issue is a problem in a dependency or a pull request that updates a dependency file.
p1
package/tools
Related to AWS CDK Tools or CLI
SECURITY
Comments
orien
added
bug
|
A fix has been released in proxy-agent v6.3.0. Upgrading aws-cdk/packages/aws-cdk/package.json Line 114 in 357bc01 |
indrora
added
SECURITY
dependencies
|
Thanks for telling us about this. I'm surprised Dependabot didn't tell us about it. tagging @aws/aws-cdk-owners for viz : Dependabot didn't catch this it looks like. |
|
Thanks for the report! I'll get this in for the next release. |
mergify bot
pushed a commit
that referenced
this issue
Jul 20, 2023
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date. Closes #26417
|
bmoffatt
pushed a commit
to bmoffatt/aws-cdk
that referenced
this issue
Jul 29, 2023
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date. Closes aws#26417
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The AWS CDK has a transitive dependency on the
vm2library.aws-cdk→proxy-agent→pac-proxy-agent→pac-resolver→degenerator→vm2This library is no-longer maintained, as noted on the GitHub repository:
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F
It also has unpatched critical security issues, for example: CVE-2023-37466
Expected Behavior
yarn auditreports no critical vulnerabilities.Current Behavior
yarn auditreports 4 critical vulnerabilities, all on thevm2library.Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: