deps(dependencies): Address high-severity vulnerabilities by updating dependencies (aws#5511)

## Problem

The aws-toolkit-vscode repository has several high-severity vulnerabilities in its dependencies, as identified by the npm audit command. These vulnerabilities, if left unaddressed, could pose a security risk to users of the AWS Toolkit for VS Code extension. The vulnerabilities include:

- elliptic package versions 2.0.0 to 6.5.6 have multiple vulnerabilities related to EDDSA, ECDSA, and BER-encoded signatures.
- es5-ext package versions 0.10.1 to 0.10.62 are vulnerable to Regular Expression Denial of Service (ReDOS) in the function#copy and function#toStringTokens functions.
- fast-xml-parser package versions prior to 4.4.1 are vulnerable to ReDOS at currency parsing.

## Solution

To address these high-severity vulnerabilities, this pull request updates the dependencies in the aws-toolkit-vscode repository:

- The elliptic package is upgraded from version 6.5.3 to 6.5.4 to address the EDDSA, ECDSA, and BER-encoded signatures vulnerabilities.
- The es5-ext package is upgraded from version 0.10.53 to 0.10.62 to address the ReDOS vulnerability in the function#copy and function#toStringTokens functions.
- The fast-xml-parser package is upgraded from version 3.19.0 to 4.4.1 to address the ReDOS vulnerability at currency parsing.

## Implementation Details:

By updating the following top level dependencies, the underlying transitive dependencies with the vulnerabilities were updated to a safe version:

- `@aws-sdk/client-cognito-identity`
- `@aws-sdk/client-lambda`

---

<!--- REMINDER: Ensure that your PR meets the guidelines in CONTRIBUTING.md -->

License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

Co-authored-by: Keen Wilson <[email protected]>