fast-xml-parser dependency has a vulnerability #6327

Closed
3 tasks done
Jish2 opened this issue Jul 29, 2024 · 3 comments · Fixed by #6330
Labels
feature-request New feature or enhancement. May require GitHub community feedback. p1 This is a high priority issue queued This issues is on the AWS team's backlog

Comments

@Jish2

Jish2 commented Jul 29, 2024

Checkboxes for prior research

Describe the bug

$ yarn audit --groups dependencies
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ fast-xml-parser vulnerable to ReDOS at currency parsing      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fast-xml-parser                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @aws-sdk/client-lambda                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @aws-sdk/client-lambda > @aws-sdk/core > fast-xml-parser     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098305                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

all

Reproduction Steps

Run npm audit

Observed Behavior

vulnerability present

Expected Behavior

no vulnerability present

Possible Solution

bump fast-xml-parser to patched version 4.4.1

Additional Information/Context

https://www.npmjs.com/advisories/1098305

@Jish2 Jish2 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2024
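The audit table above names the dependency path (`@aws-sdk/client-lambda > @aws-sdk/core > fast-xml-parser`) and the patched range (`>=4.4.1`). The script below is an added example, not code from this issue or from the AWS SDK: it walks a dependency tree shaped like `npm ls --all --json` output and reports every path that reaches a `fast-xml-parser` version older than 4.4.1, which is the check a team would run to confirm the bump actually landed in every transitive chain. The sample tree and its version numbers are constructed for illustration; the `compareVersions` and `findVulnerable` helpers are this example's own.

```javascript
// Added example (not from the aws-sdk-js-v3 issue or the SDK itself): walk an
// `npm ls --json`-style dependency tree and report every path that reaches a
// fast-xml-parser version older than the patched 4.4.1 named in the advisory.

// Constructed sample tree, shaped like `npm ls --all --json` output. The
// versions and the second dependency are made up for illustration; the first
// chain mirrors the path reported by `yarn audit` in the issue.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@aws-sdk/client-lambda': {
      version: '3.620.0',
      dependencies: {
        '@aws-sdk/core': {
          version: '3.620.0',
          dependencies: {
            'fast-xml-parser': { version: '4.2.5' },
          },
        },
      },
    },
    'some-other-lib': {
      version: '2.0.0',
      dependencies: {
        'fast-xml-parser': { version: '4.4.1' },
      },
    },
  },
};

// Minimal semver comparison on the numeric major.minor.patch core. Returns a
// negative, zero or positive number like a comparator. Pre-release suffixes
// are stripped rather than ordered, which is enough for published releases.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Recursively collect "a > b > c" paths to every instance of `pkg` whose
// version is below `patched`. Returns an array of { path, version } findings,
// so a hoisted copy and a nested copy are both reported with their own path.
function findVulnerable(tree, pkg, patched, trail = []) {
  const findings = [];
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = trail.concat(name);
    if (name === pkg && node.version && compareVersions(node.version, patched) < 0) {
      findings.push({ path: here.join(' > '), version: node.version });
    }
    findings.push(...findVulnerable(node, pkg, patched, here));
  }
  return findings;
}

// Run the check against the constructed sample and print each finding.
const results = findVulnerable(SAMPLE_TREE, 'fast-xml-parser', '4.4.1');
for (const r of results) {
  console.log(`fast-xml-parser ${r.version} (< 4.4.1) via ${r.path}`);
}
if (results.length === 0) console.log('no vulnerable fast-xml-parser found');
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json`; the version comparison is deliberately numeric so that `4.10.0` sorts after `4.9.0`, which a plain string comparison would get wrong.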
@knixeur

knixeur commented Jul 29, 2024

Fixed (or will be 😄) by #6326

@trivikr trivikr added queued This issues is on the AWS team's backlog p1 This is a high priority issue feature-request New feature or enhancement. May require GitHub community feedback. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Jul 29, 2024
@trivikr
Member

trivikr commented Jul 30, 2024

The new version https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.621.0 with updated version of fast-xml-parser is expected to release around 12:30 PM Pacific today (Tue, July 30th)


This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 14, 2024