Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-cdk-lib: unmaintained transitive dependency with critical vulnerabilities #26677

Closed
caseytoomey opened this issue Aug 9, 2023 · 3 comments
Closed

aws-cdk-lib: unmaintained transitive dependency with critical vulnerabilities #26677

caseytoomey opened this issue Aug 9, 2023 · 3 comments
Labels
aws-cdk-lib Related to the aws-cdk-lib package bug This issue is a bug. effort/small Small work item – less than a day of effort needs-review p1

Comments

@caseytoomey
Copy link

Describe the bug

Similar to this issue with aws-cdk: #26417

aws-cdk-lib has a dependency on @aws-cdk/asset-node-proxy-agent-v5, which includes a layer containing vm2. vm2 has critical vulnerabilities and is no longer maintained. This doesn't seem to get picked up by yarn or npm audit.

Not sure if this is the best spot for this issue but I wasn't able to directly create an issue for @aws-cdk/asset-node-proxy-agent-v5 on GitHub.

Expected Behavior

No usage of proxy-agent v5 / vm2.

Current Behavior

proxy-agent v5 is used which has reliance on the vulnerable vm2 package.

Reproduction Steps

n/a

Possible Solution

Update the asset to use proxy agent 6.3.0

Additional Information/Context

No response

CDK CLI Version

2.90.0

Framework Version

No response

Node.js Version

18

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response
@caseytoomey caseytoomey added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 9, 2023
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label Aug 9, 2023
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort needs-review and removed needs-triage This issue or PR still needs to be triaged. labels Aug 9, 2023
@haydster7
Copy link

haydster7 commented Aug 14, 2023
edited
Loading

Would be fixed by updating dependency to new release (3 days ago) node-proxy-agent-v6v2.0.1

@rix0rrr
Copy link
Contributor

rix0rrr commented Aug 14, 2023

Fixed by #26722

@rix0rrr rix0rrr closed this as completed Aug 14, 2023
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot mentioned this issue Sep 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aws-cdk-lib Related to the aws-cdk-lib package bug This issue is a bug. effort/small Small work item – less than a day of effort needs-review p1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rix0rrr @haydster7 @peterwoodworth @caseytoomey