From 485e011126108e2dd9206d895eab83c8056bc7c1 Mon Sep 17 00:00:00 2001 
From: Niranjan Jayakar
Date: Tue, 30 Mar 2021 12:56:07 +0100
Subject: [PATCH 1/4] chore: upgrade to netmask@2 (#13874)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
netmask@1 is affected by CVE-2021-28918 https://github.com/advisories/GHSA-pch5-whg9-qr2r
netmask is a dependency of the CDK via aws-cdk → proxy-agent@4.0.1 → pac-proxy-agent@4.1.0 → pac-resolver@4.1.0 → netmask@1.0.6
None of these dependencies have upgraded to netmask@2 as yet. Use yarn's [selective dependency resolution] to explicitly pick netmask@2. This upgrades yarn.lock and the CLI's npm-shrinkwrap.json.
With this fix, npm customers will no longer depend on netmask@2 transitively via the CDK. For yarn customers, there is no clean resolution since yarn does not respect the 'resolutions' key in dependencies' package.json and does not respect the shrinkwrap. The init templates now ship the 'resolutions' key so that new customers using yarn will be unaffected. A different solution has to be devised for existing customers on yarn.
[selective dependency resolution]: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 package.json | 4 +++-
 .../v1/app/javascript/package.template.json | 3 +++
 .../v1/app/typescript/package.template.json | 3 +++
 .../v1/lib/typescript/package.template.json | 3 +++
 .../v1/sample-app/javascript/package.template.json | 3 +++
 .../v1/sample-app/typescript/package.template.json | 3 +++
 .../v2/app/javascript/package.template.json | 3 +++
 .../v2/app/typescript/package.template.json | 3 +++
 .../v2/lib/typescript/package.template.json | 3 +++
 .../v2/sample-app/javascript/package.template.json | 3 +++
 .../v2/sample-app/typescript/package.template.json | 3 +++
 yarn.lock | 8 ++++----
 12 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 6dad27d90e51f..d4e3ecd04c1c1 100644
--- a/package.json
+++ b/package.json
@@ -25,8 +25,10 @@
 "standard-version": "^9.1.1",
 "typescript": "~3.9.9"
 },
- "resolutions-comment": "should be removed or reviewed when nodeunit dependency is dropped or adjusted",
+ "netmask-resolutions-comment": "transitive dep from proxy-agent@4.0.1. review when dependencies upgrade",
+ "tap-mocha-reporter-resolutions-comment": "should be removed or reviewed when nodeunit dependency is dropped or adjusted",
 "resolutions": {
+ "netmask": "2.0.1",
 "tap-mocha-reporter": "^5.0.1"
 },
 "repository": {
diff --git a/packages/aws-cdk/lib/init-templates/v1/app/javascript/package.template.json b/packages/aws-cdk/lib/init-templates/v1/app/javascript/package.template.json
index 5547dacf3a673..94fa701483337 100644
--- a/packages/aws-cdk/lib/init-templates/v1/app/javascript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v1/app/javascript/package.template.json
@@ -16,5 +16,8 @@
 },
 "dependencies": {
 "@aws-cdk/core": "%cdk-version%"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v1/app/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v1/app/typescript/package.template.json
index df89ae6a206bb..2ae2ecf430317 100644
--- a/packages/aws-cdk/lib/init-templates/v1/app/typescript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v1/app/typescript/package.template.json
@@ -23,5 +23,8 @@
 "dependencies": {
 "@aws-cdk/core": "%cdk-version%",
 "source-map-support": "^0.5.16"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v1/lib/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v1/lib/typescript/package.template.json
index 8d9ef219c74ca..04f72fb1387c1 100644
--- a/packages/aws-cdk/lib/init-templates/v1/lib/typescript/package.template.json
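Review bot: The added `"netmask": "2.0.1"` resolution is an exact pin, while the sibling `"tap-mocha-reporter": "^5.0.1"` in the same `resolutions` object uses a caret; an exact override means a later netmask 2.0.x release that fixes a further issue stays excluded until this file is edited again, whereas `"netmask": "^2.0.1"` keeps the same floor and leaves the exact version to yarn.lock. The same exact pin is repeated in all ten package.template.json hunks, where it is copied into every newly generated project and will outlive this advisory. In those templates `resolutions` is honoured only by yarn, so the key does nothing for npm users, who rely on the CLI's npm-shrinkwrap.json; the diffstat lists no change to that file, so it is presumably regenerated at build time, which the `netmask-resolutions-comment` value could state.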
+++ b/packages/aws-cdk/lib/init-templates/v1/lib/typescript/package.template.json
@@ -21,5 +21,8 @@
 },
 "dependencies": {
 "@aws-cdk/core": "%cdk-version%"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v1/sample-app/javascript/package.template.json b/packages/aws-cdk/lib/init-templates/v1/sample-app/javascript/package.template.json
index 7594be2ffb151..bf83cd9b9b0af 100644
--- a/packages/aws-cdk/lib/init-templates/v1/sample-app/javascript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v1/sample-app/javascript/package.template.json
@@ -19,5 +19,8 @@
 "@aws-cdk/aws-sns-subscriptions": "%cdk-version%",
 "@aws-cdk/aws-sqs": "%cdk-version%",
 "@aws-cdk/core": "%cdk-version%"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v1/sample-app/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v1/sample-app/typescript/package.template.json
index 98942aa31c167..558e796efb50a 100644
--- a/packages/aws-cdk/lib/init-templates/v1/sample-app/typescript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v1/sample-app/typescript/package.template.json
@@ -25,5 +25,8 @@
 "@aws-cdk/aws-sns-subscriptions": "%cdk-version%",
 "@aws-cdk/aws-sqs": "%cdk-version%",
 "@aws-cdk/core": "%cdk-version%"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v2/app/javascript/package.template.json b/packages/aws-cdk/lib/init-templates/v2/app/javascript/package.template.json
index 165f100d82429..d93d6ce796824 100644
--- a/packages/aws-cdk/lib/init-templates/v2/app/javascript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v2/app/javascript/package.template.json
@@ -16,5 +16,8 @@
 "dependencies": {
 "aws-cdk-lib": "%cdk-version%",
 "constructs": "^3.0.4"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v2/app/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v2/app/typescript/package.template.json
index c71e1aea5f5ae..363b3c58c9984 100644
--- a/packages/aws-cdk/lib/init-templates/v2/app/typescript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v2/app/typescript/package.template.json
@@ -23,5 +23,8 @@
 "aws-cdk-lib": "%cdk-version%",
 "constructs": "^3.0.4",
 "source-map-support": "^0.5.16"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v2/lib/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v2/lib/typescript/package.template.json
index f255ef76f1fb9..26ae2f022b3f5 100644
--- a/packages/aws-cdk/lib/init-templates/v2/lib/typescript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v2/lib/typescript/package.template.json
@@ -22,5 +22,8 @@
 "dependencies": {
 "aws-cdk-lib": "%cdk-version%",
 "constructs": "^3.0.4"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v2/sample-app/javascript/package.template.json b/packages/aws-cdk/lib/init-templates/v2/sample-app/javascript/package.template.json
index 165f100d82429..d93d6ce796824 100644
--- a/packages/aws-cdk/lib/init-templates/v2/sample-app/javascript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v2/sample-app/javascript/package.template.json
@@ -16,5 +16,8 @@
 "dependencies": {
 "aws-cdk-lib": "%cdk-version%",
 "constructs": "^3.0.4"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/packages/aws-cdk/lib/init-templates/v2/sample-app/typescript/package.template.json b/packages/aws-cdk/lib/init-templates/v2/sample-app/typescript/package.template.json
index 4b36fa55ec3ad..707672df12df9 100644
--- a/packages/aws-cdk/lib/init-templates/v2/sample-app/typescript/package.template.json
+++ b/packages/aws-cdk/lib/init-templates/v2/sample-app/typescript/package.template.json
@@ -22,5 +22,8 @@
 "dependencies": {
 "aws-cdk-lib": "%cdk-version%",
 "constructs": "^3.0.4"
+ },
+ "resolutions": {
+ "netmask": "2.0.1"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 44a1f4e1a85f6..11d022227b7d1 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6909,10 +6909,10 @@ nested-error-stacks@^2.0.0:
 resolved "https://registry.yarnpkg.com/nested-error-stacks/-/nested-error-stacks-2.1.0.tgz#0fbdcf3e13fe4994781280524f8b96b0cdff9c61"
 integrity sha512-AO81vsIO1k1sM4Zrd6Hu7regmJN1NSiAja10gc4bX3F0wd+9rQmcuHQaHVQCYIEC8iFXnE+mavh23GOt7wBgug==
 
-netmask@^1.0.6:
- version "1.0.6"
- resolved "https://registry.yarnpkg.com/netmask/-/netmask-1.0.6.tgz#20297e89d86f6f6400f250d9f4f6b4c1945fcd35"
- integrity sha1-ICl+idhvb2QA8lDZ9Pa0wZRfzTU=
+netmask@2.0.1, netmask@^1.0.6:
+ version "2.0.1"
+ resolved "https://registry.yarnpkg.com/netmask/-/netmask-2.0.1.tgz#5a5cbdcbb7b6de650870e15e83d3e9553a414cf4"
+ integrity sha512-gB8eG6ubxz67c7O2gaGiyWdRUIbH61q7anjgueDqCC9kvIs/b4CTtCMaQKeJbv1/Y7FT19I4zKwYmjnjInRQsg==
 
 nice-try@^1.0.4:
 version "1.0.5"
From 8bc046d9936e5504dc57c16a97bba816935c6956 Mon Sep 17 00:00:00 2001
From: NetaNir
Date: Tue, 30 Mar 2021 15:18:30 -0700
Subject: [PATCH 2/4] chore(release): 1.95.2
---
 CHANGELOG.md | 2 ++
 version.v1.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a949e3bfc65a..02350e34bcd33 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +### [1.95.2](https://github.com/aws/aws-cdk/compare/v1.95.1...v1.95.2) (2021-03-30) + ## [1.95.1](https://github.com/aws/aws-cdk/compare/v1.95.0...v1.95.1) (2021-03-25)
diff --git a/version.v1.json b/version.v1.json
index cf4c9c13cf1bc..80981e652a8d5 100644
--- a/version.v1.json
+++ b/version.v1.json
@@ -1,3 +1,3 @@
 {
- "version": "1.95.1"
+ "version": "1.95.2"
 }
From dc9387938b964b75496c5e1bd0a91cffbcd14c25 Mon Sep 17 00:00:00 2001
From: NetaNir
Date: Tue, 30 Mar 2021 15:23:03 -0700
Subject: [PATCH 3/4] changelog
---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 02350e34bcd33..cd050259cc1d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,10 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. -### [1.95.2](https://github.com/aws/aws-cdk/compare/v1.95.1...v1.95.2) (2021-03-30) +## [1.95.2](https://github.com/aws/aws-cdk/compare/v1.95.1...v1.95.2) (2021-03-30) +* upgrade `netmask` dependency to address [CVE-2021-28918](https://github.com/advisories/GHSA-pch5-whg9-qr2r) + ## [1.95.1](https://github.com/aws/aws-cdk/compare/v1.95.0...v1.95.1) (2021-03-25)
From ebb5c7af622ab36f46e58103608dfc025a21691a Mon Sep 17 00:00:00 2001
From: NetaNir
Date: Tue, 30 Mar 2021 15:31:27 -0700
Subject: [PATCH 4/4] add commit to changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd050259cc1d6..fdc020ee9a034 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file. See [standa ## [1.95.2](https://github.com/aws/aws-cdk/compare/v1.95.1...v1.95.2) (2021-03-30) -* upgrade `netmask` dependency to address [CVE-2021-28918](https://github.com/advisories/GHSA-pch5-whg9-qr2r) +* upgrade `netmask` dependency to address [CVE-2021-28918](https://github.com/advisories/GHSA-pch5-whg9-qr2r) ([#13874](https://github.com/aws/aws-cdk/pull/13874)) ([08de262](https://github.com/aws/aws-cdk/commit/08de26210e2a0f3a104da4afa42e8478f2d7d171)) ## [1.95.1](https://github.com/aws/aws-cdk/compare/v1.95.0...v1.95.1) (2021-03-25)