
Commit 715a5a2

fix: resolve high-severity npm audit vulnerabilities (#1184)
* fix: resolve high-severity npm audit vulnerabilities

  Run npm audit fix to address:
  - fast-xml-builder: attribute value quote bypass (high)
  - fast-uri: path traversal via percent-encoded dot segments (high, prod dep)
  - uuid: missing buffer bounds check (moderate)

  Remaining moderate vulnerabilities are in @aws-sdk transitive deps (fast-xml-parser < 5.7.0) which require upstream SDK updates.

* fix: remove stale fast-xml-parser and @aws-sdk/xml-builder overrides

  Both override conditions are now met by upstream:
  - @aws-sdk/xml-builder@3.972.22 pins fast-xml-parser@5.7.2
  - @aws-sdk/core@3.974.8 requires @aws-sdk/xml-builder ^3.972.22

  Removing the overrides allows the natural resolution to pick up the patched versions, clearing the remaining moderate advisory (GHSA-gh4j-gqv2-49f6, fast-xml-parser < 5.7.0).

  security:audit now reports 0 vulnerabilities (--omit=dev).
1 parent 7bf41dd commit 715a5a2
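The commit message's second point rests on the lockfile now resolving every copy of fast-xml-parser at or above 5.7.0 without an override forcing it. The script below is an added example, not code from this repository, that performs that check directly against a package-lock.json (lockfileVersion 2 or 3): it walks the "packages" map, collects every resolved copy of a named package (including nested node_modules copies), and flags those below a minimum version, optionally skipping dev-only entries to mirror `--omit=dev`. SAMPLE_LOCK and every version in it are constructed for the example (the nested 4.5.0 copy exists only to show a finding); the function names are the example's own.

```javascript
// Added example: find every resolved copy of a package in an npm lockfile and
// flag copies below a minimum version. SAMPLE_LOCK is constructed for this
// example; it is not the project's real package-lock.json.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/fast-xml-parser": { version: "5.7.2" },
    "node_modules/fast-uri": { version: "3.0.1" },
    "node_modules/@aws-sdk/xml-builder": { version: "3.972.22" },
    // A nested, older copy pulled in by a dev-only tool (constructed): a
    // prod-only scan ignores it, a full scan reports it.
    "node_modules/some-dev-tool/node_modules/fast-xml-parser": { version: "4.5.0", dev: true },
    "node_modules/uuid": { version: "9.0.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1. Pre-release tags are ignored.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of pkgName: the top-level node_modules entry plus any
// nested ".../node_modules/pkgName" entry. With omitDev, dev-only copies are
// skipped, matching what `npm audit --omit=dev` would consider.
function resolvedCopies(lock, pkgName, { omitDev = false } = {}) {
  const suffix = `node_modules/${pkgName}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (omitDev && entry.dev) continue;
    copies.push({ path, version: entry.version, dev: Boolean(entry.dev) });
  }
  return copies;
}

// Copies of pkgName resolved below minVersion.
function belowMinimum(lock, pkgName, minVersion, opts) {
  return resolvedCopies(lock, pkgName, opts)
    .filter((c) => compareSemver(c.version, minVersion) < 0);
}

// Check several packages at once; returns { pkgName: [violations...] } with
// only the packages that have at least one stale copy.
function auditLock(lock, minimums, opts) {
  const findings = {};
  for (const [pkgName, minVersion] of Object.entries(minimums)) {
    const bad = belowMinimum(lock, pkgName, minVersion, opts);
    if (bad.length > 0) findings[pkgName] = bad;
  }
  return findings;
}

// Minimums taken from the advisories named in the commit message.
const MINIMUMS = { "fast-xml-parser": "5.7.0", "@aws-sdk/xml-builder": "3.972.22" };

for (const omitDev of [false, true]) {
  const findings = auditLock(SAMPLE_LOCK, MINIMUMS, { omitDev });
  const label = omitDev ? "prod only" : "all deps";
  if (Object.keys(findings).length === 0) {
    console.log(`[${label}] no copies below minimum`);
  } else {
    for (const [pkg, copies] of Object.entries(findings)) {
      for (const c of copies) console.log(`[${label}] ${pkg}@${c.version} at ${c.path}`);
    }
  }
}
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Running both the full and the prod-only scan is deliberate: an override removal that is clean under `--omit=dev` can still leave an older copy under a dev tool, which is worth knowing even when it is not blocking.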

2 files changed

Lines changed: 66 additions & 40 deletions

File tree

package-lock.json

Lines changed: 66 additions & 36 deletions

package.json

Lines changed: 0 additions & 4 deletions
@@ -149,14 +149,10 @@
149149
},
150150
"overridesComments": {
151151
"minimatch": "GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74: minimatch 10.0.0-10.2.2 has ReDoS vulnerabilities. Multiple transitive deps (eslint, typescript-eslint, eslint-plugin-import, eslint-plugin-react, prettier-plugin-sort-imports, aws-cdk-lib) pin older versions. Remove this override once upstream packages update their minimatch dependency to >=10.2.3.",
152-
"fast-xml-parser": "GHSA-8gc5-j5rx-235r, GHSA-jp2q-39xq-3w4g: fast-xml-parser <=5.5.6 has entity expansion bypass (CVE-2026-33036, CVE-2026-33349). Transitive via @aws-sdk/xml-builder. Remove once @aws-sdk updates to fast-xml-parser >=5.5.7.",
153-
"@aws-sdk/xml-builder": "aws/aws-sdk-js-v3#7867: @aws-sdk/xml-builder <3.972.14 does not configure maxTotalExpansions on fast-xml-parser, causing 'Entity expansion limit exceeded' on large CloudFormation responses. Remove once @aws-sdk/client-* deps are bumped past 3.972.14.",
154152
"glob": "glob <12 is deprecated and emits npm install warnings (https://github.com/isaacs/node-glob). Pulled in transitively via archiver-utils@5.0.2 (latest), which still pins glob@^10.0.0. archiver-utils only uses glob.sync(pattern, options), which remains compatible in glob@13. Remove this override once archiver-utils updates its glob dependency."
155153
},
156154
"overrides": {
157155
"minimatch": "10.2.4",
158-
"fast-xml-parser": "5.5.7",
159-
"@aws-sdk/xml-builder": "3.972.15",
160156
"glob": "^13.0.0"
161157
},
162158
"engines": {
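Review bot: dropping the "fast-xml-parser" and "@aws-sdk/xml-builder" overrides (old lines 158-159) removes the only constraint in package.json that kept fast-xml-parser at or above 5.5.7 and xml-builder at or above 3.972.15; per the commit message the fix now comes from @aws-sdk/xml-builder@3.972.22 pinning fast-xml-parser@5.7.2, but that guarantee lives only in package-lock.json, whose diff is collapsed here and not reviewable in this view. Suggest recording the minimum versions being relied on somewhere that survives a lockfile regeneration, for example a line in "overridesComments" noting "fast-xml-parser must stay >=5.7.0 (GHSA-gh4j-gqv2-49f6); enforced by security:audit --omit=dev", and making that script a required check so a later @aws-sdk bump cannot silently resolve an older copy. The removed xml-builder comment also documented the maxTotalExpansions behaviour from aws/aws-sdk-js-v3#7867; it would help a future reader to keep a one-line pointer to that issue since the reason the 3.972.14 floor exists is otherwise lost from the file.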
