Upgrade aws-cdk-lib to 2.253.1 for security vulnerabilities#6913

Merged
dlvenable merged 1 commit into opensearch-project:main from Davidding4718:fix/upgrade-cdk-lib-security-vulnerabilities on Jun 11, 2026

Conversation

@Davidding4718 (Contributor)

Description

Upgrade aws-cdk-lib from 2.248.0/2.247.0 to 2.253.1 in both release/staging-resources-cdk and testing/aws-testing-cdk to address transitive dependency vulnerabilities.

Vulnerabilities Addressed

| CVE | Severity | Dependency | Details |
| --- | --- | --- | --- |
| CVE-2026-6322 | High (7.5) | fast-uri | Host confusion via percent-encoded authority delimiters |
| CVE-2026-6321 | High (7.5) | fast-uri | Path traversal via percent-encoded dot segments |
| CVE-2026-45149 | Medium (6.5) | brace-expansion | DoS via large numeric ranges bypassing max limit |

Issues Resolved

Resolves #6903

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Siqi Ding <dingdd@amazon.com>
@dlvenable dlvenable merged commit 726b5d3 into opensearch-project:main Jun 11, 2026
72 of 74 checks passed


Linked issue closed by this merge: aws-cdk-lib-2.248.0.tgz: 3 vulnerabilities (highest severity is: 7.5)