Dependency Range Issue in npm audit fix #4847

Closed
3 tasks done
musabibnusiraj opened this issue Jun 16, 2023 · 9 comments
Labels
bug This issue is a bug. needs-review This issue/pr needs review from an internal developer. p2 This is a standard priority issue

Comments

@musabibnusiraj

musabibnusiraj commented Jun 16, 2023

Checkboxes for prior research

Describe the bug

When running the npm audit fix --force command, the following error is encountered:

fix available via `npm audit fix --force`
Will install @aws-sdk/[email protected], which is outside the stated dependency range
node_modules/fast-xml-parser
  @aws-sdk/client-s3  <=3.6.2 || 3.7.0 - 3.347.0
  Depends on vulnerable versions of @aws-sdk/client-sts
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/client-s3
  @aws-sdk/client-sts  <=3.54.1 || 3.55.0 - 3.186.1 || 3.188.0 - 3.335.0 || 3.337.0 - 3.347.0
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/client-sts
    @aws-sdk/client-secrets-manager  3.12.0 - 3.347.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/@aws-sdk/client-secrets-manager

SDK version number

"@aws-sdk/client-s3": "^3.353.0"
"@aws-sdk/client-secrets-manager": "^3.353.0"
"@aws-sdk/s3-request-presigner": "^3.353.0"

Observed Behavior

npm audit fix --force


package.json

"dependencies": {
    "@aws-sdk/client-s3": "^3.353.0",
    "@aws-sdk/client-secrets-manager": "^3.353.0",
    "@aws-sdk/s3-request-presigner": "^3.353.0"
}

Steps to Reproduce:

Run npm audit fix --force command.

Expected Behavior:

The npm audit fix command should resolve vulnerabilities and install dependencies within the specified range.

Actual Behavior:

The command attempts to install @aws-sdk/[email protected], which is not within the allowed dependency range.

Affected Packages:

@aws-sdk/[email protected]
fast-xml-parser

Dependency Range Violations:

@aws-sdk/client-secrets-manager: Allowed range is 3.12.0 - 3.347.0, but 3.353.0 is being installed.
@aws-sdk/client-s3: Allowed range is <=3.6.2 || 3.7.0 - 3.347.0, but dependency on @aws-sdk/client-sts violates this range.
@aws-sdk/client-sts: Allowed range is <=3.54.1 || 3.55.0 - 3.186.1 || 3.188.0 - 3.335.0 || 3.337.0 - 3.347.0, but dependency on fast-xml-parser violates this range.
@musabibnusiraj musabibnusiraj added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 16, 2023
@MixMasterT

MixMasterT commented Jun 16, 2023

I'm also struggling with this.

I looked into my package-lock.json file, and the details in the console after running npm audit fix.

It looks like the offending nested dependency is fast-xml-parser, but that appears to be fixed in v4.2.4, which is the version in my package-lock file.

So it looks like this could possibly be a false-positive coming from npm.

And I am not sure if this is at all related, but there appears to be an out-of-order release (a few back) that is listed as version 3.6.3 despite the current latest being 3.353.1.

Also, the output of npm audit shows 3 "low" vulnerabilities for 3.353.0, and three "high" vulnerabilities for v3.353.1, but with the same cause (coming from fast-xml-parser). This seems odd.

@borfig

borfig commented Jun 17, 2023

The fast-xml-parser dependency has:

Therefore we must wait for fast-xml-parser to issue a fix and then aws-sdk-js-v3 to update the dependency.

@musabibnusiraj musabibnusiraj changed the title Audit Error Dependency Range Issue in npm audit fix Jun 17, 2023
@vivek-mahajan-xero

Any updates on it?

@fernandopioli

I've noticed that anyone opened an issue in the lib "fast-xml-parser". Should we do that?

@RanVaknin RanVaknin self-assigned this Jun 19, 2023
@RanVaknin
Contributor

Hi @borfig @vivek-mahajan-xero @fernandopioli @MixMasterT @musabibnsiraj ,
The latest version of the SDK uses the most up to date version of fast-xml-parser (4.2.4). The use case for this dependency is parsing xml responses, and since the SDK uses HTTPS, "man in the middle" attack is unlikely.

That being said we can take a look and see if there's anything we can do on our end.

Thanks,
Ran~

@RanVaknin RanVaknin added needs-review This issue/pr needs review from an internal developer. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jun 19, 2023
@david-robinson-practiceweb

Looks like there is an upstream issue for the advisory
NaturalIntelligence/fast-xml-parser#591
It appears that the high security issue was fixed as part of GHSA-6w63-h3fj-q4vw
but then the new advisory GHSA-gpv5-7x3g-ghjv was raised due to the validation method used in the fix.

@fernandopioli

The fast-xml-parser maintainer is not responding to the thread in the repo (it's been 2 days). How should AWS handle this?
Thanks

@david-robinson-practiceweb

It looks like fast-xml-parser 4.2.5 has been released now https://www.npmjs.com/package/fast-xml-parser/v/4.2.5

@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 25, 2023