
fast-xml-parser dependency has a vulnerability #4870

Closed
3 tasks done
jdforsythe opened this issue Jun 22, 2023 · 5 comments
Labels
bug This issue is a bug. p1 This is a high priority issue queued This issues is on the AWS team's backlog SECURITY SECURITY ISSUE

Comments

@jdforsythe

Checkboxes for prior research

Describe the bug

$ yarn audit --groups dependencies
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ fast-xml-parser regex vulnerability patch could be improved  │
│               │ from a safety perspective                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fast-xml-parser                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @aws-sdk/client-s3                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @aws-sdk/client-s3 > fast-xml-parser                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092278                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ fast-xml-parser regex vulnerability patch could be improved  │
│               │ from a safety perspective                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fast-xml-parser                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @aws-sdk/client-s3                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @aws-sdk/client-s3 > @aws-sdk/client-sts > fast-xml-parser   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092278                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

SDK version number

@aws-sdk/client-s3@3.357.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

all

Reproduction Steps

Run npm audit

Observed Behavior

vulnerability present

Expected Behavior

no vulnerability present

Possible Solution

No patch appears to be available yet. Track fast-xml-parser for an update.

Additional Information/Context

https://www.npmjs.com/advisories/1092278

@bkaws @RanVaknin here we go again!

I did double-check this time, and v3.357.0 is the newest version.

@jdforsythe jdforsythe added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 22, 2023
@jdforsythe
Author

Tracking issue: NaturalIntelligence/fast-xml-parser#591

@aaleksandrov

fast-xml-parser author has just published a fixed version v 4.2.5
https://www.npmjs.com/package/fast-xml-parser

@yenfryherrerafeliz
Contributor

Hi @jdforsythe, thanks for reporting this. We are currently working on getting a patch for this.

Thanks!

@yenfryherrerafeliz yenfryherrerafeliz added SECURITY SECURITY ISSUE p1 This is a high priority issue queued This issues is on the AWS team's backlog and removed needs-triage This issue or PR still needs to be triaged. labels Jun 22, 2023
@yenfryherrerafeliz yenfryherrerafeliz self-assigned this Jun 22, 2023
@kuhe kuhe self-assigned this Jun 23, 2023
@kuhe
Contributor

kuhe commented Jun 23, 2023

fast-xml-parser dependency is set to 4.2.5 in the following released version:
https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.359.0

@kuhe kuhe closed this as completed Jun 23, 2023
@github-actions

github-actions bot commented Jul 8, 2023

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 8, 2023