Closed
Labels
closed-for-staleness, p1 (This is a high priority issue), third-party (This issue is related to third-party libraries or applications.)
Description
Checkboxes for prior research
- I've gone through Developer Guide and API reference
- I've checked AWS Forums and StackOverflow.
- I've searched for previous similar issues and didn't find any solution.
Describe the bug
Hello,
We are currently using @aws-sdk/client-s3 version 3.980.0, which depends on @aws-sdk/xml-builder internally. This library imports fast-xml-parser version 5.2.5, which contains a known vulnerability listed here: GHSA-37qj-frw5-hhjh. This issue is fixed in version 5.3.4.
Would it be possible to update to this newer version to address the vulnerability?
Regression Issue
- Select this option if this issue appears to be a regression.
SDK version number
@aws-sdk/client-s3@3.980.0, @aws-sdk/xml-builder@3.972.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
22.12.0
Reproduction Steps
Run `npm audit` on the project. Getting:

```
fast-xml-parser has RangeError DoS Numeric Entities Bug - https://github.com/advisories/GHSA-37qj-frw5-hhjh
fix available via `npm audit fix`
node_modules/fast-xml-parser
@aws-sdk/xml-builder >=3.894.0
Depends on vulnerable versions of fast-xml-parser
node_modules/@aws-sdk/xml-builder
@aws-sdk/core >=3.894.0
Depends on vulnerable versions of @aws-sdk/xml-builder
node_modules/@aws-sdk/core
@aws-sdk/client-s3 >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/credential-provider-node
Depends on vulnerable versions of @aws-sdk/middleware-flexible-checksums
Depends on vulnerable versions of @aws-sdk/middleware-sdk-s3
Depends on vulnerable versions of @aws-sdk/middleware-user-agent
Depends on vulnerable versions of @aws-sdk/signature-v4-multi-region
Depends on vulnerable versions of @aws-sdk/util-user-agent-node
node_modules/@aws-sdk/client-s3
@aws-sdk/client-sso >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/middleware-user-agent
Depends on vulnerable versions of @aws-sdk/util-user-agent-node
node_modules/@aws-sdk/client-sso
@aws-sdk/credential-provider-env >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/credential-provider-env
@aws-sdk/credential-provider-http >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/credential-provider-http
@aws-sdk/credential-provider-node >=3.894.0
Depends on vulnerable versions of @aws-sdk/credential-provider-env
Depends on vulnerable versions of @aws-sdk/credential-provider-http
Depends on vulnerable versions of @aws-sdk/credential-provider-ini
Depends on vulnerable versions of @aws-sdk/credential-provider-process
Depends on vulnerable versions of @aws-sdk/credential-provider-sso
Depends on vulnerable versions of @aws-sdk/credential-provider-web-identity
node_modules/@aws-sdk/credential-provider-node
@aws-sdk/credential-provider-ini >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/credential-provider-env
Depends on vulnerable versions of @aws-sdk/credential-provider-http
Depends on vulnerable versions of @aws-sdk/credential-provider-login
Depends on vulnerable versions of @aws-sdk/credential-provider-process
Depends on vulnerable versions of @aws-sdk/credential-provider-sso
Depends on vulnerable versions of @aws-sdk/credential-provider-web-identity
Depends on vulnerable versions of @aws-sdk/nested-clients
node_modules/@aws-sdk/credential-provider-ini
@aws-sdk/credential-provider-login *
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/nested-clients
node_modules/@aws-sdk/credential-provider-login
@aws-sdk/credential-provider-process >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/credential-provider-process
@aws-sdk/credential-provider-sso >=3.894.0
Depends on vulnerable versions of @aws-sdk/client-sso
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/token-providers
node_modules/@aws-sdk/credential-provider-sso
@aws-sdk/credential-provider-web-identity >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/nested-clients
node_modules/@aws-sdk/credential-provider-web-identity
@aws-sdk/middleware-flexible-checksums >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/middleware-flexible-checksums
@aws-sdk/middleware-sdk-s3 >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/middleware-sdk-s3
@aws-sdk/signature-v4-multi-region >=3.894.0
Depends on vulnerable versions of @aws-sdk/middleware-sdk-s3
node_modules/@aws-sdk/signature-v4-multi-region
@aws-sdk/middleware-user-agent >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
node_modules/@aws-sdk/middleware-user-agent
@aws-sdk/util-user-agent-node >=3.894.0
Depends on vulnerable versions of @aws-sdk/middleware-user-agent
node_modules/@aws-sdk/util-user-agent-node
@aws-sdk/nested-clients >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/middleware-user-agent
Depends on vulnerable versions of @aws-sdk/util-user-agent-node
node_modules/@aws-sdk/nested-clients
@aws-sdk/token-providers >=3.894.0
Depends on vulnerable versions of @aws-sdk/core
Depends on vulnerable versions of @aws-sdk/nested-clients
node_modules/@aws-sdk/token-providers
```
Observed Behavior
This is failing for the latest version.
Expected Behavior
No vulnerability issues.
Possible Solution
Update the version of fast-xml-parser
Additional Information/Context
No response