
Commit 134d721

fix(runtimes): replace mac-ca with native macOS certificate reading (#736)
Remove mac-ca dependency to eliminate transitive undici vulnerability (CVE-2026-22036). Replace with direct calls to macOS security command, which is the same approach mac-ca used internally. This ensures downstream consumers no longer inherit the vulnerable `undici@6.x` dependency through mac-ca.

## Problem

`mac-ca@3.1.3` depends on `undici@^6.16.1`, which resolves to `undici@6.22.0` containing CVE-2026-22036 (rated "Strong Negative" by AWS SAS Vendor Guidance). The `overrides` fix in PR #734 only works within this monorepo — npm overrides do not propagate to downstream consumers. So any package that depends on `@aws/language-server-runtimes` (e.g. ECS Console) still gets the vulnerable `undici@6.22.0` through `mac-ca`.

Additionally, `mac-ca` has no newer release that bumps `undici`, and the maintainer has not addressed this.

## Solution

Replace `mac-ca` with direct calls to the macOS `/usr/bin/security find-certificate` command using Node.js built-in `child_process.spawnSync`. This is the exact same approach `mac-ca` uses internally — we only used its `.get()` method, which is a thin wrapper around that system command.

Changes:

- `runtimes/runtimes/util/standalone/certificatesReaders.ts` — replaced `require('mac-ca')` with native `spawnSync` calls
- `runtimes/package.json` — removed `mac-ca` from dependencies
- `package.json` — removed the `mac-ca` override (no longer needed)
- `package-lock.json` — regenerated

This completely removes `undici` from the dependency tree, fixing the CVE for all downstream consumers.

Testing:

- `npm run compile` ✅
- `npm run test` — 33/33 passing ✅
- `npm run check:formatting` ✅
- `npm list undici` — empty (confirmed removed) ✅
- All git hooks (pre-commit formatting, commitlint, pre-push) passed ✅

## License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
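The approach the commit describes, reading keychain certificates with `spawnSync` on `/usr/bin/security find-certificate -a -p` instead of through `mac-ca`, as an added example that is not the project's `certificatesReaders.ts`. The keychain paths, the `readMacCertificates` name and the sample output are assumptions for illustration; the reader returns an empty list rather than throwing when the command is unavailable or fails, so a missing keychain does not take down the host process.

```typescript
import { spawnSync } from 'node:child_process'

// Keychains to query (assumed paths; confirm they exist on the target macOS version).
export const KEYCHAINS: readonly string[] = [
    '/System/Library/Keychains/SystemRootCertificates.keychain',
    '/Library/Keychains/System.keychain',
]

// `security find-certificate -a -p` prints every certificate as a PEM block, one after another.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g

/** Split concatenated PEM output into one normalized entry per certificate, dropping exact duplicates. */
export function splitPemCertificates(pemText: string): string[] {
    const seen = new Set<string>()
    const certs: string[] = []
    for (const block of pemText.match(PEM_BLOCK) ?? []) {
        const normalized = block.replace(/\r\n/g, '\n').trim()
        if (!seen.has(normalized)) {
            seen.add(normalized)
            certs.push(normalized)
        }
    }
    return certs
}

/** Read one keychain via the system `security` binary; [] on non-macOS hosts or on command failure. */
export function readKeychainCertificates(keychain: string): string[] {
    if (process.platform !== 'darwin') return []
    const result = spawnSync('/usr/bin/security', ['find-certificate', '-a', '-p', keychain], {
        encoding: 'utf8',
        maxBuffer: 16 * 1024 * 1024, // large root stores exceed the 1 MiB default
    })
    if (result.error || result.status !== 0) return []
    return splitPemCertificates(result.stdout)
}

/** Merge all keychains into a single de-duplicated list suitable for a TLS `ca` option. */
export function readMacCertificates(): string[] {
    let combined = ''
    for (const keychain of KEYCHAINS) combined += readKeychainCertificates(keychain).join('\n') + '\n'
    return splitPemCertificates(combined)
}

// Constructed sample of the command's output: two certificates, the second one repeated, plus stray text.
export const SAMPLE_OUTPUT = [
    '-----BEGIN CERTIFICATE-----\r\nMIIBsampleAAAA\r\n-----END CERTIFICATE-----',
    'unrelated line the parser must ignore',
    '-----BEGIN CERTIFICATE-----\nMIIBsampleBBBB\n-----END CERTIFICATE-----',
    '-----BEGIN CERTIFICATE-----\nMIIBsampleBBBB\n-----END CERTIFICATE-----',
].join('\n')
```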
1 parent 93f11cb commit 134d721

File tree

4 files changed

+169
-859
lines changed

