
Commit 7330f78

keenwilson and Keen Wilson authored
deps(dependencies): Address high-severity vulnerabilities by updating dependencies (aws#5511)
## Problem

The aws-toolkit-vscode repository has several high-severity vulnerabilities in its dependencies, as identified by the npm audit command. These vulnerabilities, if left unaddressed, could pose a security risk to users of the AWS Toolkit for VS Code extension. The vulnerabilities include:

- elliptic package versions 2.0.0 to 6.5.6 have multiple vulnerabilities related to EDDSA, ECDSA, and BER-encoded signatures.
- es5-ext package versions 0.10.1 to 0.10.62 are vulnerable to Regular Expression Denial of Service (ReDOS) in the function#copy and function#toStringTokens functions.
- fast-xml-parser package versions prior to 4.4.1 are vulnerable to ReDOS at currency parsing.

## Solution

To address these high-severity vulnerabilities, this pull request updates the dependencies in the aws-toolkit-vscode repository:

- The elliptic package is upgraded from version 6.5.3 to 6.5.4 to address the EDDSA, ECDSA, and BER-encoded signatures vulnerabilities.
- The es5-ext package is upgraded from version 0.10.53 to 0.10.62 to address the ReDOS vulnerability in the function#copy and function#toStringTokens functions.
- The fast-xml-parser package is upgraded from version 3.19.0 to 4.4.1 to address the ReDOS vulnerability at currency parsing.

## Implementation Details:

By updating the following top level dependencies, the underlying transitive dependencies with the vulnerabilities were updated to a safe version:

- `@aws-sdk/client-cognito-identity`
- `@aws-sdk/client-lambda`

---

<!--- REMINDER: Ensure that your PR meets the guidelines in CONTRIBUTING.md -->

License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

Co-authored-by: Keen Wilson <[email protected]>
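The commit message relies on bumping two top-level `@aws-sdk` packages so that the vulnerable transitive copies of `elliptic`, `es5-ext` and `fast-xml-parser` resolve to fixed versions. A reviewer wants to confirm that no stale nested copy survives in the lockfile, because a nested duplicate under another dependency is exactly what `npm audit` keeps flagging after a top-level bump. The script below is an added example, not code from this commit or from the aws-toolkit-vscode project: it walks a parsed `package-lock.json` (both the v1 nested `dependencies` shape and the v2/v3 `packages` map) and reports every resolved copy that is below the minimum versions named in the commit message. The lockfile content and the `some-sdk-client` package name are constructed for illustration.

```javascript
// Added example (not part of the aws-toolkit-vscode commit): verify that every
// resolved copy of a package in package-lock.json is at or above a fixed version.
// Minimum versions are the ones the commit message names; the lockfile below is
// constructed sample data, not the project's real lockfile.

const FIXED_MINIMUMS = {
  'elliptic': '6.5.4',
  'es5-ext': '0.10.62',
  'fast-xml-parser': '4.4.1',
};

// Compare two dotted numeric versions ("major.minor.patch"). Pre-release suffixes
// are stripped because the releases of interest here are plain versions.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved (name, version, path) triple from a parsed lockfile.
// lockfileVersion 2/3 lists all copies under "packages" keyed by node_modules
// path; lockfileVersion 1 nests duplicates under each dependency's own
// "dependencies" object, so that shape is walked recursively.
function collectResolved(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      found.push({ name, version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Return every resolved copy that is still below its fixed minimum, with the
// lockfile path so the offending parent dependency can be identified.
function findOutdated(lock, minimums = FIXED_MINIMUMS) {
  return collectResolved(lock)
    .filter(({ name, version }) =>
      minimums[name] !== undefined && compareVersions(version, minimums[name]) < 0)
    .map(({ name, version, path }) => ({ name, version, required: minimums[name], path }));
}

// Human-readable lines for a CI log; an empty array means the lockfile is clean.
function report(lock, minimums = FIXED_MINIMUMS) {
  return findOutdated(lock, minimums).map(
    (s) => `${s.path}: resolved ${s.version}, need >= ${s.required}`);
}

// Constructed sample (lockfileVersion 1 shape): the hoisted copies are fixed, but
// a stale nested copy of elliptic and es5-ext survives under some-sdk-client,
// which is the situation a top-level bump is meant to eliminate.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'elliptic': { version: '6.5.4' },
    'fast-xml-parser': { version: '4.4.1' },
    'some-sdk-client': {
      version: '1.0.0',
      dependencies: {
        'elliptic': { version: '6.5.3' },
        'es5-ext': { version: '0.10.53' },
      },
    },
  },
};

console.log(report(SAMPLE_LOCK).join('\n') || 'lockfile clean');
```

To run it against a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the CI job when `findOutdated` returns a non-empty array; pairing this with `npm audit --audit-level=high` gives an independent check on the same claim the commit message makes.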
1 parent 1d17ced commit 7330f78

File tree

3 files changed: +4833 −1801 lines changed


CHANGELOG.md

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
## [Unreleased]
2+
3+
### Fixed
4+
- Addressed high-severity vulnerabilities in dependencies by updating `elliptic` to 6.5.4, `es5-ext` to 0.10.62, and `fast-xml-parser` to 4.4.1. [#5511](https://github.com/aws/aws-toolkit-vscode/pull/5511)
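Review bot: the version recorded for `elliptic` in this changelog line (6.5.4) sits inside the vulnerable range the commit description itself quotes ("elliptic package versions 2.0.0 to 6.5.6"), so either the audited range or the resolved version in the entry is wrong; please confirm the version actually resolved in `package-lock.json` after the `@aws-sdk/client-cognito-identity` and `@aws-sdk/client-lambda` bumps and that `npm audit` reports no remaining high-severity finding for `elliptic`, then correct the number here if needed. It would also help readers to say in this entry that the three packages are transitive dependencies updated via those two `@aws-sdk` bumps, since only the changelog hunk is shown and the package.json change is not visible in this view.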
