
Comments (6)

carolabadeer commented on June 27, 2024

Node SDK v3.5.1, which includes the fix for this security vulnerability, has been released
https://github.com/aws/aws-xray-sdk-node/releases/tag/aws-xray-sdk-node%403.5.1

from aws-xray-sdk-node.

jhonnycordova commented on June 27, 2024

Hello. Are you planning to fix this? Any workaround I can use in the meantime? Thanks


carolabadeer commented on June 27, 2024

Hi @rpodwika and @jhonnycordova, thanks for raising this issue

Do you mind clarifying where v5.7.1 is being brought in? I see semver v7.3.8 in the aws-xray-sdk-core package dependencies and semver v6.3.0 being pulled in from cls-hooked

PR #598 fixes the core package version, but the version being pulled in from cls-hooked is a transitive dependency


kryten87 commented on June 27, 2024

The cls-hooked package on the master branch does indeed have semver v6.3.0, but the v4.2.2 tag has semver v5.4.1. I'm not sure where 5.7.1 is coming from. In any event, the vulnerability described in the link above affects any version of semver prior to 7.5.2, so even installing from master will not resolve the problem.

The version from cls-hooked may be transitive, but it is enough to cause npm audit to complain.


cortexcompiler commented on June 27, 2024

I am seeing this vulnerability flagged for any version of semver < 7.5.2:
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795

The paths through which it is introduced are:

[email protected] > [email protected] > [email protected]
[email protected] > [email protected] > [email protected] > [email protected]

Note that this is flagged as a high severity vulnerability.


carolabadeer commented on June 27, 2024

Hi all, thank you for your responses! We are actively working on a fix

