Comments (6)
Node SDK v3.5.1, which includes the fix for this security vulnerability, has been released
https://github.com/aws/aws-xray-sdk-node/releases/tag/aws-xray-sdk-node%403.5.1
from aws-xray-sdk-node.
Hello. Are you planning to fix this? Any workaround I can use in the meantime? Thanks
from aws-xray-sdk-node.
Hi @rpodwika and @jhonnycordova, thanks for raising this issue.
Do you mind clarifying where v5.7.1 is being brought in? I see semver v7.3.8 in the aws-xray-sdk-core package dependencies and semver v6.3.0 being pulled in from cls-hooked.
PR #598 fixes the core package version, but the version being pulled in from cls-hooked is a transitive dependency.
from aws-xray-sdk-node.
The cls-hooked package on the master branch does indeed have semver v6.3.0, but the v4.2.2 tag has semver v5.4.1. I'm not sure where 5.7.1 is coming from. In any event, the vulnerability described in the link above affects any version of semver prior to 7.5.2, so even installing from master will not resolve the problem.
The version from cls-hooked may be transitive, but it is enough to cause npm audit to complain.
from aws-xray-sdk-node.
I am seeing this vulnerability flagged for any version of semver < 7.5.2:
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
The paths given where it is introduced through are:
[email protected] > [email protected] > [email protected]
[email protected] > [email protected] > [email protected] > [email protected]
Note that this is flagged as a high severity vulnerability.
from aws-xray-sdk-node.
Hi all, thank you for your responses! We are actively working on a fix.
from aws-xray-sdk-node.