Closed remcotm closed 1 year ago
@remcotm we appreciate you for opening this issue. This is currently being investigated and we will provide an update soon.
To add weight to this, I've been battling these vulnerabilities with aws-amplify v5.2.5 as well:
fast-xml-parser <4.2.4
Severity: high
fix available via `npm audit fix --force`
Will install aws-amplify@2.3.0, which is a breaking change
Appreciate your work!
Updating everyone following this issue that PR #11489 is in the works to address this.
The PR to fix this has been released and we have verified that the alert does not appear using the newly released version of the library.
JavaScript Framework
Not applicable
Amplify APIs
Not applicable
Amplify Categories
Not applicable
Describe the bug
Snyk finds the following vulnerability: https://security.snyk.io/vuln/SNYK-JS-FASTXMLPARSER-5668858
It is introduced through the following paths:
A version without the vulnerability seems to have been released to @aws-sdk/* packages at v3.347.1 (https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.347.1)
Currently some of the dependencies introduced by installing aws-amplify introduce @aws-sdk packages below the version with the fix.
Expected behavior
aws-amplify uses fast-xml-parser version 4.2.4 or higher.