aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

V5 Vulnerability fix: bump xml-parser to v4.4.1 for V5 #13657

Closed jackirvine97 closed 1 month ago

jackirvine97 commented 1 month ago

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

Describe the solution you'd like

Given the complexity and time required to migrate from v5 to v6, can this dependency be bumped so v5 apps are not blocked from deployments and not exposed to this vulnerability?

Describe alternatives you've considered

n/a

Additional context

n/a

Is this something that you'd be interested in working on?

jackirvine97 commented 1 month ago

Is #13663 the resolution?

cwomack commented 1 month ago

Hello, @jackirvine97 and thank you for opening this issue. As you already saw, PR #13663 is indeed the resolution to this! The release for this will happen within the next week, but we are working on getting it to build on the "unstable" branch. We'll update this issue when that's ready, as well as when the release happens that includes this.

jackirvine97 commented 1 month ago

Brilliant @cwomack, thank you so much for the update and for patching through this fix.

mcintoac-aws commented 1 month ago

@cwomack Just wanting to double check that the resolution in PR #13663 is enough to fix the issue? There are exact dependency versions for various @aws-sdk packages specified within some @aws-amplify packages that are also vulnerable; the @aws-sdk packages have been updated to "3.621.0" and might require dependency updates in the amplify packages as well.

jackirvine97 commented 1 month ago

Other than upgrading to v6, skipping "high" vulnerabilities in my node audit run, or moving to a CICD where I can do a targeted ignore of CVEs, I assume there are no other workarounds? (I have a PRD patch hanging off this)

haverchuck commented 1 month ago

Some context can be found here: https://github.com/aws/aws-sdk-js-v3/issues/6331#issuecomment-2258446110

ashika112 commented 1 month ago

Hi everyone, the fix for this is now released in version 5.3.21. Please let us know if there are any questions or comments on the fix.

navv-christofer-flores commented 1 month ago

@ashika112 What about aws-amplify v6? I'm having this issue on the latest version, 6.5.0, too:

[image: screenshot of the audit output]

ashika112 commented 3 weeks ago

@navv-christofer-flores v6 has the fix as well. In your screenshot I see fast-xml-parser@4.4.1; that version does not have the vulnerability. It was the version in which the fix was released by the fast-xml-parser library.