Open terozio opened 1 month ago
Hi @terozio - thanks for reporting.
I'm reaching out to AWS CRT team to address this. Upon checking the current version of axios used in aws-crt, it's specified as ^1.7.2
, which means it should be compatible with versions up to the latest patch release.
In the meantime, while we wait for the aws-crt
maintainers to address this vulnerability, you can update the axios
version in your project's package-lock.json
file to the latest patched version (1.7.4), which should resolve the vulnerability.
For those who come across this issue, the recommended solution is to manually update the axios
version in your package-lock.json file to 1.7.4
until the aws-crt maintainers release an updated version with a non-vulnerable axios
dependency.
aws-crt-nodejs was updated in this PR: https://github.com/awslabs/aws-crt-nodejs/pull/571 When this sdk updates it's dependency of aws-crt-nodejs to v1.21.5, then this vulnerability will be patched.
Checkboxes for prior research
Describe the bug
npm audit
fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.CVE for axios: https://github.com/advisories/GHSA-8hc4-vh64-cxmj
SDK version number
@aws-sdk/client-dynamodb@3.629
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v20.10.0
Reproduction Steps
npm install @aws-sdk/client-dynamodb
npm audit
npm ls axios
Observed Behavior
Expected Behavior
Expect to have no vulnerabilities.
Possible Solution
No response
Additional Information/Context
Issue in axios repository: https://github.com/axios/axios/issues/6463