aws / aws-toolkit-vscode

Amazon Q, CodeCatalyst, Local Lambda debug, SAM/CFN syntax, ECS Terminal, AWS resources
https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.amazon-q-vscode
Apache License 2.0

fix: update high vulnerability npm packages #5202

Closed 32teeth closed 1 week ago

32teeth commented 1 week ago

Problem

[!CAUTION] Running npm audit reports 2 high severity vulnerabilities: braces + ws

Braces

[!WARNING] Uncontrolled resource consumption in braces. The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

WS

[!WARNING] ws affected by a DoS when handling a request with many HTTP headers. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Solution

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
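As an added example (not code from this PR or from the toolkit), a small Node.js CI gate that parses `npm audit --json` output and fails the build while advisories at or above a chosen severity remain. The report below is constructed to mirror the two findings described above; the `some-dev-dep` package name is a placeholder.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+); not output of a real run.
const SAMPLE_REPORT = JSON.stringify({
  vulnerabilities: {
    braces: {
      name: 'braces', severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ title: 'Uncontrolled resource consumption in braces', severity: 'high' }],
    },
    ws: {
      name: 'ws', severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ title: 'ws affected by a DoS when handling a request with many HTTP headers', severity: 'high' }],
    },
    // Placeholder direct dependency flagged only because it pulls in braces (via = package names).
    'some-dev-dep': { name: 'some-dev-dep', severity: 'low', isDirect: true, fixAvailable: false, via: ['braces'] },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
});

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return every vulnerability entry at or above `threshold`, sorted by package name.
// `via` mixes advisory objects (root cause, carrying a title) and plain package names
// (the entry merely carries a transitive finding); only the advisory titles are kept.
function findFailingAdvisories(reportJson, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const vulns = JSON.parse(reportJson).vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= minRank)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      fixAvailable: Boolean(v.fixAvailable), // npm reports a boolean or an upgrade object
      titles: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
    }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// CI gate: print each remaining finding and return the process exit code (1 = fail).
function auditGate(reportJson, threshold = 'high') {
  const failing = findFailingAdvisories(reportJson, threshold);
  for (const f of failing) {
    console.error(`${f.severity.toUpperCase()} ${f.name} (fix available: ${f.fixAvailable}): ${f.titles.join('; ')}`);
  }
  return failing.length === 0 ? 0 : 1;
}

// With the sample report the gate fails: both high findings are still present.
const SAMPLE_EXIT_CODE = auditGate(SAMPLE_REPORT); // → 1
```

In a pipeline, feed `npm audit --json` into `auditGate` and set `process.exitCode` from its return value; after the bumps in this PR the two high entries disappear and the gate passes at the `high` threshold.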

justinmk3 commented 1 week ago

The "package test" CI is failing. Does this command pass locally? https://github.com/aws/aws-toolkit-vscode/blob/8ee7242fc443b37d622b59b5f19f7a086f3cf05d/buildspec/packageTestVsix.yml#L30