abarke
commented
1 month ago downstream issue https://github.com/aws/aws-iot-device-sdk-js-v2/issues/517
Closed abarke closed 17 hours ago
abarke
commented
1 month ago downstream issue https://github.com/aws/aws-iot-device-sdk-js-v2/issues/517
jmklix
commented
1 month ago Thanks for pointing this out to us. It is currently not an issue for anyone using this sdk, as security vulnerabilities don't affect any of the functions used by this sdk. We will leave this issue open for when we update to the latest ws version.
abarke
commented
1 month ago Thanks for pointing this out to us. It is currently not an issue for anyone using this sdk, as security vulnerabilities don't affect any of the functions used by this sdk. We will leave this issue open for when we update to the latest ws version.
This broke our CI pipeline as we run npm audit as a task. So for now we just ignore it, but for some orgs this might become an issue and break the pipeline. Could you expand on how the security vulnerabilities doesn't affect any of the functions used by this sdk? 🤔
I would assume the mqtt@4.3.8 dependency is used by aws-iot-device-sdk-js-v2 as this is a core feature of using AWS IoT. We use the ws client for connecting MQTT via WebSocket to AWS IoT Core.
bretambrose
commented
1 month ago Thanks for pointing this out to us. It is currently not an issue for anyone using this sdk, as security vulnerabilities don't affect any of the functions used by this sdk. We will leave this issue open for when we update to the latest ws version.
This broke our CI pipeline as we run
npm auditas a task. So for now we just ignore it, but for some orgs this might become an issue and break the pipeline. Could you expand on how the security vulnerabilities doesn't affect any of the functions used by this sdk? 🤔I would assume the
mqtt@4.3.8dependency is used byaws-iot-device-sdk-js-v2as this is a core feature of using AWS IoT. We use thewsclient for connecting MQTT via WebSocket to AWS IoT Core.
From the Github advisory:
A request with a number of headers exceeding the[server.maxHeadersCount](https://nodejs.org/api/http.html#servermaxheaderscount) threshold could be used to crash a ws server.
The vulnerability is in server functionality: handling the headers of an unknown http request (the websocket handshake). We do not use server functionality and the headers in the handshake are either under client control (the request) or IoT Core control (the response).
bretambrose
commented
17 hours ago
Describe the bug
Expected Behavior
No vulnerabilities found
Current Behavior
2 vulnerabilities found Severity: 2 high
Reproduction Steps
npm audit
Possible Solution
Seems
aws-crtis using 2 different major versions ofws@7.5.9andws@8.17.0Solution would be to bump to
mqtt@>=5.7.2Ref to "ws": "^8.17.1": https://github.com/mqttjs/MQTT.js/blob/v5.7.2/package.json#L127Looking at the breaking changes from mqtt 4 > 5 these are only small changes needed/documented: https://github.com/mqttjs/MQTT.js/blob/v5.7.2/CHANGELOG.md
This should solve both issues by using a single
ws@8.17.1asisomorphic-wsdepends on any version being apeerDependency. https://github.com/heineiuo/isomorphic-ws/blob/master/package.json#L27Additional Information/Context
No response
aws-crt-nodejs version used
1.21.2
nodejs version used
22.1.0
Operating System and version
Windows 11