clarkie / dynogels

DynamoDB data mapper for node.js. Originally forked from https://github.com/ryanfitz/vogels
490 stars, 110 forks

aws-sdk version could use updating (Security) #130

Closed iDVB closed 5 years ago

iDVB commented 6 years ago

Apparently aws-sdk <2.178.0 has a potential vulnerability that is now fixed in >=2.178.0.

https://snyk.io/test/npm/dynogels/8.0.1?severity=high&severity=medium&severity=low


cdhowie commented 6 years ago

Isn't this module only actually used when bundled for a browser? Dynogels is not designed to run in a browser -- you're typically not performing database operations from the frontend.

iDVB commented 6 years ago

@cdhowie you're likely correct. However, that dep currently and validly fires off red flags for Snyk.io, and the version of aws-sdk that dynogels currently uses could simply be updated to even just v2.178.0 (not latest) and would still correct the issue.

Shouldn't aws-sdk be a peer dependency anyway? Or, since the version differences are only minor, aren't the chances high that this would be a non-breaking change to dynogels?
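
The check the two comments above are arguing over can be made mechanical: given the `aws-sdk` range a package.json declares, can npm still resolve it to something below the fixed release 2.178.0? The following is an added example written for this page, not code from dynogels or from either commenter. It assumes the fixed version quoted in the issue (2.178.0), handles only the range shapes a package.json commonly carries (exact, `^`, `~`, `>=`, `*`), and audits a constructed sample package object rather than dynogels' real manifest. It reasons about the floor of a declared range, not about what a lockfile has actually pinned, which is the separate check a consuming application should run against its own `node_modules`.

```javascript
// Added example (not dynogels code): decide whether a package.json range for
// aws-sdk can still resolve to a version below the fixed release.
const FIXED = '2.178.0'; // first fixed aws-sdk version named in the issue

// Parse "major.minor.patch" (optional leading "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a declared range will accept. Supports exact, ^, ~, >= and
// '*'. Anything else throws so an unknown range is never silently treated
// as safe.
function minVersionOfRange(range) {
  const r = range.trim();
  if (r === '*' || r === '' || r === 'latest') return '0.0.0';
  const m = /^(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[2];
}

// A range may resolve below the fix if its floor is older than the fixed
// version: the resolver is then free to pick a vulnerable release.
function rangeMayResolveBelow(range, fixed) {
  return compareVersions(minVersionOfRange(range), fixed) < 0;
}

// Walk a package.json-shaped object and report every aws-sdk declaration
// (dependencies, devDependencies, peerDependencies) with its verdict.
function auditAwsSdk(pkg, fixed = FIXED) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    const range = pkg[field] && pkg[field]['aws-sdk'];
    if (range === undefined) continue;
    findings.push({
      field,
      range,
      mayResolveBelowFix: rangeMayResolveBelow(range, fixed),
    });
  }
  return findings;
}

// Constructed sample manifest (hypothetical, not dynogels' package.json):
// a caret range whose floor predates the fix, next to the peerDependency
// shape proposed in the thread, which hands the version choice to the app.
const samplePkg = {
  name: 'sample-app',
  dependencies: { 'aws-sdk': '^2.170.0' },
  peerDependencies: { 'aws-sdk': '>=2.178.0' },
};

for (const f of auditAwsSdk(samplePkg)) {
  console.log(`${f.field}: aws-sdk ${f.range} -> may resolve below ${FIXED}: ${f.mayResolveBelowFix}`);
}
```

Running it reports the `^2.170.0` declaration as able to resolve below 2.178.0 and the `>=2.178.0` peer range as safe. Moving aws-sdk to a `peerDependencies` entry with a floor at or above the fixed release, as the comment suggests, shifts the resolution decision to the consuming application, which is also where the lockfile and Snyk scan live.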

cdhowie commented 5 years ago

Closing this as a duplicate of #148, which has a subtask of updating dependencies to satisfy bitHound (which checks for vulnerabilities).