dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License

Request to have various CVE vulnerabilities addressed #1609

Closed mheironimus-rgare closed 1 year ago

mheironimus-rgare commented 1 year ago

Feature Request

This is a request to address the following CVE vulnerabilities present in serverless-offline as identified by the OWASP dependency-check tool:

Sample package.json

{
  "name": "serverless-offline-cve-issues",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "serverless-offline": "^11.3.0"
  }
}

Expected behavior/code

Running the OWASP dependency-check tool against the serverless-offline project would not uncover any CVE vulnerabilities.

Additional context/Screenshots

It appears the issues identified above relate to the java-invoke-local-all.jar file located in the java-invoke-local package, which is listed as a dependency in the serverless-offline package.json file.
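As an added example (not code from this issue or from serverless-offline), the following Python script walks a node_modules tree, finds every bundled .jar and attributes it to the nearest npm package that ships it, so a dependency-check finding can be traced to the transitive package (here java-invoke-local) rather than to the top-level dependency. The sample tree, the java-invoke-local version string and the JAR bytes are constructed placeholders, not real artifacts.

```python
import json
import tempfile
from pathlib import Path

def find_bundled_jars(node_modules):
    """Return one record per .jar under node_modules, attributed to the
    nearest enclosing npm package (name/version read from its package.json)."""
    root = Path(node_modules).resolve()
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        name, version = "<unknown>", "<unknown>"
        for parent in jar.parents:
            manifest = parent / "package.json"
            if manifest.is_file():
                meta = json.loads(manifest.read_text(encoding="utf-8"))
                name = meta.get("name", name)
                version = meta.get("version", version)
                break
            if parent == root:  # do not climb above node_modules itself
                break
        findings.append({"jar": str(jar.relative_to(root)),
                         "package": name, "version": version,
                         "bytes": jar.stat().st_size})
    return findings

def build_sample_tree(base):
    """Construct a minimal node_modules layout mirroring the issue: the JAR
    lives inside java-invoke-local, not inside serverless-offline. The
    java-invoke-local version and the JAR payload are placeholders."""
    nm = Path(base) / "node_modules"
    packages = {
        "serverless-offline": ("11.3.0", None),
        "java-invoke-local": ("0.0.0-constructed", "java-invoke-local-all.jar"),
    }
    for pkg, (version, jar_name) in packages.items():
        pkg_dir = nm / pkg
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(
            json.dumps({"name": pkg, "version": version}), encoding="utf-8")
        if jar_name:
            (pkg_dir / jar_name).write_bytes(b"PK\x03\x04 placeholder")
    return nm

def demo():
    """Build the constructed tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_bundled_jars(build_sample_tree(tmp))

if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}@{f['version']}: {f['jar']} ({f['bytes']} bytes)")
```

Run against a real install (`find_bundled_jars("node_modules")`) to get the package name and version to report upstream for each flagged JAR.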

dnalborczyk commented 1 year ago

thank you for filing the issue @mheironimus-rgare

the problem is that, as you mentioned, the above CVEs are related to the java-invoke-local package and are also Java-related. ideally that package would fix the dependencies itself, as we can't do much about it - other than forking that package or removing jvm support altogether.

on the bright side, serverless-offline is a local development dependency, where the above CVEs likely don't apply. (just a bad guess)