m-radzikowski / aws-sdk-client-mock

AWS JavaScript SDK v3 mocks for easy unit testing. 🖋️ Typed 🔬 Tested 📄 Documented 🛠️ Maintained
https://m-radzikowski.github.io/aws-sdk-client-mock/
MIT License

Need to update sinon for path-to-regexp vulnerability GHSA-9wv6-86v2-598j #238

Open jeffbski-rga opened 1 week ago

jeffbski-rga commented 1 week ago

You might merge in the PR #237 to resolve this

npm audit report:

    path-to-regexp  0.2.0 - 7.2.0
    Severity: high
    path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
    No fix available
    node_modules/path-to-regexp
      nise  <=6.0.0
      Depends on vulnerable versions of path-to-regexp
      node_modules/nise
        sinon  3.0.0 - 17.0.2
        Depends on vulnerable versions of nise
        node_modules/sinon
          aws-sdk-client-mock
          Depends on vulnerable versions of sinon
          node_modules/aws-sdk-client-mock
            aws-sdk-client-mock-jest
            Depends on vulnerable versions of aws-sdk-client-mock
            node_modules/aws-sdk-client-mock-jest

mrRodrigo commented 6 days ago

I overrode the sinon version to 18.0.0 in package.json to avoid the vulnerability, and all features that I use from aws-sdk-client-mock are still working.

To reproduce in your projects, add this in package.json:

    "overrides": {
      "sinon": "^18.0.0"
    }

jeffbski-rga commented 6 days ago

Thanks @mrRodrigo, I am also doing so while waiting for this to land in master. I used a more specific override for this package.

  "overrides": {
    "aws-sdk-client-mock": {
      "sinon": "^18.0.1",
      "@types/sinon": "^17.0.3"
    }
  },
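A way to confirm that either override above actually took effect, added here as an example and not code from the issue or from aws-sdk-client-mock: it walks the `packages` map of a package-lock.json (lockfile v2/v3) and reports every copy of path-to-regexp, nise or sinon, including nested copies under `node_modules/aws-sdk-client-mock/node_modules/`, whose version falls inside the ranges npm audit reported. The two lockfile objects and their versions are constructed for the demonstration.

```javascript
// Added example: verify from the lockfile that no copy of the
// path-to-regexp -> nise -> sinon chain remains in a vulnerable range.
// Ranges are the ones listed in the npm audit report in this issue.
const VULNERABLE = {
  'path-to-regexp': ['0.2.0', '7.2.0'],
  nise: ['0.0.0', '6.0.0'],   // audit says "<=6.0.0"
  sinon: ['3.0.0', '17.0.2'],
};

// Numeric dotted-version comparison (enough for release versions).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/sinon" or, for a nested copy that an
// unscoped override would miss, "node_modules/aws-sdk-client-mock/node_modules/sinon".
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const range = VULNERABLE[name];
    if (!range || !meta.version) continue;
    if (compareVersions(meta.version, range[0]) >= 0 &&
        compareVersions(meta.version, range[1]) <= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: before the override, an old sinon is nested under
// aws-sdk-client-mock and pulls in vulnerable nise / path-to-regexp.
const lockBefore = { packages: {
  'node_modules/aws-sdk-client-mock': { version: '0.0.0' },  // version irrelevant
  'node_modules/aws-sdk-client-mock/node_modules/sinon': { version: '17.0.1' },
  'node_modules/nise': { version: '5.1.9' },
  'node_modules/path-to-regexp': { version: '6.2.1' },
}};
// Constructed sample: after the override, every copy is outside the ranges.
const lockAfter = { packages: {
  'node_modules/aws-sdk-client-mock': { version: '0.0.0' },
  'node_modules/sinon': { version: '18.0.1' },
  'node_modules/nise': { version: '6.1.1' },
  'node_modules/path-to-regexp': { version: '8.2.0' },
}};
```

To run it against a real project, replace the constructed objects with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and fail the build when `findVulnerable` returns anything.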