mobileposse / auto-delete-bucket

Custom resource for automatically deleting S3 bucket contents when the stack deletes
MIT License

security: update axios and yargs-parser #20

Open AlJohri opened 3 years ago

AlJohri commented 3 years ago
❯ npm audit
# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
No fix available
node_modules/axios
  @mobileposse/auto-delete-bucket  *
  Depends on vulnerable versions of axios
  node_modules/@mobileposse/auto-delete-bucket

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
No fix available
node_modules/yargs-parser
  meow  5.0.0 - 6.0.1
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    ts-clean  *
    Depends on vulnerable versions of meow
    node_modules/ts-clean

5 vulnerabilities (3 low, 2 high)

Some issues need review, and may require choosing
a different dependency.
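
The dependency chains in the report above can also be read from `npm audit --json`. This is an added example, not part of the original issue; the JSON is a constructed sample in the npm 7+ report shape, and its `isDirect` values are assumptions.

```javascript
// Constructed sample in the npm 7+ `npm audit --json` shape, reduced to the
// fields used here. Names, ranges and advisory URLs mirror the text report
// in this issue; the isDirect flags are assumed.
const report = {
  vulnerabilities: {
    axios: { isDirect: false, effects: ['@mobileposse/auto-delete-bucket'], fixAvailable: false,
      via: [{ title: 'Server-Side Request Forgery', url: 'https://npmjs.com/advisories/1594', range: '<0.21.1' }] },
    '@mobileposse/auto-delete-bucket': { isDirect: true, effects: [], fixAvailable: false, via: ['axios'] },
    'yargs-parser': { isDirect: false, effects: ['meow'], fixAvailable: false,
      via: [{ title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/1500',
        range: '<=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1' }] },
    meow: { isDirect: false, effects: ['ts-clean'], fixAvailable: false, via: ['yargs-parser'] },
    'ts-clean': { isDirect: true, effects: [], fixAvailable: false, via: ['meow'] },
  },
};

// For each package that carries an advisory itself (an object in `via`),
// follow `effects` upward and return every chain that ends at a direct
// dependency, i.e. the package whose maintainer has to ship the upgrade.
function chainsToDirectDeps(auditReport) {
  const vulns = auditReport.vulnerabilities || {};
  const results = [];
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = (entry.via || []).filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue; // affected only through a dependency
    const walk = (pkg, path) => {
      const node = vulns[pkg];
      if (!node || path.includes(pkg)) return; // unknown package or cycle
      const next = [...path, pkg];
      if (node.isDirect) {
        // fixAvailable is a boolean or an object describing the fix
        results.push({ advisories, chain: next, fixAvailable: Boolean(entry.fixAvailable) });
      }
      for (const parent of node.effects || []) walk(parent, next);
    };
    walk(name, []);
  }
  return results;
}

for (const r of chainsToDirectDeps(report)) {
  const titles = r.advisories.map((a) => `${a.title} (${a.url})`).join(', ');
  console.log(`${r.chain.join(' <- ')}: ${titles}; fix available: ${r.fixAvailable}`);
}
```
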

danconner-vertex commented 3 years ago

Our team would also be grateful for this upgrade.

rwpswami commented 3 years ago

I think Axios has upgraded. Waiting for a new release.

E-Rick commented 3 years ago

Hey @rwpswami @danconner-vertex,

The option to auto delete objects upon bucket removal was added to the core functionality of aws-cdk recently. aws-cdk#3297 🥳

You just have to enable the autoDeleteObjects option and set removal policy to RemovalPolicy.DESTROY when creating the S3 bucket.

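// CDK v2 import paths (CDK v1: '@aws-cdk/core' and '@aws-cdk/aws-s3')
import { RemovalPolicy } from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
// Inside a Stack or Construct, where `this` is the scope
const bucket = new Bucket(this, 'MyTempFileBucket', {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
});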

See the official AWS CDK documentation