shelfio / jest-dynamodb

Jest preset for DynamoDB local server
MIT License

Pinned @aws-sdk version brings ReDoS vulnerability CVE-2024-41818 #257

Closed joshuanapoli closed 1 month ago

joshuanapoli commented 1 month ago

Since the @aws-sdk package versions are tightly pinned, it brings the vulnerability CVE-2024-41818 to all projects that depend on jest-dynamodb.

I think that merging https://github.com/shelfio/jest-dynamodb/pull/215 would solve the problem.

Or we could loosen the version spec. This would also have the benefit to users of jest-dynamodb of not necessarily ending up with multiple versions of the SDK.

joshuanapoli commented 1 month ago

Thank you for releasing v3.5.0! It solves the transitive dependency ReDoS vulnerability alert.