Description
@aws-amplify/data-construct@1.17.1 (and @aws-amplify/graphql-api-construct@1.21.1) ship vulnerable packages in bundledDependencies. Since bundled dependencies are packed inside the npm tarball, consumers cannot override them via npm overrides or resolutions.
Affected bundled packages
Expected behavior
Update the bundled dependencies to patched versions before publishing a new release:
fast-xml-parser → >=5.5.7 (or remove from bundledDependencies)
lodash → replace with individual lodash methods or a non-vulnerable alternative
@smithy/config-resolver → >=4.4.0
Environment
- @aws-amplify/data-construct: 1.17.1
- @aws-amplify/graphql-api-construct: 1.21.1
- Node.js: 20.x
- npm: 10.x
Additional context
npm overrides do not affect bundledDependencies since they are pre-packed in the tarball. The only fix is to update and republish the package.
Description
@aws-amplify/data-construct@1.17.1(and@aws-amplify/graphql-api-construct@1.21.1) ship vulnerable packages inbundledDependencies. Since bundled dependencies are packed inside the npm tarball, consumers cannot override them via npmoverridesorresolutions.Affected bundled packages
Expected behavior
Update the bundled dependencies to patched versions before publishing a new release:
fast-xml-parser→>=5.5.7(or remove from bundledDependencies)lodash→ replace with individual lodash methods or a non-vulnerable alternative@smithy/config-resolver→>=4.4.0Environment
Additional context
npm
overridesdo not affectbundledDependenciessince they are pre-packed in the tarball. The only fix is to update and republish the package.