Skip to content

[Security] Vulnerable bundledDependencies in @aws-amplify/data-construct@1.17.1 #3464

Description

@takami-dma-ltd-jp

Description

@aws-amplify/data-construct@1.17.1 (and @aws-amplify/graphql-api-construct@1.21.1) ship vulnerable packages in bundledDependencies. Since bundled dependencies are packed inside the npm tarball, consumers cannot override them via npm overrides or resolutions.

Affected bundled packages

Package Bundled Version Advisory Severity
fast-xml-parser 5.5.2 GHSA-jmr7-xgp7-cmfj Critical
fast-xml-parser 5.5.2 GHSA-8gc5-j5rx-235r High
fast-xml-parser 5.5.2 GHSA-m7jm-9gc2-mpf2 High
fast-xml-parser 5.5.2 GHSA-fj3w-jwp8-x2g3 Moderate
lodash 4.17.23 GHSA-f23m-r3pf-42rh High
lodash 4.17.23 GHSA-r5fr-rjxr-66jc Moderate
@smithy/config-resolver <4.4.0 GHSA-6475-r3vj-m8vf Low

Expected behavior

Update the bundled dependencies to patched versions before publishing a new release:

  • fast-xml-parser>=5.5.7 (or remove from bundledDependencies)
  • lodash → replace with individual lodash methods or a non-vulnerable alternative
  • @smithy/config-resolver>=4.4.0

Environment

  • @aws-amplify/data-construct: 1.17.1
  • @aws-amplify/graphql-api-construct: 1.21.1
  • Node.js: 20.x
  • npm: 10.x

Additional context

npm overrides do not affect bundledDependencies since they are pre-packed in the tarball. The only fix is to update and republish the package.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions