Skip to content

fix: resolve high dependabot vulnerabilities#3505

Merged
Simone319 merged 12 commits into
mainfrom
fix/high-dependabot-vulnerabilities
Jul 9, 2026
Merged

fix: resolve high dependabot vulnerabilities#3505
Simone319 merged 12 commits into
mainfrom
fix/high-dependabot-vulnerabilities

Conversation

@Simone319

@Simone319 Simone319 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves open high-severity Dependabot alerts, and includes the collateral source/test fixes required by the aws-cdk-lib bump those alerts pulled in.

Dependency vulnerability resolutions

  • ws (CVE: memory-exhaustion DoS from many HTTP headers): bumped direct deps ^7.5.7^7.5.11 and ^8.18.0^8.21.0, and added root resolution ws: >=7.5.11.
  • form-data (CVE: unsafe random boundary in multipart requests): added resolution form-data: >=4.0.6 in the root and scripts/ manifests. Transitive (via axios), so a resolution is used.
  • js-cookie (CVE: per-instance prototype hijack in assign()): added root resolution js-cookie: >=3.0.7. Transitive (via amazon-cognito-identity-js), so a resolution is used.
  • uuid: root resolution uuid: ^11.1.1 (retained).
  • aws-cdk-lib: bumped 2.224.02.260.0 (root resolution + amplify-data-construct and amplify-graphql-api-construct manifests), with constructs 10.3.010.5.0. This is the driver behind the changes below.

aws-cdk-lib 2.260 collateral fixes

  • DynamoDB GSI accessor: aws-cdk-lib (as of 2.252) renamed the private globalSecondaryIndexes/localSecondaryIndexes arrays on the DynamoDB L2 Table to _globalSecondaryIndexes/_localSecondaryIndexes (now ArrayBoxes exposing the same find/some surface and element shape). Reading the old names threw a TypeError. Updated to read the renamed field first with a fallback to the public name (Amplify's managed-table construct keeps the public arrays) in:
    • amplify-graphql-relational-transformer/src/resolvers.ts
    • amplify-graphql-transformer-core/src/utils/schema-utils.ts
    • amplify-graphql-conversation-transformer/src/transformer-steps/conversation-resolver-generator.ts
  • base-cdk e2e snapshot (test-only): regenerated snapshot keys aws-cdk-lib@2.224.0aws-cdk-lib@2.260.0.
  • custom-logic reverse.ts (test-only): converted the Lambda handler from callback-style to async. Runtime.NODEJS_LATEST resolves to nodejs24.x from 2.260, which dropped support for callback-style handlers.
  • jsonServer fixture (test-only): aws-cdk CLI ~2.1101.0~2.1129.0 (cloud-assembly schema 54 compatibility with aws-cdk-lib 2.260), aws-cdk-lib ~2.224.0~2.260.0, constructs ^10.3.0^10.5.0.

Regenerated .jsii, yarn.lock files, and dependency_licenses.txt accordingly.

Test plan

  • pr-workflow passes
  • e2e-workflow (api_gql + cdk) passes

@Simone319 Simone319 requested review from a team as code owners June 30, 2026 15:45
@Simone319 Simone319 marked this pull request as draft July 1, 2026 09:28
Simone319 added a commit that referenced this pull request Jul 7, 2026
…aws-cdk-lib 2.260 (globalSecondaryIndexes no longer populated) [#3505]

aws-cdk-lib 2.260 renamed the private DynamoDB L2 Table field
`globalSecondaryIndexes`/`localSecondaryIndexes` to
`_globalSecondaryIndexes`/`_localSecondaryIndexes` (now ArrayBox-backed,
same `.some`/`.find`/`.length` surface and `{ indexName, keySchema }`
element shape). The transformer read the old names, yielding `undefined`
and `TypeError: Cannot read properties of undefined (reading 'some'/'find')`,
breaking 63 relational unit tests plus a conversation unit test.

Read the renamed field first, falling back to the public
`globalSecondaryIndexes` used by Amplify's managed-table construct, so the
duplicate-index-name dedupe is preserved (not disabled) for both table types.

Sites fixed:
- amplify-graphql-relational-transformer/src/resolvers.ts (3 reads)
- amplify-graphql-transformer-core/src/utils/schema-utils.ts (getKeySchema)
- amplify-graphql-conversation-transformer conversation-resolver-generator.ts
Simone319 added 8 commits July 7, 2026 21:26
…lib, js-cookie)

- ws: bump to ^7.5.11/^8.21.0 + resolution >=7.5.11 (memory exhaustion DoS)
- form-data: add resolution >=4.0.6 (CRLF injection)
- aws-cdk-lib: bump 2.224.0 → 2.246.0 (OS command injection in NodejsFunction)
- js-cookie: add resolution >=3.0.7 (prototype hijack cookie-attribute injection)
TableProps.partitionKey and GlobalSecondaryIndexProps.partitionKey
became Attribute | undefined in aws-cdk-lib 2.246.0. The construct
guarantees these are always provided, so non-null assertions are safe.
…46.0 compatibility

aws-cdk-lib@2.246.0 requires constructs@^10.5.0 as a peer dependency.
Also updates peerDependencies in jsii-published packages to ^2.246.0
so that jsii validation passes.
….246.0

The peerDependency bump to ^2.246.0 was a breaking change for consumers
on older CDK versions. Reverted to ^2.224.0 for backward compatibility.
The vulnerability is still fixed via the yarn resolution + devDependency.

Updated e2e test defaults from 2.224.0 to 2.246.0 so tests install
the patched CDK version.
aws-cdk-lib@2.246.0 produces cloud assembly schema v53 which requires
CDK CLI >= 2.1125.0. The jsonServer used ~2.1101.0 (max schema v50).
…flict

aws-cdk-lib@2.246.0 has an internal dependency conflict:
it depends on @aws-cdk/cloud-assembly-api@^2.2.0 (resolves to 2.2.6)
which requires @aws-cdk/cloud-assembly-schema@>=54.5.0, but aws-cdk-lib
only provides @aws-cdk/cloud-assembly-schema@^53.0.0.

aws-cdk-lib@2.260.0 fixes this by depending on schema@^54.0.0.
…aws-cdk-lib 2.260 (globalSecondaryIndexes no longer populated) [#3505]

aws-cdk-lib 2.260 renamed the private DynamoDB L2 Table field
`globalSecondaryIndexes`/`localSecondaryIndexes` to
`_globalSecondaryIndexes`/`_localSecondaryIndexes` (now ArrayBox-backed,
same `.some`/`.find`/`.length` surface and `{ indexName, keySchema }`
element shape). The transformer read the old names, yielding `undefined`
and `TypeError: Cannot read properties of undefined (reading 'some'/'find')`,
breaking 63 relational unit tests plus a conversation unit test.

Read the renamed field first, falling back to the public
`globalSecondaryIndexes` used by Amplify's managed-table construct, so the
duplicate-index-name dedupe is preserved (not disabled) for both table types.

Sites fixed:
- amplify-graphql-relational-transformer/src/resolvers.ts (3 reads)
- amplify-graphql-transformer-core/src/utils/schema-utils.ts (getKeySchema)
- amplify-graphql-conversation-transformer conversation-resolver-generator.ts
@Simone319 Simone319 force-pushed the fix/high-dependabot-vulnerabilities branch from 02558f4 to 481b874 Compare July 7, 2026 21:36
Simone319 added 4 commits July 8, 2026 09:15
…60.0 (matrix bump left stale 2.224.0 snapshot) [#3505]
…nodejs24.x default from aws-cdk-lib 2.260 dropped callback handlers) [#3505]
…ulnerabilities

# Conflicts:
#	packages/amplify-data-construct/.jsii
#	packages/amplify-graphql-api-construct/.jsii
…cdk-lib 2.260 cloud-assembly schema 54 (#3505 HttpTransformerV2)
@Simone319 Simone319 marked this pull request as ready for review July 9, 2026 09:00
@sarayev

sarayev commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The GSI access pattern (table['_globalSecondaryIndexes'] ?? table.globalSecondaryIndexes) is reaching into CDK private internals — which is what broke in the first place when CDK renamed these fields. The fallback helps today, but we're still coupled to implementation details that can change in any minor release.

A more stable alternative would be reading from the L1 CfnTable, which exposes GSIs as public API:

const cfnTable = table.node.defaultChild as CfnTable;
const gsis = Stack.of(table).resolve(cfnTable.globalSecondaryIndexes) ?? [];

This won't break with L2 internal refactors. Also worth centralizing into a single shared utility since the same pattern is duplicated across 3 packages — next time CDK changes something, we'd only need to fix it in one place.

@Simone319

Copy link
Copy Markdown
Contributor Author

Thanks @sarayev — agree the private-field coupling isn't ideal long-term. Two issues with the CfnTable approach for this PR, though:

1. It breaks Amplify's managed tables. For the managed DDB strategy the table is AmplifyDynamoDBTable extends Resource, whose node.defaultChild is a CustomResource, not a CfnTable — it keeps GSIs on its own array. So (defaultChild as CfnTable).globalSecondaryIndexes ?? [] resolves to [] there, silently disabling the duplicate-index-name check in resolvers.ts, mis-wiring key schema in schema-utils.ts, and throwing at synth in the conversation transformer. The ?? globalSecondaryIndexes fallback is specifically there to cover both the standard Table and this managed construct.

2. Property casing. Stack.of(table).resolve(cfnTable.globalSecondaryIndexes) renders CFN-cased IndexName/KeySchema, but the callers read .indexName / .keySchema — so find/some would return undefined even on a standard Table without a normalization layer.

Given both, I'd keep the current accessor for this security-fix PR (it's validated e2e-green). Happy to take the centralization idea (single shared helper) as a separate follow-up.

@sarayev

sarayev commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Thanks for the detailed explanation — makes sense, especially the AmplifyDynamoDBTable case. LGTM, happy to see the centralization follow-up when it comes.

@sarayev sarayev left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Simone319 Simone319 merged commit ebaf1e0 into main Jul 9, 2026
6 of 7 checks passed
@Simone319 Simone319 deleted the fix/high-dependabot-vulnerabilities branch July 9, 2026 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants