Update dev dependencies to update vulnerable Glob dependency
Environment information
System:
OS: macOS 15.3.1
CPU: (10) arm64 Apple M4
Memory: 177.14 MB / 16.00 GB
Shell: /bin/zsh
Binaries:
Node: 23.11.0 - /opt/homebrew/bin/node
Yarn: undefined - undefined
npm: 10.9.2 - /opt/homebrew/bin/npm
pnpm: undefined - undefined
NPM Packages:
@aws-amplify/auth-construct: 1.6.1
@aws-amplify/backend: 1.14.3
@aws-amplify/backend-ai: Not Found
@aws-amplify/backend-auth: 1.5.1
@aws-amplify/backend-cli: 1.8.0
@aws-amplify/backend-data: 1.4.1
@aws-amplify/backend-deployer: 2.1.4
@aws-amplify/backend-function: 1.12.3
@aws-amplify/backend-output-schemas: 1.7.1
@aws-amplify/backend-output-storage: 1.1.5
@aws-amplify/backend-secret: 1.4.1
@aws-amplify/backend-storage: 1.2.6
@aws-amplify/cli-core: 2.2.2
@aws-amplify/client-config: 1.9.0
@aws-amplify/data-construct: 1.15.1
@aws-amplify/data-schema: 1.19.0
@aws-amplify/deployed-backend-client: 1.8.1
@aws-amplify/form-generator: 1.2.5
@aws-amplify/model-generator: 1.2.1
@aws-amplify/platform-core: 1.10.2
@aws-amplify/plugin-types: 1.11.1
@aws-amplify/sandbox: 2.1.3
@aws-amplify/schema-generator: 1.4.1
@aws-cdk/toolkit-lib: 1.6.1
aws-amplify: 6.15.5
aws-cdk-lib: 2.225.0
typescript: 5.8.3
No AWS environment variables
No CDK environment variables
Describe the bug
https://github.com/advisories/GHSA-5j98-mcp5-4vw2
rimraf
@aws-amplify/[email protected]
├─┬ @aws-amplify/[email protected]
│ └─┬ @aws-cdk/[email protected]
│   ├─┬ @aws-cdk/[email protected]
│   │ └── [email protected] deduped
│   ├─┬ [email protected]
│   │ └─┬ [email protected]
│   │   └── [email protected]
│   └── [email protected] deduped
├─┬ @aws-amplify/[email protected]
│ └─┬ @aws-amplify/[email protected]
│   └─┬ @graphql-codegen/[email protected]
│     └─┬ @graphql-tools/[email protected]
│       └─┬ @ardatan/[email protected]
│         └── [email protected]
├─┬ @aws-amplify/[email protected]
│ └─┬ @aws-amplify/[email protected]
│   └─┬ [email protected]
│     └── [email protected]
└─┬ @aws-amplify/[email protected]
  └── [email protected]
Any glob version under 11.1.0 has a high-severity vulnerability. HackerOne rejected my ticket because they said it wasn't dangerous enough, but this causes failures in any pipelines disallowing high-severity issues.
Reproduction steps
- Install the latest version of the CLI
- Run npm audit
Thanks @derek-bc, I cannot reproduce this:
$ npm i @aws-amplify/[email protected]
up to date, audited 1324 packages in 1s
182 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
See the last line: found 0 vulnerabilities
I believe the security advisory has been updated to only include actually affected versions. Please let me know if you are still seeing this. Otherwise I will close the issue.