
@aws-amplify/amplify-cli-core inquirer dependency exposes low severity vulnerability in tmp package

Open brianlenz opened this issue 2 months ago • 2 comments

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

24.8.0

Amplify CLI Version

14.0.1

What operating system are you using?

macOS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

N/A

Describe the bug

@aws-amplify/amplify-cli-core has a transitive dependency on tmp@^0.0.33, which has a low severity security vulnerability:

      │  └─ @aws-amplify/amplify-cli-core@npm:4.4.2 (via npm:4.4.2)
      │     └─ inquirer@npm:7.3.3 (via npm:^7.3.3)
      │        └─ external-editor@npm:3.1.0 (via npm:^3.0.3)
      │           └─ tmp@npm:0.0.33 (via npm:^0.0.33)

Expected behavior

Dependencies don't expose vulnerabilities.

Reproduction steps

  1. Install @aws-amplify/amplify-cli-core and observe that the installed version of tmp has the following vulnerability:

https://github.com/advisories/GHSA-52f5-9888-hmc6

Project Identifier

No response

Log output

No response

Additional information

Upgrading from inquirer 7.3.3 to inquirer 8.2.7 will solve the issue:

https://github.com/SBoudrias/Inquirer.js/issues/1802#issuecomment-3169341642

Before submitting, please confirm:

  • [x] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [x] I have removed any sensitive information from my code snippets and submission.

brianlenz (Sep 26 '25 16:09)

https://github.com/aws-amplify/amplify-cli/blob/5464abe68d55faf0b91d4306f119a844abdc6d3d/yarn.lock#L30240-L30256

The yarn.lock shows two versions of the tmp package:

  • tmp@npm:^0.0.33 → version 0.0.33
  • tmp@npm:~0.2.1 → version 0.2.1

Vulnerability range: ≤ 0.2.3

The advisory clearly states:

  • Vulnerable version range: <= 0.2.3
  • First patched version: 0.2.4

Since 0.0.33 < 0.2.3, version 0.0.33 is actually older than the vulnerable range and is not affected by this specific security vulnerability. I am requesting that the team further confirm and review.

pahud (Sep 26 '25 18:09)

@pahud As you mentioned, 0.0.33 < 0.2.3. So it IS affected by this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2025-54798

iankhou (Sep 26 '25 18:09)
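The disagreement above comes down to how semver versions are ordered: components are compared numerically one at a time (major, then minor, then patch), so 0.0.33 sorts below 0.2.3 (0 = 0, then 0 < 2) and falls inside "<= 0.2.3". The script below is an added example, not code from the Amplify project or from any commenter: it pulls every resolved tmp version out of a `yarn why`-style tree and checks each one against the advisory range. The tree text is constructed sample input; only the inquirer/external-editor/tmp chain mirrors the thread, and the `some-other-tool` and `fixed-tool` entries are invented to show the other two outcomes.

```javascript
// Added example (not from the Amplify project): check every resolved copy of a
// package in a dependency tree against an advisory's vulnerable range, using
// component-wise semver comparison rather than string comparison.

// Constructed sample input shaped like `yarn why tmp` output. The first chain
// mirrors the thread; the other two packages are hypothetical.
const SAMPLE_TREE = `
  └─ @aws-amplify/amplify-cli-core@npm:4.4.2 (via npm:4.4.2)
     └─ inquirer@npm:7.3.3 (via npm:^7.3.3)
        └─ external-editor@npm:3.1.0 (via npm:^3.0.3)
           └─ tmp@npm:0.0.33 (via npm:^0.0.33)
  └─ some-other-tool@npm:1.0.0 (via npm:^1.0.0)
     └─ tmp@npm:0.2.1 (via npm:~0.2.1)
  └─ fixed-tool@npm:2.0.0 (via npm:^2.0.0)
     └─ tmp@npm:0.2.4 (via npm:^0.2.4)
`;

// Advisory data as stated in the thread (GHSA-52f5-9888-hmc6 / CVE-2025-54798).
const ADVISORY = { id: 'GHSA-52f5-9888-hmc6', pkg: 'tmp', vulnerableRange: '<= 0.2.3', patched: '0.2.4' };

// Parse "major.minor.patch" into numbers; any prerelease/build suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise comparison: returns -1, 0 or 1. This is why 0.0.33 < 0.2.3:
// the major parts tie, then minor 0 < 2 decides before patch is ever looked at.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a single comparator such as "<= 0.2.3" or ">=0.2.4"?
function satisfies(version, comparator) {
  const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Collect every distinct resolved version of `pkg` ("pkg@npm:x.y.z") in the tree.
function findResolvedVersions(tree, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
  const re = new RegExp(`(?:^|\\s)${escaped}@npm:(\\d+\\.\\d+\\.\\d+\\S*)`, 'gm');
  const versions = new Set();
  let m;
  while ((m = re.exec(tree)) !== null) versions.add(m[1]);
  return [...versions];
}

// Audit: one {version, vulnerable} record per resolved copy of the package.
function auditPackage(tree, advisory) {
  return findResolvedVersions(tree, advisory.pkg).map((version) => ({
    version,
    vulnerable: satisfies(version, advisory.vulnerableRange),
  }));
}

function main() {
  for (const r of auditPackage(SAMPLE_TREE, ADVISORY)) {
    const verdict = r.vulnerable ? `VULNERABLE (upgrade to >= ${ADVISORY.patched})` : 'ok';
    console.log(`${ADVISORY.pkg}@${r.version}: ${verdict}  [${ADVISORY.id} ${ADVISORY.vulnerableRange}]`);
  }
}

main();
```

Running it reports tmp@0.0.33 and tmp@0.2.1 as vulnerable and tmp@0.2.4 as ok; a string comparison ("0.0.33" > "0.2.3" is false as text too, but "0.10.0" < "0.2.3" would be wrong as text) is the trap the numeric comparison avoids.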