Skip to content

fix: resolve high-severity npm audit vulnerabilities#1184

Merged
tejaskash merged 2 commits intoaws:mainfrom
Hweinstock:fix/npm-audit-vulnerabilities
May 8, 2026
Merged

fix: resolve high-severity npm audit vulnerabilities#1184
tejaskash merged 2 commits intoaws:mainfrom
Hweinstock:fix/npm-audit-vulnerabilities

Conversation

@Hweinstock
Copy link
Copy Markdown
Contributor

@Hweinstock Hweinstock commented May 8, 2026
edited
Loading

Description

Run npm audit fix and remove stale overrides to resolve all production dependency vulnerabilities:

  • fast-xml-builder (high): attribute value quote bypass (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc)
  • fast-uri (high): path traversal via percent-encoded dot segments (GHSA-q3j6-qgpj-74h6)
  • uuid (moderate): missing buffer bounds check (GHSA-w5hq-g745-h8pq)
  • fast-xml-parser (moderate): XML comment/CDATA injection (GHSA-gh4j-gqv2-49f6) — resolved by removing stale fast-xml-parser and @aws-sdk/xml-builder overrides, allowing natural resolution to fast-xml-parser@5.7.2 via @aws-sdk/xml-builder@3.972.22

The only remaining fast-uri@3.1.0 is bundled inside aws-cdk-lib (dev dependency), excluded by --omit=dev.

npm run security:audit now reports 0 vulnerabilities.

Related Issue

N/A — security maintenance

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@Hweinstock
fix: resolve high-severity npm audit vulnerabilities
fde6060 
Run npm audit fix to address:
- fast-xml-builder: attribute value quote bypass (high)
- fast-uri: path traversal via percent-encoded dot segments (high, prod dep)
- uuid: missing buffer bounds check (moderate)

Remaining moderate vulnerabilities are in @aws-sdk transitive deps
(fast-xml-parser < 5.7.0) which require upstream SDK updates.
@github-actions github-actions Bot added size/xs PR size: XS agentcore-harness-reviewing AgentCore Harness review in progress labels May 8, 2026
@Hweinstock Hweinstock mentioned this pull request May 8, 2026
Merged
15 tasks
agentcore-cli-automation
agentcore-cli-automation suggested changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@agentcore-cli-automation agentcore-cli-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the audit fix. The three high-severity bumps (fast-xml-builder, fast-uri, uuid) are legit — I verified each against the linked GHSAs and confirmed the top-level resolutions in the lockfile land on patched versions. All CI checks are green and the change is lockfile-only.

One substantive point worth addressing before merging:

The fast-xml-parser / @aws-sdk/xml-builder overrides in package.json (lines 151–159) are now stale and can be dropped as part of this PR

The overridesComments in package.json explicitly describe when each override should be removed:

  • fast-xml-parser → "Remove once @aws-sdk updates to fast-xml-parser >=5.5.7."
  • @aws-sdk/xml-builder → "Remove once @aws-sdk/client-* deps are bumped past 3.972.14."

Both conditions are now met by this PR's transitive bumps. Specifically, @aws-sdk/core goes from 3.974.63.974.8, which now requires @aws-sdk/xml-builder ^3.972.22. Published @aws-sdk/xml-builder@3.972.22 pins fast-xml-parser: 5.7.2, which in turn fixes the remaining medium advisory (GHSA-gh4j-gqv2-49f6, vulnerable range < 5.7.0).

Concrete consequences of leaving the overrides in place:

  1. Semver mismatch in the lockfile. Line 2148 of the new package-lock.json records @aws-sdk/core@3.974.8 as requiring "@aws-sdk/xml-builder": "^3.972.22", but the override pins the actually-installed tree to 3.972.15 (line 2892). It works because overrides win, but it's a real downgrade away from what @aws-sdk/core expects.
  2. Residual medium CVE. fast-xml-parser@5.5.7 is still vulnerable to GHSA-gh4j-gqv2-49f6. The PR description attributes remaining moderates to upstream not having shipped yet — but the upstream fix has in fact shipped, and the override is the only thing preventing us from picking it up.

Options:

  • (preferred) Remove both fast-xml-parser and @aws-sdk/xml-builder entries from both overrides and overridesComments in package.json, then regenerate the lockfile. This should pull in @aws-sdk/xml-builder@3.972.22 and fast-xml-parser@5.7.2 and fully clear the xml-related advisories (including the medium).
  • Or, if there's a reason to stay on these pinned versions for now, at least bump the @aws-sdk/xml-builder override from 3.972.15 to 3.972.22 so it matches what @aws-sdk/core@3.974.8 requests, and bump fast-xml-parser from 5.5.7 to 5.7.2 to clear the medium advisory. The original justifications for the overrides are all satisfied at those versions.
  • Or, keep as-is and update the PR description to acknowledge the remaining medium comes from a stale in-repo override rather than unshipped upstream work — but this seems strictly worse than either option above.

Also a minor note for the description (non-blocking): the residual fast-uri@3.1.0 shows up as a bundled dep inside aws-cdk-lib (see node_modules/aws-cdk-lib/node_modules/fast-uri in the lockfile), not via @aws-sdk. It's filtered out by --omit=dev so it doesn't break the audit gate, but the description attributes it to the wrong place.

Comment thread package-lock.json
@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 8, 2026
@Hweinstock
fix: remove stale fast-xml-parser and @aws-sdk/xml-builder overrides
a46fe2d 
Both override conditions are now met by upstream:
- @aws-sdk/xml-builder@3.972.22 pins fast-xml-parser@5.7.2
- @aws-sdk/core@3.974.8 requires @aws-sdk/xml-builder ^3.972.22

Removing the overrides allows the natural resolution to pick up
the patched versions, clearing the remaining moderate advisory
(GHSA-gh4j-gqv2-49f6, fast-xml-parser < 5.7.0).

security:audit now reports 0 vulnerabilities (--omit=dev).
@Hweinstock Hweinstock closed this May 8, 2026
@github-actions github-actions Bot added size/xs PR size: XS and removed size/xs PR size: XS labels May 8, 2026
@Hweinstock Hweinstock reopened this May 8, 2026
@github-actions github-actions Bot added size/xs PR size: XS agentcore-harness-reviewing AgentCore Harness review in progress and removed size/xs PR size: XS labels May 8, 2026
agentcore-cli-automation
agentcore-cli-automation approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@agentcore-cli-automation agentcore-cli-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for following up on the override cleanup. Commit a46fe2d does exactly what the prior review asked for:

  • Removes fast-xml-parser and @aws-sdk/xml-builder from both overrides and overridesComments in package.json (lines 150–157 now match the remaining override set).
  • Regenerates the lockfile so @aws-sdk/xml-builder@3.972.22 (what @aws-sdk/core@3.974.8 actually requests) and fast-xml-parser@5.7.2 resolve naturally, which also clears the residual medium advisory GHSA-gh4j-gqv2-49f6.

Verification on the new lockfile:

  • Top-level fast-xml-parser@5.7.2, fast-xml-builder@1.2.0, fast-uri@3.1.2, uuid@11.1.1, @aws-sdk/xml-builder@3.972.22, @aws-sdk/core@3.974.8 — all patched against the linked GHSAs.
  • The only remaining fast-uri@3.1.0 copy is nested under node_modules/aws-cdk-lib/node_modules/fast-uri and is marked dev: true in the lockfile, so it's correctly excluded by security:audit (npm audit --audit-level=high --omit=dev).
  • No other overrides are stale — minimatch and glob still have the upstream pinning reasons described in overridesComments.

Core CI on the latest SHA is green (lint, typecheck, security, format, unit-test 1/3, 2/3, 3/3, secrets, schema-check, CodeQL). The still-pending/failing entries in gh pr checks are either cancelled runs from the earlier commit or jobs still in progress.

One non-blocking nit (same as flagged in the previous review): the PR description still says "Remaining moderate vulnerabilities are in @aws-sdk transitive deps (fast-xml-parser < 5.7.0) which require upstream SDK updates" — this is now out of date since this PR does in fact pull in fast-xml-parser@5.7.2. Worth updating the description before merge, but not a code change.

LGTM.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 8, 2026
@Hweinstock Hweinstock marked this pull request as ready for review May 8, 2026 18:04
@Hweinstock Hweinstock requested a review from a team May 8, 2026 18:04
@tejaskash tejaskash merged commit 715a5a2 into aws:main May 8, 2026
33 of 46 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tejaskash tejaskash tejaskash approved these changes

+1 more reviewer

@agentcore-cli-automation agentcore-cli-automation agentcore-cli-automation approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Hweinstock @tejaskash @agentcore-cli-automation