[Aikido] Fix 4 security issues in axios, fast-uri, aws-cdk-lib#1722
Open
aikido-autofix[bot] wants to merge 2 commits into
Open
[Aikido] Fix 4 security issues in axios, fast-uri, aws-cdk-lib#1722aikido-autofix[bot] wants to merge 2 commits into
aikido-autofix[bot] wants to merge 2 commits into
Conversation
Contributor
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrade axios, fast-uri, and aws-cdk-lib to fix credential leakage on redirects, URL validation bypass, IDN canonicalization, and command injection vulnerabilities.
✅ Code not affected by breaking changes.
✅ No breaking changes from either package upgrade affect this codebase:
axios (1.16.1 => 1.18.0): All
validateStatususages provide explicit functions rather thanundefined, and all HTTP/HTTPS URLs are properly formatted with//.aws-cdk-lib (2.257.0 => 2.260.0): The codebase does not use PCAConnectorAD resources, does not use
Runtime.NODEJS_LATEST, and all Lambda handlers use async/await patterns rather than callback-style handlers.All breaking changes by upgrading axios from version 1.16.1 to 1.18.1 (CHANGELOG)
http:andhttps:URLs that omit//are now rejected withERR_INVALID_URL, whereas they may have been accepted previously.validateStatus: undefinedbehavior changed to require opt-in viatransitional.validateStatusUndefinedResolvesto be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.All breaking changes by upgrading aws-cdk-lib from version 2.257.0 to 2.260.0 (CHANGELOG)
✅ 4 CVEs resolved by this upgrade
This PR will resolve the following CVEs:
X-API-Keyand AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.//(e.g.,https:internal.example) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization.🤖 Remediation details
Fix security vulnerabilities in axios, fast-uri, and aws-cdk-lib
This PR remediates security vulnerabilities in three packages — axios, fast-uri, and aws-cdk-lib — by bumping declared versions in workspace member
package.jsonfiles and refreshing the rootyarn.lockvia Yarn Berry's lockfile-update mode. Noresolutionsoverrides were required.axios
axioswas resolved at1.16.1as a transitive dependency ofnx@20.8.4(declared range^1.8.3), which falls within the vulnerable range. Becausenx's existing range already admitted1.18.x, no manifest edit was needed; ayarn up -R axios --mode=update-lockfilelockfile refresh was sufficient to pull the resolved version up to1.18.1. The two previously separate lockfile entries (axios@npm:^1.8.3at1.16.1andaxios@npm:^1.18.0at1.18.0) were consolidated into a single entry at1.18.1.fast-uri
fast-uriwas resolved at3.1.2as a transitive dependency ofajv@8.18.0(declared range^3.0.1), placing it in the vulnerable range. The parent's existing range already permitted3.1.3, so ayarn up -R fast-uri --mode=update-lockfilelockfile refresh was sufficient to advance the resolved version to3.1.3without any manifest change.aws-cdk-lib
aws-cdk-libwas resolved at2.257.0, within the vulnerable range, pulled in by three workspace packages —@aligent/cdk-domain-hosting,@aligent/cdk-esbuild, and@aligent/cdk-static-hosting— each declaring^2.257.0. Because the lower bound of that range (2.257.0) is itself vulnerable, the declared spec in each workspacepackage.jsonwas raised to^2.260.0to enforce a safe semver floor. A subsequentyarn install --mode=update-lockfileresolved the package to2.260.0and also updated the associated@aws-cdk/*asset and assembly packages that ship alongside eachaws-cdk-librelease.Version changes
axios1.16.11.18.1nx@^1.8.3fast-uri3.1.23.1.3ajv@^3.0.1aws-cdk-lib2.257.0(^2.257.0)2.260.0(^2.260.0)@aws-cdk/asset-awscli-v12.2.2732.2.282aws-cdk-libbump@aws-cdk/asset-node-proxy-agent-v62.1.12.1.2aws-cdk-libbump@aws-cdk/cloud-assembly-api2.2.42.2.6aws-cdk-libbump