# sst
r
NPM is flagging there’s a critical vulnerability in the aws-cdk package from vm2 - issue here I’m not actually directly referencing specifically aws-cdk, and I have to be honest, it’s not clear to me how AWS is now doing its dependencies in regard to @aws-cdk, aws-cdk-lib etc. I’m wondering if an update to a later version of the aws-cdk (and therefore @aws-cdk/aws-apigatewayv2-authorizers-alpha etc) would resolve this? More generally, what’s the release strategy for new versions of aws-cdk-lib?
f
Hey @Ross Coundon, I ran a dependency check and the dep tree for vm2 looks like
```text
@serverless-stack/cli@0.60.8
└─┬ aws-cdk@2.7.0
  └─┬ proxy-agent@5.0.0
    └─┬ pac-proxy-agent@5.0.0
      └─┬ pac-resolver@5.0.0
        └─┬ degenerator@3.0.1
          └── vm2@3.9.5
```
`degenerator` fixed the `vm2` vulnerability in 3.0.2, but `pac-resolver` hasn't updated its dep to use the newer `degenerator`.
A temporary solution now might be to pin `vm2` in your package.json:
```json
"resolutions": {
  "vm2": "3.9.9"
},
```
> More generally, what's the release strategy for new versions of aws-cdk-lib?

Currently it's still request based. But it makes sense that we automate this process using GitHub Actions. 🤔
c
Stupid question but if the vulnerable dependency is in `@serverless-stack/cli@0.60.8` then can this not just be put in `devDependencies`? If it's in `devDependencies` npm audit won't flag it. But more importantly the vulnerable code won't be in your production app so effectively the risk will be managed.
f
@thdxr as you are working on cleaning up the dependencies, should we move the `cli` to `devDependencies` in our templates?
t
I actually did this in the PR today; I moved all sst stuff into dev deps.