Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

@cdktf/cli-core: Zod denial of service vulnerability #3195

Closed
1 task
xiehan opened this issue Oct 17, 2023 · 1 comment · Fixed by #3200
Closed
1 task

@cdktf/cli-core: Zod denial of service vulnerability #3195

xiehan opened this issue Oct 17, 2023 · 1 comment · Fixed by #3200
Labels
bug Something isn't working

Comments

@xiehan
Copy link
Member

xiehan commented Oct 17, 2023

Expected Behavior

Installing CDKTF does not generate security alerts on my repository.

Actual Behavior

https://github.com/hashicorp/cdktf-aws-cdk/security/dependabot/86

Steps to Reproduce

  1. Turn on Dependabot security alerts on your repository
  2. Install cdktf-cli in your project and push
  3. Watch the security alert get created

Versions

cdktf-cli: 0.19.0

Providers

No response

Gist

No response

Possible Solutions

Upgrade the dependency on zod in @cdktf/cli-core to version ^3.22.3.

Workarounds

No response

Anything Else?

This vulnerability is classified as Low severity, but we should still be good citizens and try to address this as part of our next patch release.

References

Help Wanted

  • I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@xiehan xiehan added bug Something isn't working new Un-triaged issue labels Oct 17, 2023
DanielMSchmidt added a commit that referenced this issue Oct 20, 2023
@DanielMSchmidt
chore: update zod
1551a37 
Fixes #3195
@DanielMSchmidt DanielMSchmidt mentioned this issue Oct 20, 2023
Merged
github-merge-queue bot pushed a commit that referenced this issue Nov 2, 2023
@DanielMSchmidt
chore: update zod
8342547 
Fixes #3195
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 3, 2023

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 3, 2023
@DanielMSchmidt DanielMSchmidt removed the new Un-triaged issue label Jan 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: update zod hashicorp/terraform-cdk
2 participants
@xiehan @DanielMSchmidt