
Node security updates #34

Open

erm156 wants to merge 2 commits into 2.3.3 from node-security-updates

Conversation

@erm156 erm156 commented May 7, 2026

  • addresses vulnerabilities detected in the Trivy scan that caused the build to fail
┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                            Title                            │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ fast-xml-parser (package.json) │ CVE-2026-33036 │ HIGH     │ fixed  │ 5.4.1             │ 5.5.6, 4.5.5        │ fast-xml-parser: fast-xml-parser: Denial of Service via XML │
│                                │                │          │        │                   │                     │ entity expansion bypass                                     │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-33036                  │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ flatted (package.json)         │ CVE-2026-33228 │          │        │ 3.4.1             │ 3.4.2               │ flatted: Flatted: Prototype pollution vulnerability allows  │
│                                │                │          │        │                   │                     │ arbitrary code execution via crafted JSON....               │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-33228                  │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ path-to-regexp (package.json)  │ CVE-2026-4867  │          │        │ 0.1.12            │ 0.1.13              │ path-to-regexp: path-to-regexp: Denial of Service via       │
│                                │                │          │        │                   │                     │ catastrophic backtracking from malformed URL parameters...  │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-4867                   │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ picomatch (package.json)       │ CVE-2026-33671 │          │        │ 4.0.3             │ 4.0.4, 3.0.2, 2.3.2 │ picomatch: Picomatch: Regular Expression Denial of Service  │
│                                │                │          │        │                   │                     │ via crafted extglob patterns                                │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-33671                  │
├────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ protobufjs (package.json)      │ CVE-2026-41242 │ CRITICAL │        │ 7.5.4             │ 8.0.1, 7.5.5        │ protobufjs: protobufjs: Arbitrary code execution via        │
│                                │                │          │        │                   │                     │ injected protobuf definition type fields                    │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-41242                  │
├────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ underscore (package.json)      │ CVE-2026-27601 │ HIGH     │        │ 1.13.3            │ 1.13.8              │ Underscore.js: Underscore.js: Denial of Service via         │
│                                │                │          │        │                   │                     │ recursive data structures in flatten and...                 │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-27601                  │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ undici (package.json)          │ CVE-2026-1526  │          │        │ 7.22.0            │ 6.24.0, 7.24.0      │ undici: undici: Denial of Service via unbounded memory      │
│                                │                │          │        │                   │                     │ consumption during WebSocket permessage-deflate...          │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-1526                   │
│                                ├────────────────┤          │        │                   │                     ├─────────────────────────────────────────────────────────────┤
│                                │ CVE-2026-1528  │          │        │                   │                     │ undici: undici: Denial of Service via crafted WebSocket     │
│                                │                │          │        │                   │                     │ frame with large length...                                  │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-1528                   │
│                                ├────────────────┤          │        │                   │                     ├─────────────────────────────────────────────────────────────┤
│                                │ CVE-2026-2229  │          │        │                   │                     │ undici: Undici: Denial of Service via invalid WebSocket     │
│                                │                │          │        │                   │                     │ permessage-deflate extension parameter                      │
│                                │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-2229                   │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴─────────────────────────────────────────────────────────────┘


Copilot AI left a comment


Pull request overview

Updates Node dependencies to address Trivy-detected vulnerabilities and migrates CloudFront URL signing away from the deprecated aws-sdk v2 package.

Changes:

  • Remove aws-sdk v2 usage and switch CloudFront URL signing to @aws-sdk/cloudfront-signer.
  • Upgrade express-mysql-session to v3 and morgan to v1.10.
  • Adjust CloudFront URL expiration handling to the new signer API (dateLessThan).

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File                               Description
package.json                       Replaces/updates dependencies to address security findings (adds CloudFront signer; upgrades session store + logging).
connectors/cloudFrontConnector.js  Migrates CloudFront signed URL generation from AWS SDK v2 signer to AWS SDK v3 CloudFront signer.

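The overview above describes moving CloudFront URL signing to @aws-sdk/cloudfront-signer and changing the expiration handling to its dateLessThan parameter. The following is an added example of that mapping, not code from this pull request or the project: the aws-sdk v2 Signer took `expires` as an epoch-seconds integer, while the v3 package's `getSignedUrl()` takes an absolute instant as `dateLessThan`. The `config.urlExpiresInSeconds` key and the `DEFAULT_EXPIRATION_SECONDS` value are assumptions for illustration, and the `nowMs` parameter exists only so the conversion can be tested with a fixed clock.

```javascript
// Added example (not the PR's code): converting a relative lifetime in
// seconds into the absolute `dateLessThan` expected by
// @aws-sdk/cloudfront-signer, alongside the v2-style epoch-seconds value
// for comparison. Config key name and default are assumptions.

const DEFAULT_EXPIRATION_SECONDS = 300; // assumed default: five minutes

// Resolve the configured lifetime. A plain `||` fallback would accept a
// string, NaN, or a negative number, so validate explicitly instead.
function resolveExpiresInSeconds(config) {
  const v = config && config.urlExpiresInSeconds;
  if (typeof v === "number" && Number.isFinite(v) && v > 0) return v;
  return DEFAULT_EXPIRATION_SECONDS;
}

// v2 style: what aws-sdk's CloudFront.Signer expected in `expires`
// (seconds since the Unix epoch).
function expiresEpochSeconds(config, nowMs = Date.now()) {
  return Math.floor(nowMs / 1000) + resolveExpiresInSeconds(config);
}

// v3 style: an absolute instant for `dateLessThan`, as an ISO 8601 string.
function dateLessThan(config, nowMs = Date.now()) {
  const ms = nowMs + resolveExpiresInSeconds(config) * 1000;
  return new Date(ms).toISOString();
}

// Build the options object for getSignedUrl() from @aws-sdk/cloudfront-signer.
// Keeping this separate from the signing call lets the mapping be checked
// without the package installed or a private key on hand.
function buildSignRequest({ url, keyPairId, privateKey, config, nowMs = Date.now() }) {
  if (typeof url !== "string" || !/^https:\/\//.test(url)) {
    throw new Error("CloudFront URL must be an https URL");
  }
  if (!keyPairId || !privateKey) {
    throw new Error("keyPairId and privateKey are required");
  }
  return {
    url,
    keyPairId,
    privateKey,
    dateLessThan: dateLessThan(config, nowMs),
  };
}

// The actual signing call. Requires @aws-sdk/cloudfront-signer to be
// installed, so the package is loaded lazily rather than at module load.
function signUrl(params) {
  const { getSignedUrl } = require("@aws-sdk/cloudfront-signer");
  return getSignedUrl(buildSignRequest(params));
}

// Usage (constructed values): with urlExpiresInSeconds = 60 and a fixed
// clock of 2023-11-14T22:13:20Z, dateLessThan becomes 2023-11-14T22:14:20.000Z.
const exampleRequest = buildSignRequest({
  url: "https://d111111abcdef8.cloudfront.net/private/report.pdf",
  keyPairId: "KEYPAIRID_PLACEHOLDER",
  privateKey: "-----BEGIN PRIVATE KEY-----\n...placeholder...\n-----END PRIVATE KEY-----",
  config: { urlExpiresInSeconds: 60 },
  nowMs: 1700000000000,
});
```

Only `buildSignRequest` and the two expiration helpers are exercised without the dependency; `signUrl` is the one place that touches the package, which keeps the rest of the module testable in CI before the dependency bump lands.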

const {getFileLocation} = require("../model");

function getExpiration() {
const expiresInSeconds = config.urlExpiresInSeconds || DEFAULT_EXPIRATION_SECONDS;
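Review bot: `getExpiration` resolves a relative lifetime (`expiresInSeconds`), but the overview says the new signer takes `dateLessThan`, which is an absolute expiry; make sure the function ends by converting to an instant, e.g. `new Date(Date.now() + expiresInSeconds * 1000)` (or its ISO string), rather than returning the seconds value that the v2 `expires` parameter accepted. Also, `config.urlExpiresInSeconds || DEFAULT_EXPIRATION_SECONDS` only guards falsy values; a string or a negative number from config would pass through, so validate it is a positive finite number before using it.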
Comment thread package.json
Comment on lines 11 to 15
"dependencies": {
"@aws-sdk/client-s3": "^3.67.0",
"@aws-sdk/s3-request-presigner": "^3.67.0",
"aws-sdk": "^2.906.0",
"@aws-sdk/cloudfront-signer": "^3.0.0",
"bent": "^7.3.12",
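Review bot: if `"aws-sdk": "^2.906.0"` is still in `dependencies` after this change (the snippet shows it directly beside the new `@aws-sdk/cloudfront-signer`), drop it, since the overview states v2 usage has been removed; leaving it keeps its transitive tree in the lockfile and the image, where Trivy will keep scanning it. Separately, `"@aws-sdk/cloudfront-signer": "^3.0.0"` is a much looser floor than the `^3.67.0` used for the other v3 packages; pin it to the minor actually tested so a fresh install cannot resolve to an older release than the one this migration was written against.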
@erm156 erm156 requested a review from AustinSMueller May 8, 2026 00:03