aws/aws-xray-sdk-node

some critical dependency checks due to package cls-hooked and async-hook-jl

00cloudtica opened this issue · 2 comments

Our vulnerability scans report the following critical findings ("aws-xray-sdk": "3.3.4"):

https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2021-23807
https://security.snyk.io/vuln/SNYK-JS-JSONPOINTER-598804
https://security.snyk.io/vuln/SNYK-JS-LODASH-590103
GHSA-jf85-cpcp-j695

These are due to jsonpointer + lodash.

Coming from package async-hook-jl@1.7.6:
npm list --prod --all | less

├─┬ aws-xray-sdk@3.3.4
│ ├─┬ aws-xray-sdk-core@3.3.4
│ │ ├── @aws-sdk/service-error-classification@3.53.0 deduped
│ │ ├── @aws-sdk/types@3.53.0 deduped
│ │ ├─┬ @types/cls-hooked@4.3.3
│ │ │ └── @types/node@14.18.12 deduped
│ │ ├── atomic-batcher@1.0.2
│ │ ├─┬ cls-hooked@4.2.2
│ │ │ ├─┬ async-hook-jl@1.7.6
...

Hi @00cloudtica,

Can you provide a complete output of the dependency list you're seeing? aws-xray-sdk-core doesn't have a dependency on lodash AFAIK. Furthermore, the package you called out, async-hook-jl, only has 1 dependency total according to its NPM page: https://www.npmjs.com/package/async-hook-jl

Hi @willarmiros

Thanks for the fast response.
I've just double-checked; looks like a false positive, simply coming from file contents:
usr/src/app/node_modules/async-hook-jl/yarn.lock

SNYK report:
Affected packages
Name: jsonpointer
Version: 0:4.0.1
Package manager: YARN
File path: usr/src/app/node_modules/async-hook-jl/yarn.lock

Conclusion: false positive, I can/will suppress within tooling.