Some critical dependency checks due to packages cls-hooked and async-hook-jl
00cloudtica opened this issue · 2 comments
our vulnerability scans report the following critical findings ("aws-xray-sdk": "3.3.4"):
https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2021-23807
https://security.snyk.io/vuln/SNYK-JS-JSONPOINTER-598804
https://security.snyk.io/vuln/SNYK-JS-LODASH-590103
GHSA-jf85-cpcp-j695
These are due to jsonpointer + lodash
Coming from package async-hook-jl@1.7.6:
npm list --prod --all | less
├─┬ aws-xray-sdk@3.3.4
│ ├─┬ aws-xray-sdk-core@3.3.4
│ │ ├── @aws-sdk/service-error-classification@3.53.0 deduped
│ │ ├── @aws-sdk/types@3.53.0 deduped
│ │ ├─┬ @types/cls-hooked@4.3.3
│ │ │ └── @types/node@14.18.12 deduped
│ │ ├── atomic-batcher@1.0.2
│ │ ├─┬ cls-hooked@4.2.2
│ │ │ ├─┬ async-hook-jl@1.7.6
...
Hi @00cloudtica,
Can you provide a complete output of the dependency list you're seeing? aws-xray-sdk-core doesn't have a dependency on lodash AFAIK. Furthermore, the package you called out, async-hook-jl, only has 1 dependency total according to its NPM page: https://www.npmjs.com/package/async-hook-jl
Hi @willarmiros
Thanks for the fast response
I've just double-checked; it looks like a false positive, simply coming from the contents of this file:
usr/src/app/node_modules/async-hook-jl/yarn.lock
SNYK report:
Affected packages
Name: jsonpointer
Version: 0:4.0.1
Package manager: YARN
File path: usr/src/app/node_modules/async-hook-jl/yarn.lock
Conclusion: false positive, I can/will suppress it within the tooling