
[Aikido] Fix 3 security issues in @aws-sdk/client-sts, @aws-sdk/client-cloudfront, @aws-sdk/client-sso-oidc and 2 more #18

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-14410894-wtwL


Conversation

@aikido-autofix

Upgrades AWS SDK and js-yaml to mitigate prototype pollution vulnerabilities that could lead to remote code execution and object prototype manipulation.

✅ Code not affected by breaking changes.

The breaking change in @smithy/config-resolver (dropping Node.js 16 support) does not affect this codebase because:

  1. The codebase already uses Node.js 18+: The example-client/README.md explicitly states "You need NodeJS 18+" as a requirement.

  2. The package is already upgraded: The package-lock.json shows that @smithy/config-resolver version 4.4.6 is already installed (which is newer than the target version 4.4.0), and it requires "node": ">=18.0.0".

  3. No direct usage in source code: The package is only used as a transitive dependency (through AWS SDK packages) and is not directly imported in any TypeScript/JavaScript source files.

Since the project already requires and uses Node.js 18+, the dropped support for Node.js 16 in version 4.0.0+ has no impact on this codebase.

✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue: CVE-2025-64718
Severity: MEDIUM
Description: Prototype pollution vulnerability in js-yaml allows attackers to modify object prototypes when parsing untrusted YAML, potentially leading to remote code execution or other critical security impacts.

Issue: AIKIDO-2025-10809
Severity: MEDIUM
Description: Prototype Pollution vulnerability in YAML parsing allows attackers to inject malicious properties into object prototypes, potentially leading to remote code execution, DoS, or other security breaches through crafted input.

Issue: GHSA-6475-r3vj-m8vf
Severity: LOW
Description: An attacker could manipulate the region input field in AWS SDK for JavaScript, potentially routing API calls to unintended or non-AWS hosts, risking improper service configuration and potential security misrouting.
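The two vulnerability classes the bot's summary lists, prototype pollution through a parsed document and an attacker-controlled region string, both come down to checking untrusted input before it reaches the code that consumes a parser's output or the SDK that builds an endpoint from the region. The block below is an added example, not code from this PR, from Aikido, from js-yaml or from the AWS SDK. It assumes Node.js 18+ with no third-party packages, uses JSON.parse as a stand-in for a YAML loader (both return plain objects whose own keys are taken verbatim from the document), and the region pattern is this example's own allow-list, not the SDK's validation. The sample documents are constructed for the demonstration.

```javascript
// Added example; not code from the PR, Aikido, js-yaml or the AWS SDK.
// Assumptions: Node.js 18+, no third-party packages. JSON.parse stands in for
// a YAML loader because both hand back plain objects whose own keys come
// straight from the untrusted document.

// Own keys through which a parsed document can reach Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed object tree and collect the JSONPath-style location of every
// own key that matches DANGEROUS_KEYS. Object.getOwnPropertyNames is used
// rather than Object.keys so a non-enumerable key would not slip past.
function findPrototypeKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.getOwnPropertyNames(value)) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) found.push(childPath);
    findPrototypeKeys(value[key], childPath, found);
  }
  return found;
}

// Fail closed: parse, scan, and refuse the whole document if any dangerous
// key is present, before the object is merged into config or handed to an SDK.
function parseUntrustedDocument(text) {
  const parsed = JSON.parse(text);
  const hits = findPrototypeKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected document: prototype-reaching keys at ${hits.join(', ')}`);
  }
  return parsed;
}

// Canary: true while Object.prototype has no enumerable own properties, i.e.
// no pollution has landed in this process. Cheap enough for a health check.
function objectPrototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// AWS region ids have a fixed shape (us-east-1, eu-west-2, ap-southeast-3,
// us-gov-west-1). This pattern is the example's own allow-list, not the SDK's
// validation; it keeps dots, slashes and anything else that could turn the
// region into a hostname or path out of the endpoint the SDK builds.
const AWS_REGION_RE = /^[a-z]{2}(?:-[a-z]+){1,2}-\d{1,2}$/;

function isValidAwsRegion(candidate) {
  return typeof candidate === 'string' && AWS_REGION_RE.test(candidate);
}

// Call before constructing any client so a bad value from env, config or a
// request never reaches the SDK.
function requireAwsRegion(candidate) {
  if (!isValidAwsRegion(candidate)) {
    throw new Error(`refusing to use region ${JSON.stringify(candidate)}`);
  }
  return candidate;
}

// Constructed sample documents (not real project configuration).
const BENIGN_DOC = '{"name":"cash-register","tags":["api","example"],"meta":{"depth":2}}';
const MALICIOUS_DOC = `{
  "name": "cash-register",
  "__proto__": { "polluted": true },
  "nested": { "constructor": { "prototype": { "polluted": true } } },
  "list": [ { "__proto__": { "x": 1 } } ]
}`;

// Demonstration when run directly: node prototype-and-region-checks.js
console.log('benign hits:', findPrototypeKeys(JSON.parse(BENIGN_DOC)));
console.log('malicious hits:', findPrototypeKeys(JSON.parse(MALICIOUS_DOC)));
try {
  parseUntrustedDocument(MALICIOUS_DOC);
} catch (err) {
  console.log('rejected:', err.message);
}
console.log('prototype clean:', objectPrototypeIsClean());
for (const r of ['us-east-1', 'us-gov-west-1', 'us-east-1.attacker.example', 'US-EAST-1', '']) {
  console.log(JSON.stringify(r), '->', isValidAwsRegion(r));
}
```

The scan reports four locations in the malicious document ($.__proto__, $.nested.constructor, $.nested.constructor.prototype and $.list[0].__proto__) and none in the benign one; the region check accepts the first two candidates and rejects the rest. Upgrading the libraries, as this PR does, removes the known bugs; these checks are defence in depth at the trust boundary, and the canary gives a detection signal if pollution still lands through some other path.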

@vercel

vercel bot commented Jan 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: cash-register-api-example-client
Deployment: Error
Review: Error
Updated (UTC): Jan 22, 2026 11:45pm

