[Aikido] Fix 4 security issues in lodash, js-yaml, @asyncapi/parser and 7 more#21

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-14983361-iQef

Conversation

@aikido-autofix

Upgrades multiple dependencies to address prototype pollution, YAML parsing, and AWS SDK configuration vulnerabilities that could enable remote code execution and improper API routing.

✅ Code not affected by breaking changes.

No breaking changes from either package upgrade affect this codebase.

js-yaml (3.14.1 => 4.1.1):

  • The codebase does not directly import or use js-yaml

  • js-yaml is only used as a transitive dependency through @asyncapi/parser@2.1.2

  • The installed version of @asyncapi/parser@2.1.2 already depends on js-yaml@^4.1.0

  • The package.json includes an override forcing js-yaml@<=4.1.1 to use version 4.1.1, meaning the codebase is already using js-yaml 4.x

  • No code uses deprecated methods like safeLoad, safeDump, DEFAULT_SAFE_SCHEMA, or Schema.create

@smithy/config-resolver (3.0.12 => 4.4.0):

  • This package is not directly used in the codebase

  • It appears only as a transitive dependency in AWS SDK packages

  • The codebase does not import or use any AWS SDK packages

  • The breaking change (dropping Node.js 16 support) is not relevant since the package is not directly used

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue                 Severity  Description
CVE-2025-13465        MEDIUM    Prototype pollution vulnerability in Lodash allows attackers to delete methods from global object prototypes via crafted paths in _.unset and _.omit, potentially disrupting application behavior.
CVE-2025-64718        MEDIUM    Prototype pollution vulnerability in js-yaml allows attackers to modify object prototypes when parsing untrusted YAML, potentially leading to remote code execution or other critical security impacts.
AIKIDO-2025-10809     MEDIUM    Prototype Pollution vulnerability in YAML parsing allows attackers to inject malicious properties into object prototypes, potentially leading to remote code execution, DoS, or other security breaches through crafted input.
GHSA-6475-r3vj-m8vf   LOW       Potential misconfiguration in AWS SDK allows improper routing of API calls by setting invalid region values, which could lead to unintended endpoint connections or misrouted service requests.
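The PR description reasons about which copy of js-yaml is actually installed (a direct copy, a transitive copy under @asyncapi/parser, and a package.json override). A reviewer verifying that claim would audit the lockfile rather than trust it. The script below is an added example, not part of the Aikido PR or the repository's code: it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), including nested copies under node_modules/<parent>/node_modules/<pkg>, and flags every installed copy below the minimum version the PR names. The lock data is constructed for illustration; lodash is left out because the PR does not state its fixed version.

```javascript
// Minimum safe versions taken from the PR description (js-yaml 4.1.1, @smithy/config-resolver 4.4.0).
const MINIMUMS = {
  "js-yaml": "4.1.1",
  "@smithy/config-resolver": "4.4.0",
};

// Numeric "x.y.z" comparison; a pre-release suffix is ignored (assumption: none matter for these packages).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is everything after the LAST "node_modules/" segment, so nested
// copies and scoped names (@scope/name) are both handled.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns one {path, version, minimum} record per installed copy that is below its minimum.
function findOutdatedCopies(lock, minimums = MINIMUMS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ path: key, version: entry.version, minimum: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level js-yaml is on 4.1.1, but a nested copy under
// @asyncapi/parser is still on the 3.x line, which an override on the root alone would not reveal.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/js-yaml": { version: "4.1.1" },
    "node_modules/@asyncapi/parser": { version: "2.1.2" },
    "node_modules/@asyncapi/parser/node_modules/js-yaml": { version: "3.14.1" },
    "node_modules/@smithy/config-resolver": { version: "3.0.12" },
  },
};

for (const f of findOutdatedCopies(SAMPLE_LOCK)) {
  console.log(`${f.path}: installed ${f.version}, minimum ${f.minimum}`);
}
```

To audit a real repository, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json.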


vercel bot commented Jan 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                            Deployment  Actions  Updated (UTC)
cash-register-api-example-client   Error       Error    Jan 29, 2026 11:44pm


3 Open source vulnerabilities detected - high severity
Aikido detected 3 vulnerabilities across 2 packages; they include 2 high and 1 low vulnerabilities.

Remediation Aikido suggests bumping the vulnerable packages to a safe version.
View details in Aikido Security

@aikido-autofix aikido-autofix bot closed this Feb 1, 2026
