Comments (4)
This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label.
from aws-cdk-github-oidc.
@igibek Hello!
Can you please share more details about this vulnerability? We plan to use this library in our project, so we want to make sure it doesn't contain any major security bugs.
Thanks in advance!
@igibek the private vulnerability reporting has now been enabled.
@shirk3ysiili I'm pretty sure that the vulnerability is one of the dependency vulnerabilities also found by Dependabot alerts (as often these kinds of issues are opened automatically by security research companies when they run security analysis tools that can be compared to Dependabot). Unfortunately I've missed those as Dependabot PRs haven't been enabled for some reason (they were previously, not sure what happened, maybe I've accidentally disabled those).
- At a really quick glance it seems the vulnerabilities do not affect the deployed configurations in any way, but instead require that some untrusted code would be calling the affected dependencies of this construct (which shouldn't be the case when you're running CDK in a trusted environment).
- That being said, I'll patch these soon: #25
I'm closing this issue as the original issue (enabling private vuln reporting) is done and also the current vulns are now patched via #28.