Possible vulnerability CVE-2021-4279 because of ajv-merge-patch / fast-json-patch about serverless-appsync-plugin HOT 2 OPEN

Hi Josh,

Thanks for raising this. I'll have a look.

Do you have any concerns about this in the context of this plugin?

I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.

With that said, we probably could get rid of that dependency. $merge is only used here. I'm sure we could find a replacement for it.

from serverless-appsync-plugin.

I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.

We worry about the security of our CI/CD pipeline, since it handles valuable credentials to our cloud hosting environment and codebase. Not to mention that we would like to trust the generated artifacts.

Do you have any concerns about this in the context of this plugin?

As far as I understand, there could only possibly be an actual vulnerability if untrusted input can somehow reach the $merge. I don't think that is possible in my environment. So the issue is really just a nuisance. In my case, I will have to report the alert and explain why it isn't important to some of our customers.

If you want, I could publish a patched version of ajv-merge-patch. Solving the alert there is trivial. serverless-appsync-plugin could upgrade to use the patched replacement for ajv-merge-patch.

from serverless-appsync-plugin.