Comments (2)
Hi Josh,
Thanks for raising this. I'll have a look.
Do you have any concerns about this in the context of this plugin?
I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.
With that said, we probably could get rid of that dependency. $merge is only used here. I'm sure we could find a replacement for it.
from serverless-appsync-plugin.
I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.
We worry about the security of our CI/CD pipeline, since it handles valuable credentials to our cloud hosting environment and codebase. Not to mention that we would like to trust the generated artifacts.
Do you have any concerns about this in the context of this plugin?
As far as I understand, there could only possibly be an actual vulnerability if untrusted input can somehow reach the $merge. I don't think that is possible in my environment. So the issue is really just a nuisance. In my case, I will have to report the alert and explain why it isn't important to some of our customers.
If you want, I could publish a patched version of ajv-merge-patch. Solving the alert there is trivial. serverless-appsync-plugin could upgrade to use the patched replacement for ajv-merge-patch.