Dependency Vulnerabilities Report

This document lists security vulnerabilities identified in project dependencies through pnpm audit. These issues require remediation to maintain a secure codebase.

High Severity Vulnerabilities

1. Prototype Pollution in SheetJS (xlsx)

  • Severity: High
  • Package: xlsx
  • Vulnerable versions: < 0.19.3
  • Patched versions: >= 0.19.3
  • Affected paths: Multiple paths in b4m-core utils
  • Advisory link: https://github.com/advisories/GHSA-4r6h-8v6p-xvw6
  • Remediation: Update xlsx to version 0.19.3 or later

2. Regular Expression Denial of Service (ReDoS) in SheetJS (xlsx)

  • Severity: High
  • Package: xlsx
  • Vulnerable versions: < 0.20.2
  • Patched versions: >= 0.20.2
  • Affected paths: Multiple paths in b4m-core utils
  • Advisory link: https://github.com/advisories/GHSA-5pgg-2g8v-p4x9
  • Remediation: Update xlsx to version 0.20.2 or later

3. SSRF and Credential Leakage in axios

  • Severity: High
  • Package: axios
  • Vulnerable versions: >= 1.0.0 < 1.8.2
  • Patched versions: >= 1.8.2
  • Affected paths: packages/client > axios@1.7.9
  • Advisory link: https://github.com/advisories/GHSA-jr5f-v2jv-69x6
  • Remediation: Update axios to version 1.8.2 or later

Moderate Severity Vulnerabilities

1. esbuild Development Server CORS Vulnerability

  • Severity: Moderate
  • Package: esbuild
  • Vulnerable versions: <= 0.24.2
  • Patched versions: >= 0.25.0
  • Affected paths: Multiple paths via sst@2.43.3
  • Advisory link: https://github.com/advisories/GHSA-67mh-4wv8-2f99
  • Remediation: Update esbuild to version 0.25.0 or later

2. PrismJS DOM Clobbering Vulnerability

  • Severity: Moderate
  • Package: prismjs
  • Vulnerable versions: < 1.30.0
  • Patched versions: >= 1.30.0
  • Affected paths: Via react-syntax-highlighter
  • Advisory link: https://github.com/advisories/GHSA-x7hr-w5r2-h6wg
  • Remediation: Update prismjs to version 1.30.0 or later

3. Babel RegExp Complexity Issue with Named Capture Groups

  • Severity: Moderate
  • Package: @babel/runtime and @babel/helpers
  • Vulnerable versions: < 7.26.10
  • Patched versions: >= 7.26.10
  • Affected paths: Multiple paths via mathjs and other dependencies
  • Advisory link: https://github.com/advisories/GHSA-968p-4wvh-cqc8
  • Remediation: Update @babel packages to version 7.26.10 or later

4. Fast-JWT Improper Validation of Issuer Claims

  • Severity: Moderate
  • Package: fast-jwt
  • Vulnerable versions: < 5.0.6
  • Patched versions: >= 5.0.6
  • Affected paths: Via sst@2.43.3
  • Advisory link: https://github.com/advisories/GHSA-gm45-q3v2-6cf8
  • Remediation: Update fast-jwt to version 5.0.6 or later

5. AWS CDK Sensitive Information Logging

  • Severity: Moderate
  • Package: aws-cdk-lib
  • Vulnerable versions: >= 2.37.0 < 2.187.0
  • Patched versions: >= 2.187.0
  • Affected paths: Via sst@2.43.3
  • Advisory link: https://github.com/advisories/GHSA-qq4x-c6h6-rfxh
  • Remediation: Update aws-cdk-lib to version 2.187.0 or later

Low Severity Vulnerabilities

1. AWS CDK IAM OIDC Custom Resource Issue

  • Severity: Low
  • Package: aws-cdk-lib
  • Vulnerable versions: < 2.177.0
  • Patched versions: >= 2.177.0
  • Affected paths: Via sst@2.43.3
  • Advisory link: https://github.com/advisories/GHSA-v4mq-x674-ff73
  • Remediation: Update aws-cdk-lib to version 2.177.0 or later

2. AWS CDK CodePipeline Overly Broad Trusted Entities

  • Severity: Low
  • Package: aws-cdk-lib
  • Vulnerable versions: < 2.189.0
  • Patched versions: >= 2.189.0
  • Affected paths: Via sst@2.43.3
  • Advisory link: https://github.com/advisories/GHSA-5pq3-h73f-66hr
  • Remediation: Update aws-cdk-lib to version 2.189.0 or later

Remediation Plan

  1. High Priority (This Week):

     • Update axios to version 1.8.2 or later
     • Update xlsx to version 0.20.2 or later (covers both SheetJS advisories)

  2. Medium Priority (Next Two Weeks):

     • Update babel-related packages to version 7.26.10 or later
     • Update prismjs (via react-syntax-highlighter) to version 1.30.0 or later

  3. Low Priority (Next Sprint):

     • Update aws-cdk-lib to version 2.189.0 or later (will resolve all CDK issues)
     • Update other SST dependencies including esbuild and fast-jwt
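To confirm that an upgrade actually left the vulnerable range rather than trusting the version bump, the following added example (not part of this report or of pnpm) evaluates the "Vulnerable versions" expressions used above against installed versions. It assumes plain dotted numeric versions; a pre-release suffix is ignored in the comparison, and the sample advisory rows and installed versions are constructed from the entries in this report.

```javascript
// Parse "1.8.2", "v0.24.2" or "2.187.0-beta.1" into [major, minor, patch].
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison per component: "2.37.0" < "2.187.0" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  "<": (c) => c < 0, "<=": (c) => c <= 0,
  ">": (c) => c > 0, ">=": (c) => c >= 0, "=": (c) => c === 0,
};

// A range such as ">= 1.0.0 < 1.8.2" is a conjunction of comparators.
function isVulnerable(installed, vulnerableRange) {
  const re = /(<=|>=|<|>|=)\s*v?(\d+(?:\.\d+)*(?:[-+][\w.]+)?)/g;
  const clauses = [...vulnerableRange.matchAll(re)];
  if (clauses.length === 0) throw new Error(`unparseable range: ${vulnerableRange}`);
  return clauses.every(([, op, bound]) => OPS[op](compareVersions(installed, bound)));
}

// Constructed sample rows taken from the report's entries.
const ADVISORIES = [
  { pkg: "axios", vulnerable: ">= 1.0.0 < 1.8.2", patched: ">= 1.8.2" },
  { pkg: "esbuild", vulnerable: "<= 0.24.2", patched: ">= 0.25.0" },
  { pkg: "xlsx", vulnerable: "< 0.20.2", patched: ">= 0.20.2" },
  { pkg: "aws-cdk-lib", vulnerable: ">= 2.37.0 < 2.187.0", patched: ">= 2.187.0" },
];

// installed: { pkg: version } as one would extract from the lockfile. Returns
// one message per advisory that still matches; an empty array means clean.
function findVulnerable(installed, advisories = ADVISORIES) {
  return advisories
    .filter((a) => installed[a.pkg] && isVulnerable(installed[a.pkg], a.vulnerable))
    .map((a) => `${a.pkg}@${installed[a.pkg]} matches ${a.vulnerable}; need ${a.patched}`);
}
```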

Dependency Update Strategy

When updating dependencies, follow these steps:

  1. Create a separate PR for high-priority updates
  2. Test thoroughly after updates, especially for xlsx and axios, which may have API changes
  3. For AWS CDK updates, ensure all infrastructure deploys correctly after updates
  4. Run comprehensive test suite to catch any regressions
  5. Document any API changes that required code modifications

Vulnerability Analysis

Most vulnerabilities are in transitive dependencies brought in by:

  • SST framework (aws-cdk-lib, esbuild, fast-jwt)
  • React component libraries (prismjs via react-syntax-highlighter)
  • Core utilities (xlsx via b4m-core/utils)

Direct dependencies requiring updates:

  • axios: Used for HTTP requests throughout the application
  • xlsx: Used in core utilities for spreadsheet operations

Additional Notes

  • The SheetJS vulnerabilities affect Excel file processing capabilities and should be prioritized if the application processes user-uploaded Excel files
  • Note that SheetJS no longer publishes xlsx releases to the public npm registry (the npm package stops at 0.18.5), so the patched 0.19.3 and 0.20.2 releases have to be installed from the vendor's own distribution; the xlsx remediation is therefore not a plain version bump and should be verified against the installed version in the lockfile
  • The axios SSRF vulnerability is particularly concerning for server-side code making HTTP requests based on user input
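For the server-side axios case noted above, the following added example (not part of this report or of axios) is a guard that refuses any user-supplied path that would resolve to a different origin than the configured base URL, or that escapes the base path prefix, before the value reaches an axios call. The base URL is a constructed sample, and the prefix rule is an assumption about what the application wants.

```javascript
// Constructed sample base; in the application this is the axios baseURL.
const API_BASE = "https://api.internal.example/v1/";

// Resolve userPath the way a browser resolves a link against API_BASE and
// return the absolute URL string, or throw if the result would leave the
// API origin (absolute URL, protocol-relative "//host", other scheme) or
// the base path prefix ("../admin"). Passing the returned absolute URL to
// axios is safe regardless of how the installed version treats absolute
// URLs, because it has already been checked to stay on the API origin.
function resolveOnBase(userPath, base = API_BASE) {
  if (typeof userPath !== "string" || userPath.length === 0) {
    throw new Error("path must be a non-empty string");
  }
  if (userPath.startsWith("//")) {
    throw new Error(`protocol-relative path refused: ${userPath}`);
  }
  const baseUrl = new URL(base);
  // A single leading "/" means "under the API prefix", matching how app code
  // normally writes axios paths; strip it so it resolves relative to base.
  const relative = userPath.startsWith("/") ? userPath.slice(1) : userPath;
  let target;
  try {
    target = new URL(relative, baseUrl);
  } catch {
    throw new Error(`invalid path: ${userPath}`);
  }
  if (target.origin !== baseUrl.origin) {
    throw new Error(`path escapes API origin: ${userPath}`);
  }
  if (!target.pathname.startsWith(baseUrl.pathname)) {
    throw new Error(`path escapes API prefix: ${userPath}`);
  }
  return target.toString();
}

// Boolean form for request validation middleware.
function isSafeApiPath(userPath, base = API_BASE) {
  try {
    resolveOnBase(userPath, base);
    return true;
  } catch {
    return false;
  }
}

// Usage (assumed axios instance named client): client.get(resolveOnBase(req.query.path))
```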