Skip to content

fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes #14814

Description

@anthony-nhs

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Storage

Amplify Version

v6

Amplify Categories

Not applicable

Backend

Other

Environment information

Details
# Put output below this line


Describe the bug

aws-amplify has a dependency on fast-xml-parser

fast-xml-parser 5.7.2 has a dependency on fast-xml-builder version 1.1.5 which has a security vulnerability - GHSA-5wm8-gmm8-39j9

This is resolved in fast-xml-parser 5.7.3 - https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.7.3

Expected behavior

aws-amplify should not depend on vulnerable versions of fast-xml-builder

Reproduction steps

install eg: npm i aws-amplify
run npm audit

Code Snippet

// Put your code below this line.

Log output

Details
// Put your logs below this line


aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    StorageRelated to Storage components/categorybugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions