Closed
Description
Describe the bug
Enterprise customer is running the Snyk build plugin and seeing this error, which fails their builds:
10:53:23 AM: ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304] in @aws-sdk/shared-ini-file-loader@1.0.0-rc.3
10:53:23 AM: introduced by @netlify/plugin-nextjs@3.8.0 > @sls-next/lambda-at-edge@1.8.0 > @aws-sdk/client-s3@1.0.0-rc.3 > @aws-sdk/credential-provider-node@1.0.0-rc.3 > @aws-sdk/credential-provider-process@1.0.0-rc.3 > @aws-sdk/credential-provider-ini@1.0.0-rc.3 > @aws-sdk/shared-ini-file-loader@1.0.0-rc.3
This issue was fixed in versions: 1.0.0-rc.9
The issue seems to be this plugin's dependency, @sls-next/lambda-at-edge@1.8.0, which pulls in a version of aws-sdk that has a vulnerability that I'm guessing has since been fixed. @sls-next/lambda-at-edge is now at version 3.2.0. Can we bump the version up from 1.8.0?
Not sure if this is a feature request or bug report, so feel free to re-categorize!
Expected behavior
Since the Snyk plugin and this plugin are both available in the Netlify UI, they should both be able to run on sites together without issue.
Versions
- Next.js: 11.1.0
- plugin (if installed at fixed version): 3.8.0
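The reasoning in the report (read the Snyk finding, work out which package in the "introduced by" chain is the one a maintainer can actually bump, and check whether the installed version is still below the fixed one) can be automated. The following is an added example, not code from this issue or from the Netlify plugin; it parses the finding lines quoted above (constructed into a sample string here), compares semver prerelease versions such as `1.0.0-rc.3` against `1.0.0-rc.9` without any external package, and names the first direct dependency below the plugin as the bump candidate. The function names `analyzeFinding` and `compareSemver` are this example's own.

```javascript
// Added example: triage a Snyk dependency finding from its CLI output.
// Sample input is constructed from the lines quoted in the issue above.
const SAMPLE_REPORT = [
  "10:53:23 AM: ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304] in @aws-sdk/shared-ini-file-loader@1.0.0-rc.3",
  "10:53:23 AM: introduced by @netlify/plugin-nextjs@3.8.0 > @sls-next/lambda-at-edge@1.8.0 > @aws-sdk/client-s3@1.0.0-rc.3 > @aws-sdk/credential-provider-node@1.0.0-rc.3 > @aws-sdk/credential-provider-process@1.0.0-rc.3 > @aws-sdk/credential-provider-ini@1.0.0-rc.3 > @aws-sdk/shared-ini-file-loader@1.0.0-rc.3",
  "This issue was fixed in versions: 1.0.0-rc.9",
].join("\n");

// Split "name@version"; scoped names start with "@", so use the LAST "@".
function splitSpec(spec) {
  const i = spec.lastIndexOf("@");
  return { name: spec.slice(0, i), version: spec.slice(i + 1) };
}

// Minimal semver parser: major.minor.patch with optional -prerelease and +build.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Returns -1, 0 or 1 following semver 2.0 precedence rules, including the
// prerelease rules that make 1.0.0-rc.3 < 1.0.0-rc.9 < 1.0.0.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.main[i] !== B.main[i]) return A.main[i] < B.main[i] ? -1 : 1;
  }
  // A release version outranks any prerelease of the same x.y.z.
  if (A.pre.length === 0 || B.pre.length === 0) {
    return Number(B.pre.length > 0) - Number(A.pre.length > 0);
  }
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= A.pre.length) return -1; // shorter prerelease list sorts first
    if (i >= B.pre.length) return 1;
    const x = A.pre[i], y = B.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum) {
      return -1; // numeric identifiers sort before alphanumeric ones
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Parse one finding (title/severity/URL/package, dependency path, fix versions)
// and decide whether the installed version is still vulnerable and which
// direct dependency of the root package is the natural one to bump.
function analyzeFinding(report) {
  const head = /✗ (.+?) \[(\w+) Severity\]\[([^\]]+)\] in (\S+)$/m.exec(report);
  const chain = /introduced by (.+)$/m.exec(report);
  const fixed = /fixed in versions?: (.+)$/m.exec(report);
  if (!head || !chain || !fixed) throw new Error("unrecognised Snyk output");

  const { name, version } = splitSpec(head[4]);
  const path = chain[1].split(" > ").map(splitSpec);
  const fixedIn = fixed[1].split(/,\s*/);

  // Vulnerable unless the installed version is at or above some listed fix.
  // (Real advisories may list one fix per major line; this keeps the rule simple.)
  const stillVulnerable = !fixedIn.some((f) => compareSemver(version, f) >= 0);

  // path[0] is the root package being scanned (here the plugin itself), so the
  // first entry after it is the dependency its maintainers can bump directly.
  const bumpCandidate = path.length > 1 ? path[1] : path[0];

  return { title: head[1], severity: head[2], url: head[3], name, version, fixedIn, path, stillVulnerable, bumpCandidate };
}

const result = analyzeFinding(SAMPLE_REPORT);
console.log(`${result.name}@${result.version} vulnerable: ${result.stillVulnerable}`);
console.log(`bump candidate: ${result.bumpCandidate.name}@${result.bumpCandidate.version}`);
```

Run with `node triage.js` (any filename works); against the sample it reports the loader at `1.0.0-rc.3` as still vulnerable and names `@sls-next/lambda-at-edge@1.8.0` as the dependency to bump, which is the conclusion the report reaches by hand. The hand-rolled comparator exists only so the example runs without installing the `semver` package; in a real build script the published `semver` module is the better choice.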