Describe the bug
The AWS CDK has a transitive dependency on the vm2 library.
aws-cdk → proxy-agent → pac-proxy-agent → pac-resolver → degenerator → vm2
This library is no longer maintained, as noted on the GitHub repository:
"The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued."
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F
It also has unpatched critical security issues, for example: CVE-2023-37466
Expected Behavior
yarn audit reports no critical vulnerabilities.
Current Behavior
yarn audit reports 4 critical vulnerabilities, all on the vm2 library.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18
OS
Linux
Language
TypeScript
Language Version
No response
Other information
No response
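Added example (not part of the original issue and not AWS CDK code): one way to confirm which dependency chain pulls vm2 into a project is to parse the yarn.lock (v1 format) and walk it from a direct dependency to the flagged package. The lockfile text below is constructed from the chain quoted in the issue with placeholder versions, and the function names `parseYarnLockV1` and `findChains` are hypothetical.

```javascript
// Constructed sample: the chain from the issue, rendered as yarn.lock v1 entries.
// Versions ("0.0.0") are placeholders, not the real resolved versions.
const CHAIN = ["aws-cdk", "proxy-agent", "pac-proxy-agent", "pac-resolver", "degenerator", "vm2"];
const SAMPLE_LOCK = "# yarn lockfile v1\n\n" + CHAIN.map((name, i) =>
  `${name}@^0.0.0:\n  version "0.0.0"\n` +
  (CHAIN[i + 1] ? `  dependencies:\n    ${CHAIN[i + 1]} "^0.0.0"\n` : "")
).join("\n");

// Parse yarn.lock v1 text into Map(name -> Set of dependency names).
// Simplification: entries for different versions of one package are merged.
function parseYarnLockV1(text) {
  const graph = new Map();
  let current = null;
  let inDeps = false;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header: comma-separated "name@range" specs ending in ":".
      const spec = line.replace(/:$/, "").split(",")[0].trim().replace(/^"|"$/g, "");
      current = spec.slice(0, spec.lastIndexOf("@")); // keeps the "@" of scoped names
      if (!graph.has(current)) graph.set(current, new Set());
      inDeps = false;
    } else if (/^  \S/.test(line)) {
      // Two-space keys: only the dependency sections matter here.
      inDeps = /^  (dependencies|optionalDependencies):$/.test(line);
    } else if (inDeps && current) {
      const m = line.match(/^    "?([^"\s]+)"?\s/);
      if (m) graph.get(current).add(m[1]);
    }
  }
  return graph;
}

// Depth-first search for every chain from `root` to `target` (cycle-safe).
function findChains(graph, root, target, path = [root], out = []) {
  if (root === target) {
    out.push(path.join(" → "));
    return out;
  }
  for (const dep of graph.get(root) || []) {
    if (!path.includes(dep)) findChains(graph, dep, target, [...path, dep], out);
  }
  return out;
}

console.log(findChains(parseYarnLockV1(SAMPLE_LOCK), "aws-cdk", "vm2"));
```

On a real checkout, `yarn why vm2` answers the same question from the installed tree.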