Describe the bug
aws-cdk-lib currently depends (transitively) on a vulnerable version of minimatch (<10.2.1), which is affected by a high severity ReDoS vulnerability:
- Advisory: GHSA-3ppc-4f35-3m26
- Description: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
- Severity: High
This vulnerability is flagged by npm audit in projects using aws-cdk-lib.
Affected dependency tree:
From npm audit:
minimatch <10.2.1
Severity: high
node_modules/aws-cdk-lib/node_modules/minimatch
aws-cdk-lib depends on vulnerable versions of minimatch.
Expected Behavior
aws-cdk-lib should upgrade to a non-vulnerable version of minimatch (>= 10.2.1), or update the dependency chain so that vulnerable versions are no longer pulled in.
Current Behavior
A high severity vulnerability in minimatch, which is a transitive dependency of aws-cdk-lib, is causing npm audit checks to fail.
minimatch <10.2.1
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
node_modules/aws-cdk-lib/node_modules/minimatch
...
aws-cdk-lib *
Depends on vulnerable versions of minimatch
node_modules/aws-cdk-lib
cdk-cross-account-route53 *
Depends on vulnerable versions of aws-cdk-lib
node_modules/cdk-cross-account-route53
cdk-nag >=2.0.0
Depends on vulnerable versions of aws-cdk-lib
node_modules/cdk-nag
Reproduction Steps
Run npm audit
Possible Solution
No response
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.236.0
AWS CDK CLI version
2.1104.0
Node.js Version
22.20.0
OS
Debian GNU/Linux 13 (trixie)
Language
TypeScript
Language Version
No response
Other information
No response