
Possible vulnerability CVE-2021-4279 because of ajv-merge-patch / fast-json-patch

Open joshuanapoli opened this issue 1 year ago • 2 comments

serverless-appsync-plugin depends on ajv-merge-patch@^5.0.1, which depends on fast-json-patch@^2.0.6, which leads to a CVE-2021-4279 alert for projects that depend on serverless-appsync-plugin.

ajv-merge-patch#55 would solve the problem, but the maintainer hasn't merged it in a year.

Can serverless-appsync-plugin switch away from ajv-merge-patch or move to a fork with the updated dependency?

joshuanapoli, Feb 28 '24 22:02

Hi Josh,

Thanks for raising this. I'll have a look.

Do you have any concerns about this in the context of this plugin?

I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.

With that said, we probably could get rid of that dependency. $merge is only used here. I'm sure we could find a replacement for it.

bboure, Feb 29 '24 06:02

> I am no expert in security, but my thinking is that this plugin is meant to be a dev dependency that runs on a local machine/CI/CD pipeline. So I would not worry too much about it.

We worry about the security of our CI/CD pipeline, since it handles valuable credentials to our cloud hosting environment and codebase. Not to mention that we would like to trust the generated artifacts.

> Do you have any concerns about this in the context of this plugin?

As far as I understand, there could only possibly be an actual vulnerability if untrusted input can somehow reach the $merge. I don't think that is possible in my environment. So the issue is really just a nuisance. In my case, I will have to report the alert and explain why it isn't important to some of our customers.

If you want, I could publish a patched version of ajv-merge-patch. Solving the alert there is trivial. serverless-appsync-plugin could upgrade to use the patched replacement for ajv-merge-patch.

joshuanapoli, Mar 01 '24 18:03
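The thread turns on two questions a scanner alert does not answer by itself: through which dependency paths does fast-json-patch reach the project, and is every one of those paths dev-only (the "it only runs in CI" argument)? The script below is an added example, not code from this issue or from the serverless-appsync-plugin project. It walks an npm lockfile (lockfileVersion 2/3 `packages` map), lists every chain from the root to a target package, and reports whether the installed copy is below a fix version and whether npm marked it `dev`. The lockfile is constructed for illustration and its version numbers are made up; `FIXED_VERSION` is taken as 3.1.1, the version the CVE-2021-4279 record cites as fixed, and should be checked against the advisory before being relied on.

```javascript
// Added example: trace transitive dependency chains in an npm lockfile and
// classify each path to a flagged package. Not part of the original thread.

// Constructed lockfile (lockfileVersion 3 shape). Versions are illustrative.
const SAMPLE_LOCK = {
  name: "my-service",
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "serverless-appsync-plugin": "^2.0.0" } },
    "node_modules/serverless-appsync-plugin": {
      version: "2.0.0", dev: true, dependencies: { "ajv-merge-patch": "^5.0.1" },
    },
    "node_modules/ajv-merge-patch": {
      version: "5.0.1", dev: true, dependencies: { "fast-json-patch": "^2.0.6" },
    },
    "node_modules/fast-json-patch": { version: "2.2.1", dev: true },
  },
};

// Assumption: first fixed release for CVE-2021-4279. Verify against the advisory.
const FIXED_VERSION = "3.1.1";

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix.
function pkgName(path) {
  const i = path.lastIndexOf("node_modules/");
  return i < 0 ? path : path.slice(i + "node_modules/".length);
}

// npm resolution: look for the dependency nested under the requiring package,
// then walk up one node_modules level at a time until the top-level tree.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("node_modules/");
    if (i < 0) return null; // workspace paths outside node_modules are not handled
    base = base.slice(0, i).replace(/\/$/, "");
  }
}

// Depth-first walk from the root entry; returns every chain ending at `target`.
function findChains(lock, target) {
  const packages = lock.packages;
  const results = [];
  const visit = (path, chain, seen) => {
    const entry = packages[path];
    if (!entry || seen.has(path)) return; // missing entry or cycle on this chain
    const onChain = new Set(seen).add(path);
    const label = path === "" ? lock.name : `${pkgName(path)}@${entry.version}`;
    const next = [...chain, label];
    if (path !== "" && pkgName(path) === target) {
      results.push({ chain: next, version: entry.version, dev: Boolean(entry.dev) });
      return;
    }
    // devDependencies are only installed for the root; optional deps count as installed.
    const deps = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      ...(path === "" ? entry.devDependencies || {} : {}),
    };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, dep);
      if (resolved) visit(resolved, next, onChain);
    }
  };
  visit("", [], new Set());
  return results;
}

// Minimal x.y.z comparison; a prerelease tag is ignored, which is conservative
// (3.1.1-rc.1 is treated as 3.1.1, i.e. as fixed, so check such cases by hand).
function isBelow(version, fixed) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const a = parse(version), b = parse(fixed);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// One row per chain: the path, whether it is still below the fix, and whether
// npm marked the installed copy as dev-only (i.e. absent from a production install).
function report(lock, target, fixedVersion) {
  return findChains(lock, target).map((r) => ({
    path: r.chain.join(" -> "),
    vulnerable: isBelow(r.version, fixedVersion),
    devOnly: r.dev,
  }));
}

const REPORT = report(SAMPLE_LOCK, "fast-json-patch", FIXED_VERSION);
console.log(JSON.stringify(REPORT, null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A row with `devOnly: true` supports the "never installed in production" argument, but it says nothing about the CI/CD machine itself, where the package is installed and its code does run; that is the distinction the second comment above draws. Where a maintainer cannot be waited on, npm (8.3 and later) also lets the consuming project pin the transitive version through an `overrides` entry in package.json, which changes what the walk above finds without changing the plugin.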