This repository has been archived by the owner on Nov 5, 2024. It is now read-only.

[AWS Lambda] Vulnerability Issue #801

Closed
alinlinus opened this issue Aug 7, 2024 · 1 comment

@alinlinus

Hey guys,

I've been working on building a Lambda layer using the base Docker image public.ecr.aws/lambda/nodejs:18. I've encountered some issues with the version of the aws-sdk installed in this base image. Specifically, the runtime includes packages with known vulnerabilities (as far as I am concerned, the runtime folder should not be touched):

  • ws 8.16.0 - CVE-2024-37890 - Fixed in 8.17.1
    Location: /var/runtime/node_modules/@aws-sdk/node_modules/ws/package.json
  • ws 7.5.9 - CVE-2024-37890 - Fixed in 7.5.10
    Location: /var/runtime/node_modules/@aws-sdk/node_modules/mqtt/node_modules/ws/package.json
  • fast-xml-parser - CVE-2024-41818 - Fixed in 4.4.1
    Location: /var/runtime/node_modules/@aws-sdk/node_modules/fast-xml-parser/package.json

Even the newer images with updated Node.js versions (20, latest) still present these vulnerabilities. Are there any plans to release a new public Node.js image for Lambdas with an updated aws-sdk that addresses these issues?

alinlinus closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 7, 2024
github-actions bot commented Aug 7, 2024

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
