Latest version of cfn-lambda uses modules with vulnerabilities

[iDVB]

We use both GitHub's built in vulnerability scanner as well as a third-party one snyk.io and there seems to be a few issues with the latest version.

https://app.snyk.io/test/npm/cfn-lambda/2.1.3

Is there a specific reason you are including aws-sdk into this bundle? Is it not good enough to lock the API versions in the code and then let it inherit the module from AWS lambda natively? Seems like that would clear up a number of issues.

[andrew-templeton]

The whole point of this, or a large portion, was to be ahead of the curve back when CloudFormation didn’t support new resources very well / had poor coverage. I can do the upgrade. It doesn’t get very many stars so I have no clue how many people still use it, given that many just download and make their own mirror. Remember, the AWS SDK in the lambda runtime is very out of date (for example it doesn’t support DynamoDB transactions) Glad to hear you’re using it I can publish a new version later

…

Sent from my iPhone

On Mar 7, 2019, at 11:53 AM, Dan Van Brunt ***@***.***> wrote: We use both GitHub's built in vulnerability scanner as well as a third-party one snyk.io and there seems to be a few issues with the latest version. https://app.snyk.io/test/npm/cfn-lambda/2.1.3 Is there a specific reason you are including aws-sdk into this bundle? Is it not good enough to lock the API versions in the code and then let it inherit the module from AWS lambda natively? Seems like that would clear up a number of issues. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[andrew-templeton]

@iDVB New version 3.1.0 uses latest and has no NPM-discovered security flaws / no deprecated packages either. Error messaging on schema validations is moderately different but contains the same information. Major version bump is because of 2 minor changes which are technically breaking (see nested SDKAlias feature #34 )

[iDVB]

Thanks @andrew-templeton !
Surprised more don’t use it. From my poking around the interwebs it seemed to be the most stared if even a small amount.

I started using it for exactly as you say, fill the clodudformation void (TranscodePipeline, TranscodePreset etc)

Am I missing the boat though? If all you need is a basic Custom Resource, are most people just coding it themselves with no framework/lib ?

[andrew-templeton]

My suspicion is that this is considered fairly advanced and not a very common thing / degree of automation.

…

Sent from my iPhone

On Mar 12, 2019, at 4:49 AM, Dan Van Brunt ***@***.***> wrote: Thanks @andrew-templeton ! Surprised more don’t use it. From my poking around the interwebs it seemed to be the most stared if even a small amount. I started using it for exactly as you say, fill the clodudformation void (TranscodePipeline, TranscodePreset etc) Am I missing the boat though? If all you need is a basic Custom Resource, are most people just coding it themselves with no framework/lib ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.