package semver security issue

[chip-astg]

Amazon Inspector found a security issue with the current version of lambda-layer-canvas-nodejs

In package semver, version 6.3.0 has a Severity High vulnerability. The vulnerability is resolved in version 7.5.2

https://nvd.nist.gov/vuln/detail/CVE-2022-25883

Note that no other vulnerabilities were identified.

[charoitel]

@chip-astg, please update your canvas layer by deploying the latest version through AWS Serverless Application Repository, or creating a new version of your deployment by uploading the latest version from Releases. Thank you.

[chip-astg]

I deployed it a few days ago. It is the latest version canvas@2.11.2

I downloaded the layer as a zip. package-lock.json contains semver 6.0.0 and 6.3.0 in addition to 7.5.3. Perhaps Amazon Inspector is finding those?

[charoitel]

Would do some more round of works here and target to release in next release. Thank you~

[charoitel]

A new maintenance release is available through AWS Serverless Application Repository. I have tested in my Lambda with Amazon Inspector, haven't found any issue so far. Please deploy and try again. Thank you.