[Aikido] Fix 5 security issues in lodash, @aws-sdk/client-sts, @aws-sdk/client-cloudfront and 4 more #24

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-17095551-6VAE

Conversation

@aikido-autofix

Upgrades multiple dependencies to address prototype pollution, ReDoS, and AWS SDK configuration vulnerabilities that could enable remote code execution and service disruption.

✅ Code not affected by breaking changes.

No breaking changes from these package upgrades affect this codebase.

Both minimatch and @smithy/config-resolver are transitive dependencies that are not directly imported or used in the application code. The breaking changes are limited to Node.js version requirements:

  • minimatch 10.x requires Node.js 20 or 22+

  • @smithy/config-resolver 4.x requires Node.js 18+

Since the codebase already depends on @oclif/core v3.27.0 which requires Node.js >=18.0.0, the project must already be running on Node.js 18 or higher. If the project is running on Node.js 18 or 19, upgrading minimatch to 10.x would require upgrading to Node.js 20+. However, the @smithy/config-resolver upgrade would be compatible with the current setup.

The actual risk depends on the Node.js version being used in production. If already on Node.js 20+, there is no risk. If on Node.js 18-19, only the minimatch upgrade would require a Node.js version bump.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue | Severity | Description
CVE-2025-64718 | MEDIUM | [lodash] A prototype pollution vulnerability allows attackers to modify object prototypes through malicious YAML documents, potentially enabling arbitrary code execution or application compromise when parsing untrusted input.
AIKIDO-2025-10809 | MEDIUM | [lodash] A prototype pollution vulnerability in object merging allows attackers to inject malicious properties via crafted YAML input, potentially leading to remote code execution, denial of service, or other security breaches.
CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-26996 | LOW | [lodash] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive * wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. User-controlled glob patterns can trigger hangs or extreme slowdowns, enabling denial of service attacks.
GHSA-6475-r3vj-m8vf | LOW | [lodash] Invalid region values in AWS SDK configuration could allow improper routing of API calls to non-AWS hosts if an actor with environment access sets the region field to an invalid value. A validation enhancement has been implemented to ensure regions are valid host labels.
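
As an added example (not code from this PR, the Aikido bot, or lodash), the following JavaScript shows the mitigation that the three lodash prototype-pollution advisories above point to: a deep merge and a path-based unset that refuse to traverse `__proto__`, `constructor` and `prototype`, and only walk own properties. It is exercised against a constructed parsed document carrying those keys, the kind of untrusted input the advisories describe; the helper names `safeMerge`, `safeUnset`, `runChecks` and the sample document are assumptions, not anything from the page.

```javascript
// Added example, not from the PR or lodash: a merge and an unset that cannot
// reach Object.prototype, plus a regression check a CI job could run.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects ({} or Object.create(null)) are merged recursively;
// class instances, arrays and functions are assigned as opaque values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, copying only own enumerable keys and
// dropping any key that would redirect the write to a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never assign through __proto__ etc.
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const base = isPlainObject(existing) ? existing : {};
      target[key] = safeMerge(base, incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// Delete the property at `path` (array of keys) from `obj`. Refuses paths
// containing a forbidden segment and never follows inherited properties, so a
// crafted path cannot remove methods such as Object.prototype.toString.
function safeUnset(obj, path) {
  if (path.some((seg) => FORBIDDEN_KEYS.has(String(seg)))) return false;
  let cursor = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (!isPlainObject(cursor) || !Object.prototype.hasOwnProperty.call(cursor, path[i])) return false;
    cursor = cursor[path[i]];
  }
  const last = path[path.length - 1];
  if (!isPlainObject(cursor) || !Object.prototype.hasOwnProperty.call(cursor, last)) return false;
  delete cursor[last];
  return true;
}

// Constructed sample input: JSON.parse creates real own properties named
// "__proto__" and "constructor", which is exactly what a vulnerable merge
// would walk into. (An object literal would not; it sets the prototype.)
const UNTRUSTED_DOC = '{"name":"cart","__proto__":{"polluted":true},'
  + '"constructor":{"prototype":{"polluted":true}},"totals":{"tax":0.2}}';

// Regression check: merge and unset the hostile input, then verify that the
// global prototype is untouched and ordinary data still round-trips.
function runChecks() {
  const merged = safeMerge({ totals: { net: 100 } }, JSON.parse(UNTRUSTED_DOC));
  const unsetGlobalRefused = safeUnset({}, ['constructor', 'prototype', 'toString']) === false;
  const unsetOwnWorked = safeUnset(merged, ['totals', 'tax']) === true && !('tax' in merged.totals);
  return {
    mergedName: merged.name,
    mergedNet: merged.totals.net,
    hasOwnProtoKey: Object.prototype.hasOwnProperty.call(merged, '__proto__'),
    globalPolluted: ({}).polluted !== undefined,
    toStringIntact: typeof Object.prototype.toString === 'function',
    unsetGlobalRefused,
    unsetOwnWorked,
  };
}

console.log(runChecks());
```

Run it with `node` after a lodash or merge-helper upgrade; if `globalPolluted` ever reports `true` or `toStringIntact` reports `false`, some code path in the process is still writing through or deleting from a prototype. The same checks can be pointed at `_.merge`/`_.unset` directly once the upgraded package is installed.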

@vercel

vercel bot commented Feb 22, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
cash-register-api-example-client | Error | Error | Feb 22, 2026 11:39pm
