fix(security): remediate vulnerable deps in Lambda functions [AIS-36] #11031

Merged: Tyler Pina (tylerpina) merged 3 commits into master from fix/lambda-deps on Jun 18, 2026
Conversation

Tyler Pina (tylerpina), Contributor, commented Jun 18, 2026

AIS-36

Summary

  • Bump node-fetch to 2.7.0 as a direct dep in ai-image-tagging, smartling, and typeform lambdas
  • Bump lodash to ^4.18.0 as a direct dep in ecommerce-app-base
  • Add overrides in all 7 affected Lambda package.json files to enforce minimum safe version floors for all Wiz-flagged packages: axios >=1.15.2, body-parser >=1.20.3, fast-xml-parser >=4.5.5, jws >=3.2.3, lodash >=4.18.0, minimatch >=3.1.4, node-forge >=1.4.0, protobufjs >=7.5.5, qs >=6.7.3, simple-git >=3.36.0, tar >=7.5.11, underscore >=1.13.8
  • Lock files regenerated for google-analytics-4, netlify, slack, and ecommerce-app-base; lock files for ai-image-tagging, smartling, and typeform require CI (private @contentful registry) — overrides are in place and will be enforced on next deploy

Test plan

  • CI passes for each affected Lambda
  • npm audit in google-analytics-4/lambda, netlify/lambda, and slack/lambda shows no critical/high findings for the listed packages
  • Deploy each Lambda to test stage and verify function starts successfully
  • Redeploy to prd stage and confirm Wiz findings clear (per AIS-36 DoD)

Generated with Claude Code
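
The description above relies on npm `overrides` to raise version floors, and the third commit notes that such floors are inert under `npm ci` when the lock file is stale, because `npm ci` installs exactly what package-lock.json resolves. The check below is an added example, not code from this PR or repository: it walks every resolved entry in a lockfileVersion 2 or 3 package-lock.json (nested copies included, since overrides are meant to reach transitive dependencies) and reports any flagged package still resolved below the floors listed in the PR description. The lock-file layout (a top-level `packages` map keyed by `node_modules/...` path), the plain numeric version comparison, and the sample lock are assumptions made for the example.

```javascript
// Added example (not part of the PR): verify that a package-lock.json actually
// satisfies the override floors from the PR description. package.json overrides
// only matter once the lock is regenerated; `npm ci` installs the lock as-is.
// Assumed: lockfileVersion 2/3 layout ("packages" map keyed by node_modules path)
// and dotted numeric versions in the lock entries.

// Minimum safe versions (inclusive floors) as listed in the PR description.
const FLOORS = {
  axios: "1.15.2",
  "body-parser": "1.20.3",
  "fast-xml-parser": "4.5.5",
  jws: "3.2.3",
  lodash: "4.18.0",
  minimatch: "3.1.4",
  "node-forge": "1.4.0",
  protobufjs: "7.5.5",
  qs: "6.7.3",
  "simple-git": "3.36.0",
  tar: "7.5.11",
  underscore: "1.13.8",
};

// Numeric comparison of dotted versions; lock entries are exact versions, so a
// full semver range parser is not needed. Any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lock-file key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The root entry "" yields null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every resolved entry, including nested (non-hoisted) copies, and collect
// the ones whose resolved version is below the floor for that package.
function findBelowFloor(lock, floors = FLOORS) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, floor: floors[name] });
    }
  }
  return findings;
}

// Convenience wrapper for the raw text of a package-lock.json file.
function checkLockText(text, floors = FLOORS) {
  return findBelowFloor(JSON.parse(text), floors);
}

function formatFindings(findings) {
  return findings.map((f) => `${f.path}: ${f.name}@${f.version} is below floor ${f.floor}`);
}

// Constructed sample lock (not a lock file from this repository): a hoisted
// lodash and qs at their floors, plus a nested minimatch that a stale lock left
// at an old version even though an override floor exists in package.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-lambda", version: "1.0.0" },
    "node_modules/lodash": { version: "4.18.0" },
    "node_modules/qs": { version: "6.7.3" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/minimatch": { version: "3.0.4" },
  },
};

for (const line of formatFindings(findBelowFloor(SAMPLE_LOCK))) {
  console.log(line);
}
```

Run as-is it reports the one stale nested minimatch in the constructed sample; for a real Lambda, pass the file contents to `checkLockText` (for example `checkLockText(fs.readFileSync("lambda/package-lock.json", "utf8"))`) after regenerating the lock, and fail the CI step when the returned list is non-empty. That is the check that distinguishes "override present in package.json" from "override actually applied", which is the gap the third commit closed. lockfileVersion 1 lock files use a nested `dependencies` tree instead of `packages` and are not handled here.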

Tyler Pina (tylerpina) and others added 3 commits June 18, 2026 12:45
Bump direct deps and add npm overrides to enforce minimum safe version
floors across all affected Lambda functions per Wiz findings:
- axios >=1.15.2, body-parser >=1.20.3, fast-xml-parser >=4.5.5
- lodash >=4.18.0 (direct dep bump in ecommerce-app-base)
- minimatch >=3.1.4, node-fetch 2.7.0, node-forge >=1.4.0
- protobufjs >=7.5.5, qs >=6.7.3, simple-git >=3.36.0
- tar >=7.5.11, underscore >=1.13.8

Lock files regenerated for ga4, netlify, slack, and ecommerce-app-base.
Lock files for ai-image-tagging, smartling, and typeform require CI
(private @contentful registry) -- overrides are in place.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…g and typeform [AIS-36]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… typeform lambdas [AIS-36]

Enforces override floors (minimatch >=5.1.8 and others) that were previously
inert under npm ci due to stale lock files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tylerpina Tyler Pina (tylerpina) merged commit 3b84089 into master Jun 18, 2026
14 checks passed
@tylerpina Tyler Pina (tylerpina) deleted the fix/lambda-deps branch June 18, 2026 20:03