[Snyk] Security upgrade @aws-cdk/core from 1.51.0 to 1.144.0

[m-mizutani]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	479

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[octovy-dev]

🚨 New Vulnerabilities

package-lock.json

CVE-2022-25883: nodejs-semver: Regular expression denial of service (HIGH)

• PkgName: semver
• Installed Version: 6.3.0
• Fixed Version: 7.5.2, 6.3.1, 5.7.2
• Status: fixed
• Severity: HIGH

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

References

• https://access.redhat.com/errata/RHSA-2023:5362
• https://access.redhat.com/security/cve/CVE-2022-25883
• https://bugzilla.redhat.com/2216475
• https://bugzilla.redhat.com/2230948
• https://bugzilla.redhat.com/2230955
• https://bugzilla.redhat.com/2230956
• https://errata.almalinux.org/8/ALSA-2023-5362.html
• GHSA-c2qf-rxjj-qqgw
• https://github.com/npm/node-semver
• https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
• https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
• https://github.com/npm/node-semver/blob/main/internal/re.js#L138
• https://github.com/npm/node-semver/blob/main/internal/re.js#L160
• https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
• https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
• npm/node-semver@2f8fd41
• npm/node-semver@717534e
• npm/node-semver@928e56d
• fix: better handling of whitespace npm/node-semver#564
• fix: better handling of whitespace (backport to v5) npm/node-semver#585
• chore: release 6.3.1 npm/node-semver#593
• https://linux.oracle.com/cve/CVE-2022-25883.html
• https://linux.oracle.com/errata/ELSA-2023-5363.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-25883
• https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
• https://www.cve.org/CVERecord?id=CVE-2022-25883

✅ Fix Vulnerabilities

package-lock.json

CVE-2022-25883: nodejs-semver: Regular expression denial of service (HIGH)

• PkgName: semver
• Installed Version: 7.3.2
• Fixed Version: 7.5.2, 6.3.1, 5.7.2
• Status: fixed
• Severity: HIGH

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

References

• https://access.redhat.com/errata/RHSA-2023:5362
• https://access.redhat.com/security/cve/CVE-2022-25883
• https://bugzilla.redhat.com/2216475
• https://bugzilla.redhat.com/2230948
• https://bugzilla.redhat.com/2230955
• https://bugzilla.redhat.com/2230956
• https://errata.almalinux.org/8/ALSA-2023-5362.html
• GHSA-c2qf-rxjj-qqgw
• https://github.com/npm/node-semver
• https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
• https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
• https://github.com/npm/node-semver/blob/main/internal/re.js#L138
• https://github.com/npm/node-semver/blob/main/internal/re.js#L160
• https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
• https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
• npm/node-semver@2f8fd41
• npm/node-semver@717534e
• npm/node-semver@928e56d
• fix: better handling of whitespace npm/node-semver#564
• fix: better handling of whitespace (backport to v5) npm/node-semver#585
• chore: release 6.3.1 npm/node-semver#593
• https://linux.oracle.com/cve/CVE-2022-25883.html
• https://linux.oracle.com/errata/ELSA-2023-5363.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-25883
• https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
• https://www.cve.org/CVERecord?id=CVE-2022-25883

⚠️ All detected vulnerabilities

package-lock.json: (11)

• CVE-2020-28472: ( aws-sdk ) Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
• CVE-2021-3749: ( axios ) nodejs-axios: Regular expression denial of service in trim function
• CVE-2020-28168: ( axios ) nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address
• CVE-2023-45857: ( axios ) axios: exposure of confidential data stored in cookies
• CVE-2022-0155: ( follow-redirects ) follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
• CVE-2022-0536: ( follow-redirects ) follow-redirects: Exposure of Sensitive Information via Authorization Header leak
• CVE-2023-26159: ( follow-redirects ) follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
• CVE-2024-28849: ( follow-redirects ) follow-redirects: Possible credential leak
• CVE-2022-3517: ( minimatch ) nodejs-minimatch: ReDoS via the braceExpand function
• CVE-2022-25883: ( semver ) nodejs-semver: Regular expression denial of service
• CVE-2023-0842: ( xml2js ) node-xml2js: xml2js is vulnerable to prototype pollution