Skip to content

fix(security): add ws, tmp, axios overrides to smartling and ga4 lambdas [AIS-142]#11059

Merged
Tyler (tylerwashington888) merged 1 commit into
masterfrom
security/lambda-dep-overrides-ws-tmp-axios
Jul 7, 2026
Merged

fix(security): add ws, tmp, axios overrides to smartling and ga4 lambdas [AIS-142]#11059
Tyler (tylerwashington888) merged 1 commit into
masterfrom
security/lambda-dep-overrides-ws-tmp-axios

Conversation

@tylerwashington888

Copy link
Copy Markdown
Contributor

Summary

Resolves 14 open HIGH Wiz vulnerability findings on sls-apps-smartling-prd-app and sls-apps-google-analytics-4-prd-api by adding npm overrides to force safe versions of transitive dependencies that are hoisted into the Lambda deployment artifact via the Serverless Framework.

Affected resources (Wiz):

  • sls-apps-smartling-prd-app — 14 open HIGH findings
  • sls-apps-google-analytics-4-prd-api — ws + tmp findings

Root cause: axios, ws, and tmp are transitive deps of the serverless CLI package. npm hoists them to top-level node_modules, so the Serverless Framework bundles them into the Lambda zip. Wiz scans the deployed artifact and flags the vulnerable versions.

Overrides applied:

Package Vulnerable version Fixed version Apps updated
axios 1.7.7 >=1.16.0 smartling (added)
ws 7.5.9–7.5.10 >=7.5.11 smartling, ga4
tmp 0.0.33 >=0.2.7 smartling, ga4

Verified: Updated package-locks resolve to axios@1.18.x, ws@8.21.0, tmp@0.2.7.

Runtime impact: None — the Lambda handler code for both apps does not import axios, ws, or tmp directly. These packages only existed in the bundle as transitive deps of the Serverless CLI.

Test plan

  • CI passes for smartling and ga4 lambda builds and deploys
  • Wiz re-scan shows findings resolved on next scan cycle after deploy

🤖 Generated with Claude Code

Resolves 14 open HIGH Wiz vulnerability findings on sls-apps-smartling-prd-app
and sls-apps-google-analytics-4-prd-api by forcing safe versions of transitive
deps bundled via the Serverless Framework.

- axios: >=1.16.0 (smartling: added; ga4: already set)
- ws: >=7.5.11 (both: added)
- tmp: >=0.2.7 (both: added)

All three packages were hoisted to top-level node_modules and were being
packaged into the Lambda deployment artifact, making them visible to Wiz.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tylerwashington888 Tyler (tylerwashington888) changed the title fix(security): add ws, tmp, axios overrides to smartling and ga4 lambdas fix(security): add ws, tmp, axios overrides to smartling and ga4 lambdas [AIS-142] Jul 7, 2026
@tylerwashington888 Tyler (tylerwashington888) merged commit 0a8f4f5 into master Jul 7, 2026
14 of 15 checks passed
@tylerwashington888 Tyler (tylerwashington888) deleted the security/lambda-dep-overrides-ws-tmp-axios branch July 7, 2026 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants