These packages are local-development emulator plugins for the Serverless framework. They run on a developer's machine against local emulators (LocalStack, DynamoDB Local, minio, …) and are not intended to run as network-exposed production services.
| Package | Supported |
|---|---|
| Latest published major of each `packages/*` plugin | ✅ |
| Older majors | Best-effort only |
Please report suspected vulnerabilities privately via GitHub Security Advisories ("Report a vulnerability" on the repository Security tab) rather than opening a public issue. We aim to acknowledge within a few business days.
The repository's Dependabot dashboard lists alerts that are almost entirely dev- and release-tooling only. We trace every alert to its direct dependency and to whether it is reachable from published, installed runtime code. The methodology: `npm audit` cross-checked with `npm ls <pkg>` to find the importing chain.
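As an added illustration of that methodology (not the repository's own tooling), the script below walks a constructed `npm ls --all --json` tree and reports, for each `npm audit` finding, its importing chains and whether any chain reaches the package through runtime dependencies rather than only through devDependencies. The tree shape, versions and advisory list are assumed sample data.

```python
import json

# Constructed sample shaped like `npm ls --all --json` (npm 7+): a node reachable
# only through devDependencies carries "dev": true. Versions other than
# kinesis-readable@1.2.0 are placeholders.
SAMPLE_NPM_LS = json.dumps({"name": "serverless-plugins-monorepo", "dependencies": {
    "serverless-offline-kinesis": {"version": "0.0.0", "dependencies": {
        "kinesis-readable": {"version": "1.2.0", "dependencies": {
            "aws-sdk": {"version": "2.0.0"}}}}},
    "lerna": {"version": "7.0.0", "dev": True, "dependencies": {
        "pacote": {"version": "0.0.0", "dev": True, "dependencies": {
            "tar": {"version": "0.0.0", "dev": True}}}}},
    "eslint": {"version": "0.0.0", "dev": True, "dependencies": {
        "minimatch": {"version": "0.0.0", "dev": True}}},
}})

# Constructed advisories: package -> severity, as `npm audit --json` lists them
# under "vulnerabilities".
SAMPLE_AUDIT = {"tar": "high", "minimatch": "high", "aws-sdk": "low"}


def find_chains(tree, target):
    """Every root -> target path; a chain is runtime only if no node on it is dev."""
    found = []

    def walk(node, path, dev_only):
        for name, child in node.get("dependencies", {}).items():
            child_dev = dev_only or bool(child.get("dev"))
            if name == target:
                found.append({"path": path + [name], "runtime": not child_dev})
            walk(child, path + [name], child_dev)

    walk(tree, [], False)
    return found


def triage(npm_ls_json, advisories):
    """Per advisory: importing chains, and whether any reaches it from a runtime dep."""
    tree = json.loads(npm_ls_json)
    report = {}
    for pkg, severity in advisories.items():
        chains = find_chains(tree, pkg)
        report[pkg] = {"severity": severity,
                       "chains": [" > ".join(c["path"]) for c in chains],
                       "ships_to_users": any(c["runtime"] for c in chains)}
    return report


if __name__ == "__main__":
    for pkg, row in triage(SAMPLE_NPM_LS, SAMPLE_AUDIT).items():
        print(pkg, row["severity"], "SHIPS" if row["ships_to_users"] else "dev-only", row["chains"])
```

Against a real checkout, feed it the output of `npm ls --all --json` and the package names from `npm audit --json` instead of the constructed samples.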
Every published plugin's runtime (`dependencies`) tree resolves to: `lodash`, `@aws-sdk/*` v3, `@smithy/node-http-handler`, `figures`, `minio`, `p-queue`, and internal monorepo packages. None of these carry an open advisory. The alerts on the dashboard come from elsewhere:
| Alert source (direct dep) | Role | Advisories pulled in | Ships to users? |
|---|---|---|---|
| `lerna` (root devDep) | Release/version tooling | `tar` (×8), `minimatch` (×3), `@octokit/*` (×3), `sigstore`, `pacote`, `node-gyp`, `js-yaml`, `nx` | ❌ No |
| `nyc` (root devDep) | Coverage | `js-yaml`, `istanbul-lib-processinfo` → `uuid` | ❌ No |
| `ava` (root devDep) | Test runner | `supertap` → `js-yaml` | ❌ No |
| `eslint` (root devDep) | Lint | `minimatch`, `js-yaml` | ❌ No |
| `tests/serverless-plugins-integration` | Private integration-test package (`"private": true`) | `aws-sdk@2` (region validation), `uuid` | ❌ No |
| `dynamodb-streams-readable` (devDep) | Dev-only since the v3 migration | `uuid@9` bounds check | ❌ No |
- High-severity `tar`/`minimatch`/`@octokit/*`/`sigstore` advisories are pulled exclusively by `lerna` and execute only during `lerna publish`/`lerna version` on a trusted maintainer machine processing this repo's own source. They are not reachable by consumers of the published packages and not reachable by any attacker-controlled input. Practical risk ≈ none.
- `js-yaml`/`uuid`/`minimatch` from `nyc`/`ava`/`eslint` run only in the local test/lint pipeline. Not shipped.
- The only runtime-reachable advisory is `aws-sdk@2` (Low, region-parameter validation) pulled by `kinesis-readable@1.2.0`, a runtime dependency of `serverless-offline-kinesis`. This is being removed (see the remediation spec).
Remediation carried out:
- This document (triage record).
- `kinesis-readable` (which pulled `aws-sdk@2`, the only runtime-reachable advisory) replaced by an in-house `@aws-sdk/client-kinesis` v3 reader. The shipped runtime trees are now advisory-free.
- `lerna` 7 → 8, `nyc` 15 → 17, `ava` 4 → 6; `uuid` forced to `^11.1.1`; integration-test package migrated off `aws-sdk@2` to `@aws-sdk/client-*` v3.
Why some High advisories remain on the dashboard (and are accepted): they all live in `lerna`'s release-tooling tree and currently have no compatible fix:
- `tar`: every published version (<= 7.5.15) is flagged; there is no patched release to upgrade to yet.
- `minimatch`: cannot be pinned globally. `lerna`'s transpiled code needs the CommonJS default export (`minimatch@<=6`), while `glob@10`/`sigstore` need the named-export rewrite (`minimatch@>=9`). A single `override` breaks one or the other.

Forcing these via overrides was attempted and breaks `lerna` (`minimatch@9` drops the default export → `lerna run`/`lerna publish` crash). Since the code is not in any shipped or attacker-reachable path, it is documented here and dismissed on the dashboard rather than force-patched.
Dashboard alerts whose vulnerable code is not in any execution path may be dismissed with the rationale "vulnerable code is not in the execution path".