Package is dependent on vulnerable versions of json5
PythonCoderAS opened this issue · comments
According to `npm audit`:

```
# npm audit report
json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths 3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base
      eslint-config-airbnb-typescript >=16.0.0
      Depends on vulnerable versions of eslint-config-airbnb-base
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-typescript
```
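The audit output above flags a json5@1.0.1 nested under tsconfig-paths while the root json5 may already be patched. As an added example (not code from the issue, from tsconfig-paths or from npm), the script below walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports every json5 install that is outside the patched ranges this thread settles on (1.0.2 on the 1.x line, 2.2.2 on the 2.x line); the lockfile fragment is constructed to mirror the chain in the audit report.

```javascript
// Added example: find nested json5 installs still affected by GHSA-9c47-m6qq-7p4h.
// Patched baselines per the advisory and this thread: 1.0.2 (1.x line), 2.2.2 (2.x line).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when this json5 version carries the prototype-pollution fix.
function json5IsPatched(version) {
  const v = parseVersion(version);
  if (!v) return false;            // unparseable: treat as unpatched
  if (v[0] === 1) return cmp(v, [1, 0, 2]) >= 0;
  if (v[0] === 2) return cmp(v, [2, 2, 2]) >= 0;
  return v[0] > 2;
}

// Walks lockfile.packages and returns each vulnerable json5 install with the
// package that nests it ("(root)" for a top-level install).
function findVulnerableJson5(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/json5$/.test(path)) continue;
    if (json5IsPatched(entry.version)) continue;
    const chain = path.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
    findings.push({ path, version: entry.version, via: chain[chain.length - 2] || '(root)' });
  }
  return findings;
}

// Constructed lockfile fragment (assumption, not a real project's lockfile):
// a patched root json5 plus the nested 1.0.1 that tsconfig-paths 3.14.1 pins.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/json5': { version: '2.2.3' },
    'node_modules/tsconfig-paths': { version: '3.14.1', dependencies: { json5: '^1.0.1' } },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '1.0.1' },
  },
};

for (const f of findVulnerableJson5(sampleLock)) {
  console.log(`${f.path}: json5@${f.version} pulled in via ${f.via}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.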
Fixed by #232
Could we get a patch for 3.x as well? It's still dependent on json5@1.0.1
#234 would fix for v3 but needs a dedicated branch to be created from the v3.14.2 tag. Then I can change the base branch in my PR.
@jonaskello do you have an objection to making a v3.14.2 branch for tsconfig-paths, in which JSON5 would get bumped to v1.0.2 using mihaiplesa's PR #234?
This would be great because when that's done, eslint-plugin-import could bump their version of tsconfig-paths from v3.14.1 to v3.14.2 (they don't want to use tsconfig-paths v4 as it would be a breaking change, so a tsconfig-paths v3.x would make sense in my opinion; see their full explanation here: import-js/eslint-plugin-import#2712 (comment)).
@mihaiplesa maybe update your PR's title to "bump JSON5 from v1.0.1 to v1.0.2 in tsconfig-paths v3.14.1 to fix CVE-2022-46175" to make it clearer that this is a new PR that is different from the PR for tsconfig-paths v4.1.1 (#232).
After that I guess this ticket could get closed.
Released now in 3.14.2
I just merged a change to upgrade to `tsconfig-paths@3.14.2` (and transitively to `json5@1.0.2`). However, the Dependabot alert did not resolve due to:

> The earliest fixed version is `2.2.2`.

I don't know the specific details on the `json5` side of things, but I'm not sure `json5@1.0.2` is considered valid/maintained?
According to the GitHub report, 1.0.2 is also valid. I think this might be a bug in Dependabot.
Released now in 3.14.2
Thank you.