istanbuljs / nyc

the Istanbul command line interface

Home Page:https://istanbul.js.org/

JSON5 Vulnerability - Prototype Pollution in JSON5 via Parse Method

raQai opened this issue · comments

Link to bug demonstration repository

GHSA-9c47-m6qq-7p4h

Expected Behavior

Audit passing

Observed Behavior

Audit failing

Troubleshooting steps

% npm audit --audit-level=high

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

Have you tried using a package resolution? Or the npm equivalent, 'overrides'? This lets you override a child dependency version without having to wait for a higher one to be updated.

We had the same issue with nyc and this seemed to work for us:

  "resolutions": {
    "nyc/istanbul-lib-instrument": "^5.2.1"
  },

Yea, thanks for the advice 🙂 npm audit fix actually resolves the failure, but I just wanted to open this issue since it was not yet addressed in nyc itself, which it probably should be :)

@raQai there is nothing for nyc to address as the vulnerability is a child dependency of a dependency they rely on whose constraints allow for a patched version to be used (since running npm audit fix successfully resolves the advisory) - nyc would only need to action this if that wasn't the case.

Thanks for clarifying @G-Rath 👍
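The two points made above (an override/resolution fixes a transitive advisory, and nyc itself only needs to act when its dependency's constraint cannot reach a patched version) can be turned into a small triage check. The following is an added example, not code from nyc or from anyone in this thread; the patched version 2.2.2 is assumed from the advisory range ending at 2.2.1, and the constraint values are constructed.

```javascript
// Added example (not part of nyc or the issue thread): triage helper for an
// npm audit finding. It checks whether the installed version falls inside the
// advisory's hyphen range and whether the parent's constraint already admits
// the patched version, which decides between `npm audit fix` and an
// `overrides` entry. Only exact, ^ and ~ constraints are handled.

const parse = (v) => v.split('.').map(Number);           // "2.2.1" -> [2, 2, 1]
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Advisory ranges as npm audit prints them, e.g. "2.0.0 - 2.2.1" (both ends inclusive).
function isVulnerable(installed, vulnRange) {
  const [lo, hi] = vulnRange.split(' - ').map((s) => s.trim());
  return cmp(installed, lo) >= 0 && cmp(installed, hi) <= 0;
}

// Does a package.json constraint admit `candidate`? Caret keeps the major
// (minor-locked when major is 0); tilde keeps major.minor; anything else is an exact pin.
function satisfies(candidate, constraint) {
  const base = constraint.replace(/^[\^~]/, '');
  if (cmp(candidate, base) < 0) return false;
  const [cm, cn] = parse(candidate), [bm, bn] = parse(base);
  if (constraint.startsWith('^')) return bm > 0 ? cm === bm : cm === bm && cn === bn;
  if (constraint.startsWith('~')) return cm === bm && cn === bn;
  return cmp(candidate, base) === 0;
}

// Decide what the consuming project has to do for one finding.
function triage({ pkg, installed, vulnRange, patched, constraint }) {
  if (!isVulnerable(installed, vulnRange)) return { action: 'none' };
  if (satisfies(patched, constraint)) return { action: 'npm audit fix' };
  return { action: 'override', overrides: { [pkg]: `^${patched}` } };
}

// Constructed scenario mirroring the audit output in this issue. The patched
// version 2.2.2 is assumed (first version after the advisory range); the
// constraint that istanbul-lib-instrument places on json5 is also assumed.
const finding = { pkg: 'json5', installed: '2.2.1', vulnRange: '2.0.0 - 2.2.1', patched: '2.2.2' };
console.log(triage({ ...finding, constraint: '^2.1.0' })); // caret admits 2.2.2: audit fix suffices
console.log(triage({ ...finding, constraint: '2.2.1' }));  // exact pin: override needed
```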