JSON5 Vulnerability - Prototype Pollution in JSON5 via Parse Method
raQai opened this issue
Link to bug demonstration repository
Expected Behavior
Audit passing
Observed Behavior
Audit failing
Troubleshooting steps
% npm audit --audit-level=high
json5 2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5
Have you tried using a package resolution, or the npm equivalent 'overrides'? This lets you override a child dependency version without having to wait for a higher one to be updated.
We had the same issue with nyc and this seemed to work for us:
"resolutions": {
  "nyc/istanbul-lib-instrument": "^5.2.1"
},
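To show what that override approach looks like for the json5 advisory above, here is an added example (not code from the thread or from nyc) that scans a lockfile's `packages` map for json5 installs inside the affected range 2.0.0 - 2.2.1 and emits the npm `overrides` entry that forces a patched release. The patched floor `^2.2.2` is assumed from the advisory's range, and the lock file contents are constructed for illustration.

```javascript
// Added example: find transitive json5 installs in the advisory's affected
// range (2.0.0 - 2.2.1) and produce the npm "overrides" entry to pin a fix.
// The patched target "^2.2.2" is assumed from the affected range.
const VULN_MIN = [2, 0, 0];
const VULN_MAX = [2, 2, 1];      // last affected version per the audit output
const PATCHED = "^2.2.2";        // assumed override target

// Split "x.y.z" into numeric parts (json5 releases in this range carry no tags).
function parseVersion(v) {
  return v.split(".").map(Number);
}

// Three-way compare of two [major, minor, patch] arrays.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compare(v, VULN_MIN) >= 0 && compare(v, VULN_MAX) <= 0;
}

// List every json5 install path in a lockfileVersion 2/3 object whose
// version falls in the affected range, wherever it sits in the tree.
function findAffectedJson5(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p.endsWith("node_modules/json5") && isAffected(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// The package.json fragment to add if anything affected was found.
function overridesFor(lock) {
  return findAffectedJson5(lock).length ? { overrides: { json5: PATCHED } } : {};
}

// Constructed sample lock file: json5 arrives through a transitive dependency.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/nyc": { version: "0.0.0-constructed" },
    "node_modules/json5": { version: "2.2.1" },
    "node_modules/other-tool/node_modules/json5": { version: "2.2.2" },
  },
};

console.log(findAffectedJson5(sampleLock));
console.log(JSON.stringify(overridesFor(sampleLock), null, 2));
```

After adding the printed `overrides` block to package.json, re-running `npm install` and `npm audit` confirms the transitive json5 has moved to a patched version.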
Yea, thanks for the advice 🙂 `npm audit fix` actually resolves the failure, but I just wanted to open this issue since it was not yet addressed in nyc itself, which it probably should be :)
@raQai there is nothing for nyc to address, as the vulnerability is a child dependency of a dependency they rely on whose constraints allow for a patched version to be used (since running `npm audit fix` successfully resolves the advisory) - nyc would only need to action this if that wasn't the case.
Thanks for clarifying @G-Rath 👍