Package is dependent on vulnerable versions of json5 #233

Closed
PythonCoderAS opened this issue Dec 30, 2022 · 8 comments

Comments

@PythonCoderAS

According to npm audit:

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base
        eslint-config-airbnb-typescript  >=16.0.0
        Depends on vulnerable versions of eslint-config-airbnb-base
        Depends on vulnerable versions of eslint-plugin-import
        node_modules/eslint-config-airbnb-typescript
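The advisory in the audit output above (GHSA-9c47-m6qq-7p4h, CVE-2022-46175) describes JSON5.parse letting a document key named `__proto__` rewrite the prototype of the object being parsed. The block below is an added example, not json5's code and not part of this issue: it models the bug with a cut-down object builder that stores keys the way a naive parser does (`parent[key] = value`), next to the Object.defineProperty pattern that json5 1.0.2 / 2.2.2 use for that key, plus a small check for already-parsed data. JSON.parse is used as a stand-in tokenizer so it runs without json5 installed; the payload is constructed.

```javascript
// Added example, not json5's own code: a cut-down model of the bug behind
// GHSA-9c47-m6qq-7p4h (CVE-2022-46175). A parser that stores each parsed key
// with `parent[key] = value` runs the inherited `__proto__` setter when the
// key is "__proto__", so the document rewrites the prototype of the object
// being built. The fix in json5 1.0.2 / 2.2.2 defines that key with
// Object.defineProperty instead. JSON.parse stands in for the json5 tokenizer
// so this runs without json5 installed; the payload is constructed.

const PAYLOAD = '{"name": "cfg", "__proto__": {"polluted": true}}';

// Vulnerable pattern: rebuild the tree with one plain assignment per key.
function buildVulnerable(node) {
  if (Array.isArray(node)) return node.map(buildVulnerable);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const key of Object.keys(node)) {
    // For key === "__proto__" this is not an own-property write: it calls
    // Object.prototype's __proto__ setter and replaces out's prototype.
    out[key] = buildVulnerable(node[key]);
  }
  return out;
}

// Hardened pattern (the shape of the upstream fix): "__proto__" becomes an
// ordinary own data property and the prototype chain is left alone.
function buildHardened(node) {
  if (Array.isArray(node)) return node.map(buildHardened);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const key of Object.keys(node)) {
    const value = buildHardened(node[key]);
    if (key === '__proto__') {
      Object.defineProperty(out, key, {
        value, writable: true, enumerable: true, configurable: true,
      });
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Runtime check for data that was already parsed by an unknown library:
// true if any object in the tree has a prototype other than the plain
// Object.prototype / Array.prototype a JSON-like parser should produce.
function hasTamperedPrototype(node) {
  if (node === null || typeof node !== 'object') return false;
  const expected = Array.isArray(node) ? Array.prototype : Object.prototype;
  if (Object.getPrototypeOf(node) !== expected) return true;
  return Object.keys(node).some((k) => hasTamperedPrototype(node[k]));
}

function demonstrate(build) {
  const obj = build(JSON.parse(PAYLOAD));
  return {
    ownKeys: Object.keys(obj),
    polluted: obj.polluted,                 // reached through the prototype when polluted
    tampered: hasTamperedPrototype(obj),
    globalPolluted: ({}).polluted === true, // this bug is per parsed object, not Object.prototype
  };
}

console.log('vulnerable:', demonstrate(buildVulnerable));
console.log('hardened:  ', demonstrate(buildHardened));
```

With the vulnerable builder the returned object has only `name` as an own key, yet `obj.polluted` is `true` because its prototype is now the attacker-supplied object; the hardened builder keeps `__proto__` as a visible own key and `obj.polluted` stays `undefined`. Note that the pollution is confined to the parsed object, which is why a downstream `hasOwnProperty`-free merge into a shared object is where it turns into a real problem.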
@PythonCoderAS (Author)

PythonCoderAS commented Dec 30, 2022

Fixed by #232

@jongolden

Could we get a patch for 3.x as well? It's still dependent on json5@1.0.1

@mihaiplesa

mihaiplesa commented Jan 8, 2023

#234 would fix for v3 but needs a dedicated branch to be created from the v3.14.2 tag. Then I can change the base branch in my PR.

@chrisweb

chrisweb commented Feb 20, 2023

@jonaskello do you have an objection to making a v3.14.2 branch for tsconfig-paths, in which JSON5 would get bumped to v1.0.2 using mihaiplesa's PR: #234?

This would be great because when that's done, then eslint-plugin-import could bump their version of tsconfig-paths from v3.14.1 to v3.14.2 (they don't want to use tsconfig-paths v4 as it would be a breaking change, so a tsconfig-paths v3.x would make sense in my opinion, see their full explanation here: import-js/eslint-plugin-import#2712 (comment))

@mihaiplesa maybe update your PR's title to "bump JSON5 from v1.0.1 to v1.0.2 in tsconfig-paths v3.14.1 to fix CVE-2022-46175" to make it clearer that this is a new PR that is different from the PR for tsconfig-paths v4.1.1 #232

After that, I guess this ticket could get closed.

@jonaskello (Member)

Released now in 3.14.2

@dhermes

dhermes commented Feb 25, 2023

I just merged a change to upgrade to tsconfig-paths@3.14.2 (and transitively to json5@1.0.2). However the Dependabot alert did not resolve due to:

> The earliest fixed version is 2.2.2.

I don't know the specific details on the json5 side of things, but I'm not sure json5@1.0.2 is considered valid/maintained?
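The GitHub advisory for this issue lists two patched releases, 1.0.2 for the json5 1.x line and 2.2.2 for the 2.x line, so a lockfile can be checked per copy rather than against a single "earliest fixed" number. The block below is an added example, not part of this issue and not npm's or Dependabot's code: it walks the `packages` map of a package-lock.json (lockfile v2/v3) and reports each nested json5 copy against the patched version for its major line. The lockfile is constructed to mirror the nested copy shown in the audit output above; the 2.2.3 root copy and the "anything above 2.x is fixed" rule are assumptions.

```javascript
// Added example, not part of the issue and not npm/Dependabot code: check every
// json5 copy in a package-lock.json ("packages" map, lockfile v2/v3) against the
// advisory's two patched versions, 1.0.2 for 1.x and 2.2.2 for 2.x
// (GHSA-9c47-m6qq-7p4h). The lockfile below is constructed; the 2.2.3 root
// copy is an assumption.

const PATCHED = { 1: [1, 0, 2], 2: [2, 2, 2] };

// Keep only the numeric major.minor.patch triple; drop prerelease/build tags.
function parseVersion(v) {
  return v.split('+')[0].split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Fixed if at or above the patched release for its major line. 0.x has no
// patched release (the advisory's range is < 1.0.2); majors beyond 2 are
// assumed to postdate the fix.
function isFixedJson5(version) {
  const v = parseVersion(version);
  const patched = PATCHED[v[0]];
  if (!patched) return v[0] > 2;
  return compareVersions(v, patched) >= 0;
}

// Every lockfile path that is a json5 package, hoisted or nested.
function auditJson5(lock) {
  const packages = lock.packages || {};
  const results = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === 'node_modules/json5' || path.endsWith('/node_modules/json5')) {
      results.push({ path, version: entry.version, fixed: isFixedJson5(entry.version) });
    }
  }
  return results;
}

// Constructed lockfile: a fixed hoisted 2.x copy plus the nested 1.x copy
// pulled in by tsconfig-paths 3.14.1, as in the npm audit tree.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/json5': { version: '2.2.3' },
    'node_modules/tsconfig-paths': { version: '3.14.1', dependencies: { json5: '^1.0.1' } },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '1.0.1' },
  },
};

for (const r of auditJson5(LOCKFILE)) {
  console.log(`${r.path} ${r.version} ${r.fixed ? 'fixed' : 'VULNERABLE'}`);
}
```

Run against a real lockfile by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; after the tsconfig-paths 3.14.2 bump discussed in this thread the nested copy reads 1.0.2 and is reported as fixed, which is the result the Dependabot message above does not reflect.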

@PythonCoderAS (Author)

According to the GitHub report, 1.0.2 is also valid. I think this might be a bug in Dependabot.

@chrisweb

> Released now in 3.14.2

Thank you
