[GHSA-9c47-m6qq-7p4h] Prototype Pollution in JSON5 via Parse Method

[karlhorky]

Updates

• Affected products

Comments
json5/json5#298 (comment)

---

Ah, I think I fat-fingered this and submitted before it was finished. It seems I cannot edit this PR anymore either 😬

Anyway, what I was trying to do was report that it was also fixed in the v1 line (json5@1.0.2), as noted here:

• Backport fix for CVE-2022-46175 to v1 json5/json5#298 (comment)

So what I would suggest is that the vulnerability have two versions entries:

Affected versions	Patched versions
< 1.0.2	1.0.2
>= 2.0.0, < 2.2.2	2.2.2

Similar to this xmldom vulnerability:

• GHSA-crh6-fp67-6883

[github]

Hi there @jdgregson and @jordanbtucker! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[jordanbtucker]

@karlhorky Thanks for the suggestion. If you're not able to update this PR, it might be better to close this and open a new one. I'm traveling, so I'm not able to do that right now, but if you'd like to, I can review it and give my approval. I'm not exactly sure how the GHSA process works yet.

[jordanbtucker]

I was able to open #1541 instead. This PR can be closed without merging. Thanks again!

/cc @karlhorky

[karlhorky]

Ok great thanks @jordanbtucker !