Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jsonpath-plus is restricted to 10.2.0 which is vulnerable to CVE-2025-1302 #2779

Closed
mriedem opened this issue Feb 17, 2025 · 1 comment · Fixed by #2780
Closed

jsonpath-plus is restricted to 10.2.0 which is vulnerable to CVE-2025-1302 #2779

mriedem opened this issue Feb 17, 2025 · 1 comment · Fixed by #2780

Comments

@mriedem
Copy link

mriedem commented Feb 17, 2025

Describe the bug
jsonpath-plus is restricted to 10.2.0:

https://github.com/stoplightio/spectral/blob/%40stoplight/spectral-core-1.19.4/packages/core/package.json#L50

https://github.com/stoplightio/spectral/blob/%40stoplight/spectral-core-1.19.4/yarn.lock#L9284

So it's vulnerable to GHSA-hw8r-x6gr-5gjp.

To Reproduce

Interestingly npm audit isn't flagging this yet.

Expected behavior

Shouldn't have vulnerable dependencies; upgrade to jsonpath-plus 10.3.0.

Additional context
https://github.com/JSONPath-Plus/JSONPath/releases/tag/v10.3.0

Fix: JSONPath-Plus/JSONPath#237
@sloanesturz sloanesturz mentioned this issue Feb 19, 2025
Merged
4 tasks
@mriedem
Copy link
Author

mriedem commented Feb 24, 2025

PR #2785 is trying to bump the package version which includes the fix (#2780).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(deps): update jsonpath-plus to a safe version sloanesturz/spectral
1 participant
@mriedem