Security Vulnerability in `jsonpath-plus` Dependency

**Description:**
I am using the api package and recently encountered a critical security vulnerability caused by a transitive dependency on `jsonpath-plus`. This package is vulnerable to remote code execution (RCE) in versions prior to 10.0.7, as outlined in [GitHub Advisory GHSA-pppg-cpfq-h7wr](https://github.com/advisories/GHSA-pppg-cpfq-h7wr).

**Issue:**
When manually upgrading oas to `25.2.1` to mitigate the vulnerability, compatibility issues arise with `@readme/api` due to breaking changes introduced in `oas` versions between `25.0.2` and `25.2.1`.

**Request:**
Please update the oas dependency to `^25.2.1` or later within @readme/api.

**Steps to Reproduce**
- Install `@readme/api`.
- Run `npm` audit to identify the vulnerability in `jsonpath-plus`.
- Upgrade `oas` to `25.2.1`.
- Attempt to use `@readme/api` and observe compatibility issues due to breaking changes in `oas`.

**References**
[GitHub Advisory GHSA-pppg-cpfq-h7wr](https://github.com/advisories/GHSA-pppg-cpfq-h7wr)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Vulnerability in `jsonpath-plus` Dependency #969

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security Vulnerability in jsonpath-plus Dependency #969

Description