
chore(deps): update jsonpath-plus to a safe version #2780

Merged
merged 1 commit into from
Feb 20, 2025

Conversation

sloanesturz
Contributor

Fixes #2779.

Checklist

  • Tests added / updated
  • Docs added / updated

Does this PR introduce a breaking change?

  • Yes
  • No

If indicated yes above, please describe the breaking change(s).

Remove this quote before creating the PR.

Screenshots

Not applicable.

Additional context

As described in the issue, #2779, jsonpath-plus v10.2.0 has a vulnerability to remote code execution. This pulls in the next minor version, which is patched.

The changes between the versions are here, and seem straightforward: JSONPath-Plus/JSONPath@v10.2.0...v10.3.0

@sloanesturz sloanesturz requested a review from a team as a code owner February 19, 2025 02:31
@sloanesturz sloanesturz changed the title Update jsonpath-plus to a safe version fix(deps): update jsonpath-plus to a safe version Feb 19, 2025
@Beretta1979

you need to update your commit message... something like
chore(deps): update jsonpath-plus to a safe version
should be accepted


@mriedem mriedem left a comment


Functionally this looks good to me, but need to update the commit message as noted.

@sloanesturz sloanesturz changed the title fix(deps): update jsonpath-plus to a safe version chore(deps): update jsonpath-plus to a safe version Feb 19, 2025
@sloanesturz
Contributor Author

Thank you all for your help!

@Beretta1979 @mriedem once you approve it from your end, can you publish a new version, too?

@Beretta1979

> Thank you all for your help!
>
> @Beretta1979 @mriedem once you approve it from your end, can you publish a new version, too?

I'm not a maintainer :)

@mriedem

mriedem commented Feb 19, 2025

> I'm not a maintainer :)

same

@mnaumanali94 mnaumanali94 enabled auto-merge (squash) February 20, 2025 10:26
@mnaumanali94 mnaumanali94 merged commit c098156 into stoplightio:develop Feb 20, 2025
6 checks passed
@kkempsky

Was it published? I mean, how to bump version to not have this problem?

@mriedem

mriedem commented Feb 20, 2025

> Was it published? I mean, how to bump version to not have this problem?

Not yet. @mnaumanali94 is this something you're able to release?

@k0ka

k0ka commented Feb 23, 2025

It is still not published.
https://www.npmjs.com/package/@stoplight/spectral-core/v/1.19.4?activeTab=code
shows old 10.2.0 version. I guess we have to increase the version in the package.json for npmjs to fetch new version.
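The point raised above (the published @stoplight/spectral-core still resolves jsonpath-plus 10.2.0) is exactly what a lockfile audit catches. The following is an added example, not code from this PR or from the Spectral project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every resolved copy of jsonpath-plus older than 10.3.0, the version this PR identifies as patched. The sample lockfile is constructed inline.

```javascript
// Added example (not part of the PR): find vulnerable jsonpath-plus copies
// anywhere in an npm dependency tree, including nested node_modules folders
// such as the one under @stoplight/spectral-core.
const PACKAGE = "jsonpath-plus";
const FIXED_VERSION = "10.3.0"; // patched release named in the PR description

// Numeric comparison of two "major.minor.patch" strings; returns -1, 0 or 1.
// A lexical string compare would wrongly rank 10.10.0 below 10.3.0.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3). Keys are install
// paths, so a nested copy ends with ".../node_modules/jsonpath-plus" as well.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${PACKAGE}`)) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is already patched, but
// spectral-core still carries its own pinned 10.2.0 in a nested node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/jsonpath-plus": { version: "10.3.0" },
    "node_modules/@stoplight/spectral-core": { version: "1.19.4" },
    "node_modules/@stoplight/spectral-core/node_modules/jsonpath-plus": { version: "10.2.0" },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${h.path} -> ${h.version} (fixed in ${FIXED_VERSION})`);
}
```

To audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means a dependency upgrade (not only a direct one) is still needed.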

Development

Successfully merging this pull request may close these issues.

jsonpath-plus is restricted to 10.2.0 which is vulnerable to CVE-2025-1302