Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus #1065

Open
2 tasks done
BenjaminSchwendner opened this issue Nov 21, 2024 · 1 comment
Open
2 tasks done

[BUG] @asyncapi/multi-parser still depending on vulnerable version of jsonpath-plus #1065

BenjaminSchwendner opened this issue Nov 21, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@BenjaminSchwendner
Copy link

Describe the bug.

There is a vulnerability in jsonpath-plus on versions earlier than 10.0.7.
You already merged these two PRs (#1058, #1062), making the @asyncapi/parser package migrate to a safe version.
However, the @asyncapi/multi-parser package still depends on versions of @asyncapi/multi-parser (parserapiv1 as well as parserapiv2) that use older versions of jsonpath-plus (7.2.0).

Would it be possible to release patches for 2.1.0 and 3.0.0-next-major-spec.8 of @asyncapi/parser that use the safe version of jsonpath-plus and then make @asyncapi/multi-parser use these versions?

Expected behavior

@asyncapi/multi-parser should only rely on jsonpath-plus@>10.0.7

Screenshots

Here the (relevant) output of npm why jsonpath-plus after running npm install @asyncapi/multi-parser on a blank npm package:

[email protected]
node_modules/parserapiv1/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from [email protected]
  node_modules/parserapiv1
    parserapiv1@"npm:@asyncapi/parser@^2.1.0" from @asyncapi/[email protected]
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

[email protected]
node_modules/parserapiv2/node_modules/jsonpath-plus
  jsonpath-plus@"^7.2.0" from [email protected]
  node_modules/parserapiv2
    parserapiv2@"npm:@asyncapi/[email protected]" from @asyncapi/[email protected]
    node_modules/@asyncapi/multi-parser
      @asyncapi/multi-parser@"^2.2.0" from the root project

How to Reproduce

Install @asyncapi/multi-parser and find the versions of jsonpath-plus that got installed.

🥦 Browser

None

👀 Have you checked for similar open issues?

  • I checked and didn't find similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue ?

None
@BenjaminSchwendner BenjaminSchwendner added the bug Something isn't working label Nov 21, 2024
@github-actions GitHub Actions
Copy link

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BenjaminSchwendner