
Bump JSON5 dependency to 2.2.2 to fix CVE-2022-46175 #232

Merged
merged 3 commits into from
Jan 1, 2023

Conversation

@oparisblue (Contributor) commented Dec 29, 2022

Versions of JSON5 < 2.2.2 are susceptible to CVE-2022-46175.

This PR bumps this project's dependency to 2.2.2, which resolves this vulnerability. There are no other changes / no breaking changes in the version bump (changelog).

@genisd commented Dec 29, 2022

Might also need to bump the version 4.1.1 in the package.json, for example to 4.1.2.
A backport with a 3.x release would be really nice as well.

Version 4.1.1 loads json5 with ^2.2.1, so it can already be updated; not so much the case in the latest 3.x release.

@ShaharLahav commented Dec 29, 2022

Please approve this :( @jonaskello

@codecov bot commented Dec 29, 2022

Codecov Report

Base: 68.16% // Head: 68.16% // No change to project coverage 👍

Coverage data is based on head (c091ec3) compared to base (1b71683).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #232   +/-   ##
=======================================
  Coverage   68.16%   68.16%           
=======================================
  Files           9        9           
  Lines         311      311           
  Branches       96       96           
=======================================
  Hits          212      212           
  Misses         93       93           
  Partials        6        6           


@oparisblue (Contributor, Author) commented

Thanks for the review @genisd, bumped version to 4.1.2: 1603bab

@jonaskello (Member) commented

Actually the version of tsconfig-paths in package.json is set automatically by the release script so it should not be incremented in the PR. @oparisblue could you please revert that commit?

@oparisblue (Contributor, Author) commented

Reverted back to v4.1.1 @jonaskello : c091ec3

@jordanbtucker commented Jan 1, 2023

I've backported a fix for json5 v1 in v1.0.2. We just have to wait for GitHub to update the advisory to reflect that, which is already in process. So tsconfig-paths@3 can be backported without any breaking changes.
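The PR description gives the patched floor for the 2.x line (2.2.2) and the comment above the backported floor for the 1.x line (1.0.2). As an added example that is not part of this PR or of tsconfig-paths, the script below walks a package-lock.json "packages" map (lockfile version 2/3 layout) and reports every json5 copy, nested ones included, that is still below the relevant floor; the lock-file contents and the tsconfig-paths version in it are constructed, and treating any major newer than 2 as patched is an assumption.

```javascript
// Patched floors for CVE-2022-46175 per json5 major line, from the PR thread.
const PATCHED = { 1: [1, 0, 2], 2: [2, 2, 2] };

function parseVersion(v) {
  // Drop prerelease/build suffixes ("2.2.2-beta" -> 2.2.2) and split into numbers.
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A json5 version is fixed if it is >= 2.2.2, or on the 1.x line and >= 1.0.2.
// Assumption: a major newer than 2 is treated as patched; 0.x never got the fix.
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] >= 2) return compare(v, PATCHED[2]) >= 0;
  if (v[0] === 1) return compare(v, PATCHED[1]) >= 0;
  return false;
}

// Keys in "packages" look like "node_modules/json5" for the top-level copy or
// "node_modules/<dep>/node_modules/json5" for a nested copy pinned by a dependency.
function findVulnerableJson5(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/json5') || !meta.version) continue;
    if (!isPatched(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lock file (versions are illustrative, not a real project):
// a patched top-level json5 plus a nested, still vulnerable 1.x copy pulled in
// by an older tsconfig-paths 3.x.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/json5': { version: '2.2.2' },
    'node_modules/tsconfig-paths': { version: '3.0.0' },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '1.0.1' },
  },
};

// Expected: one finding, the nested json5 1.0.1 under tsconfig-paths.
console.log(findVulnerableJson5(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a top-level json5 at 2.2.2 does not prove the tree is clean if a nested copy remains.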

@jonaskello jonaskello merged commit 9721a98 into dividab:master Jan 1, 2023
@jonaskello (Member) commented

Released in 4.1.2

@jordanbtucker commented

The security advisory is finally updated and json5@1.0.2 is recognized as patching CVE-2022-46175.

@mihaiplesa commented

v3 fix at #234
