tsconfig-paths contains json5 vulnerability #2631
Comments
json5 v1.0.2 has already been updated with this fix, and either way, it's not a valid vulnerability. As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you. This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627.
I mean that the vulnerability is in the json5 package. tsconfig-paths happens to depend on that, and eslint-plugin-import happens to depend on tsconfig-paths.
The best place for the fix is the vulnerable package itself - luckily, the json5 maintainers published a fix on both the v1 and v2 lines. That means that there's nothing anybody has to do except update their lockfiles - no intermediate maintainers need to release updates, or need issues filed, etc.
Ah ok, I understand.
eslint-plugin-import uses version 3 of tsconfig-paths, which uses json5 version 1.
They pushed a fix into tsconfig-paths version 4, which uses json5 version 2.
So two ways of solving this are: update eslint-plugin-import to version 4 of tsconfig-paths, which has the fixed version of json5.
Or the better solution:
json5 should have the fix (ported?/added?) to version 1, and in that case neither eslint-plugin-import nor tsconfig-paths has to do anything at all.
Sound about correct?
Yes, exactly - and json5 v1.0.2 is that fixed version, it's just that the audit warning hasn't been updated to reflect that yet.
github/npm controls that. Given that it's a holiday week, it probably won't happen until Monday.
I am seeing this with our team for this vulnerability, GHSA-8cf7-32gw-wr33. tsconfig-paths now has a fix coming out, but their PR is for their major version 4.x (https://github.com/dividab/tsconfig-paths/pull/2320), while I noticed the eslint-plugin-import library only allows "tsconfig-paths": "^3.14.1", which, if I remember correctly, will not pull in version 4. Is there anything that can be done?
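Two claims in this thread are worth checking mechanically against a lockfile: that a transitive json5 copy can move to the fixed 1.0.2 through a lockfile-only update (no release from tsconfig-paths or eslint-plugin-import needed, because the declared range already admits it), and that a `^3.14.1` range on tsconfig-paths will never resolve to a 4.x release. The Node script below is an added example, not code from eslint-plugin-import, tsconfig-paths or json5. It reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), lists every installed copy of a package, classifies each against the fixed version of its own major line, and checks whether a dependent's declared caret range admits a target version. The lockfile fragment is constructed for the demo; every version in it other than 3.14.1 and 1.0.2 is made up, and the fixed version for the json5 2.x line is deliberately left out so that a 2.x copy is reported as "unknown" rather than assumed safe (fill it in from the advisory GHSA-8cf7-32gw-wr33 before real use). The caret matcher only handles the common `^X.Y.Z` case with X >= 1.

```javascript
// Added example: audit installed copies of a package in an npm lockfile and
// decide whether a lockfile-only update can reach a fixed version.
// Not code from eslint-plugin-import, tsconfig-paths or json5.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret range for a major >= 1: "^3.14.1" admits any 3.x.y >= 3.14.1, never 4.0.0.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const base = range.slice(1);
  const baseMajor = parseVersion(base)[0];
  if (baseMajor === 0) throw new Error('0.x caret ranges pin more tightly; not handled here');
  return parseVersion(version)[0] === baseMajor && compareVersions(version, base) >= 0;
}

// Every installed copy of `name`, including nested node_modules copies.
function findPackageCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Classify each copy against the fixed version of its own major line. A major
// line with no known threshold is 'unknown', not silently treated as safe.
function auditPackage(lock, name, fixedByMajor) {
  return findPackageCopies(lock, name).map(({ path, version }) => {
    const fixed = fixedByMajor[parseVersion(version)[0]];
    const status = fixed === undefined
      ? 'unknown'
      : (compareVersions(version, fixed) >= 0 ? 'fixed' : 'vulnerable');
    return { path, version, status };
  });
}

// True when `dependentPath` can pick up `targetVersion` of `name` by a lockfile
// update alone, i.e. its declared range already admits the target and no new
// release of the dependent is needed.
function lockfileOnlyUpdatePossible(lock, dependentPath, name, targetVersion) {
  const entry = (lock.packages || {})[dependentPath];
  const range = entry && entry.dependencies && entry.dependencies[name];
  if (!range) throw new Error(`${dependentPath} declares no dependency on ${name}`);
  return caretSatisfies(range, targetVersion);
}

// Fixed version per major line. 1.0.2 is the v1 fix named in the thread; the
// 2.x threshold is intentionally absent and must be added from the advisory.
const FIXED_JSON5_BY_MAJOR = { 1: '1.0.2' };

// Constructed lockfile fragment mirroring the thread's chain
// eslint-plugin-import -> tsconfig-paths ^3.14.1 -> json5 1.x, plus a hoisted
// 2.x copy. All versions except 3.14.1 / 1.0.2 are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/json5': { version: '2.0.0' },
    'node_modules/eslint-plugin-import': {
      version: '0.0.0-example',
      dependencies: { 'tsconfig-paths': '^3.14.1' },
    },
    'node_modules/tsconfig-paths': {
      version: '3.14.1',
      dependencies: { json5: '^1.0.1' },
    },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '1.0.1' },
  },
};

console.log(auditPackage(SAMPLE_LOCK, 'json5', FIXED_JSON5_BY_MAJOR));
console.log('tsconfig-paths -> json5 1.0.2 via lockfile only:',
  lockfileOnlyUpdatePossible(SAMPLE_LOCK, 'node_modules/tsconfig-paths', 'json5', '1.0.2'));
console.log('eslint-plugin-import -> tsconfig-paths 4.0.0 via lockfile only:',
  lockfileOnlyUpdatePossible(SAMPLE_LOCK, 'node_modules/eslint-plugin-import', 'tsconfig-paths', '4.0.0'));
```

On a real project, `npm ls json5` shows the same nested copies the script finds, and `npm update json5` is the lockfile-only refresh the thread recommends; the second check reproduces the last comment's point, since `^3.14.1` is satisfied by 3.x patch and minor releases but not by a 4.x line.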