Package is dependent on outdated version of tsconfig-paths which is dependent on vulnerable versions of json5 #2649
Comments
No, it doesn't, because tsconfig-paths depends on json5 with Either way, it's not a valid vulnerability for eslint-plugin-import. As is the case with almost every JS CVE, the best course of action is to do nothing until the ecosystem fixes it for you. This is a duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636; a duplicate of #2637; a duplicate of #2639; a duplicate of #2642; a duplicate of #2643. All you need to do is update your lockfile.
In case others find this post, I had to delete my node_modules folder as well as package-lock.json when using npm, otherwise it kept using the same json5 for some reason.
Package is dependent on outdated version of tsconfig-paths which is dependent on vulnerable version of json5
[email protected] depends on "tsconfig-paths": "^3.14.1"
[email protected] depends on "json5": "^1.0.1"
which is vulnerable to Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
[email protected] has the vulnerability fixed
and this sub-dependency is fixed in [email protected] - dividab/tsconfig-paths#233
eslint-plugin-import needs a higher version of tsconfig-paths
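The dependency chain reported above, together with the maintainer's advice to update the lockfile, as an added example that is not part of the issue thread: a small Node script that scans a package-lock.json for json5 copies still in the affected range, including a nested copy under tsconfig-paths. The patched versions (1.0.2 and 2.2.2) are taken from the GHSA advisory rather than from this page, and the sample lockfile is constructed.

```javascript
// Added example (not from the thread): scan a package-lock.json for json5 copies
// still in the affected range of GHSA-9c47-m6qq-7p4h. Patched versions 1.0.2 / 2.2.2
// come from the advisory, not from the issue; confirm them there before relying on this.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number); // drop any prerelease tag
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Advisory ranges: < 1.0.2, and >= 2.0.0 < 2.2.2; 3.x and later already carry the fix.
function isVulnerableJson5(version) {
  const v = parseVersion(version);
  return cmp(v, [1, 0, 2]) < 0 || (v[0] === 2 && cmp(v, [2, 2, 2]) < 0);
}
// Every json5 entry whose version is affected, from the path-keyed "packages" map
// (lockfileVersion 2/3) or the nested "dependencies" tree (lockfileVersion 1).
function findVulnerableJson5(lock) {
  const hits = [];
  const record = (path, version) => { if (isVulnerableJson5(version)) hits.push({ path, version }); };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/json5$/.test(path)) record(path, meta.version);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'json5') record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lock: the hoisted json5 is patched, but tsconfig-paths still
// carries its own nested 1.0.1, which is exactly what the issue reports.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/json5': { version: '2.2.3' },
    'node_modules/tsconfig-paths': { version: '3.14.1', dependencies: { json5: '^1.0.1' } },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '1.0.1' },
  },
};
const sampleHits = findVulnerableJson5(sampleLock); // [{ path: 'node_modules/tsconfig-paths/node_modules/json5', version: '1.0.1' }]
```

Pass a real lockfile's parsed JSON to findVulnerableJson5; an empty result after regenerating the lockfile confirms the nested copy pulled in by tsconfig-paths is gone.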