Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dev dependency json5 needs to be upgraded due to a CVE issue linked to the minimist package (CVE-2021-44906) #2951

Closed
GeccoRhiguelNavalta opened this issue Jan 10, 2024 · 1 comment
Labels

Comments

@GeccoRhiguelNavalta
Copy link

This project is currently using an older version of the json5 package, which includes [email protected] and has a vulnerability issue (CVE-2021-44906). For more details, you can refer to: https://avd.aquasec.com/nvd/2021/cve-2021-44906/

Please consider upgrading the json5 package to address this issue. You can find the latest version and release information at: https://github.com/json5/json5/blob/de344f0619bda1465a6e25c76f1c0c3dda8108d9/CHANGELOG.md?plain=1#L28

@ljharb
Copy link
Member

ljharb commented Jan 10, 2024

No, it doesn't. The latest version of json5 v1 and v2 both fix the problem, which never actually applied to us in the first place.

YOU need to update json5 in your own lockfiles if you want to avoid being notified by tooling.

Nope, because v4 drops support for engines that we support, so we can't ever upgrade past v3. Also, i'm not sure what vulnerabilities you mean; json5's vulnerability was fixed in v1 so it shouldn't be a problem.

Duplicate of #2447. Duplicate of #2660. Duplicate of #2625; a duplicate of #2628; a duplicate of #2626; a duplicate of #2627; a duplicate of #2631; a duplicate of #2632; a duplicate of #2634; a duplicate of #2635; a duplicate of #2636; a duplicate of #2637; a duplicate of #2639; a duplicate of #2642; a duplicate of #2643; a duplicate of #2649; a duplicate of #2655. Duplicate of #2888.

@ljharb ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Jan 10, 2024
@ljharb ljharb added the invalid label Jan 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

2 participants