
json5 security issue since xo 0.45.0 #700

Closed
1000i100 opened this issue Dec 30, 2022 · 2 comments

Comments

@1000i100

```
# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      xo  >=0.45.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/xo

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```


@sindresorhus (Member)

You need to open an issue on eslint-plugin-import instead. There's nothing we can do about it here.

@sindresorhus closed this as not planned on Dec 31, 2022
@1000i100 (Author)

Done: import-js/eslint-plugin-import#2630
In tsconfig-paths it's already fixed in trunk but not in the npm-published version.
So when tsconfig-paths publishes the fixed version, and eslint-plugin-import publishes the updated version, you will be able to update yours.
