
Security vulnerability in json-ptr #261

Closed
samtstern opened this issue May 14, 2021 · 4 comments
@samtstern

I am a maintainer of the firebase-tools package and we depend on exegesis. Our npm audit shows the following:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary JavaScript Execution                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-ptr                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ exegesis                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ exegesis > json-ptr                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1706                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

According to json-ptr this was fixed in version 2.1.0 or higher. The good news is that this package has already done the harder upgrade to migrate to json-ptr 1.3.1 (which had an improperly SemVer-ed major change):
#146

So getting to 2.1.0+ shouldn't be too bad.
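The audit row above reports a dependency path (`exegesis > json-ptr`) and a fixed version threshold (json-ptr 2.1.0 or higher). As an added example, not code from the exegesis project or from this thread, the block below walks a constructed package-lock-style dependency tree and reports every path that reaches a json-ptr version below that threshold, which is the check a maintainer runs to confirm the transitive upgrade actually took. It assumes plain `major.minor.patch` version strings and a lock tree shaped like npm's lockfile v1 `dependencies` object; the sample tree and the advisory record are constructed for illustration, with the 2.1.0 threshold taken from the comment above.

```javascript
// Added example: locate transitive dependency paths that still resolve to an
// affected version of a package (the way an audit "Path" row is derived).
// Not part of exegesis; the lock tree and advisory record are constructed.

// Constructed sample shaped like a lockfile v1 "dependencies" tree. The
// nested json-ptr under exegesis is the pre-upgrade state described in the
// issue; the top-level json-ptr is already at the fixed version.
const sampleLock = {
  name: 'firebase-tools',
  version: '0.0.0',
  dependencies: {
    exegesis: {
      version: '2.5.6',
      dependencies: {
        'json-ptr': { version: '1.3.1' },
      },
    },
    'json-ptr': { version: '2.1.0' },
  },
};

// Advisory record: "patched" is the lowest fixed version named in the issue.
const jsonPtrAdvisory = {
  package: 'json-ptr',
  title: 'Arbitrary JavaScript Execution',
  severity: 'High',
  patched: '2.1.0',
};

// Parse "x.y.z" (ignoring any prerelease/build suffix) into three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two x.y.z versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is affected when it is strictly below the first patched release.
function isAffected(version, advisory) {
  return compareVersions(version, advisory.patched) < 0;
}

// Depth-first walk over the lock tree; every occurrence of the advisory's
// package at an affected version is reported with its full path.
function findVulnerablePaths(lock, advisory) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === advisory.package && isAffected(info.version, advisory)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Render one advisory-style summary line per hit; an empty list means the
// tree no longer resolves to an affected version anywhere.
function summarize(lock, advisory) {
  return findVulnerablePaths(lock, advisory).map(
    (h) => `${advisory.severity}: ${advisory.title} via ${h.path} (${h.version} < ${advisory.patched})`,
  );
}

// Stand-alone run on the constructed tree.
console.log(summarize(sampleLock, jsonPtrAdvisory).join('\n') || 'no affected paths');
```

Once the transitive json-ptr is bumped to 2.1.0 or later, `findVulnerablePaths` returns an empty list, which is the condition to check in CI rather than relying on the audit table alone.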

@samtstern
Author

Ah, it looks like dependabot is already on it:
#260

@jwalton
Contributor

jwalton commented May 14, 2021

Thanks for the heads up. I'll fix it now! :)

@jwalton
Contributor

jwalton commented May 14, 2021

🎉 This issue has been resolved in version 2.5.7 🎉

The release is available on:

Your semantic-release bot 📦🚀

@samtstern
Author

@jwalton amazingly fast, thank you!
