
[GHSA-9c47-m6qq-7p4h] Prototype Pollution in JSON5 via Parse Method #1541

Conversation

jordanbtucker

Updates

  • Affected products
  • Description
  • References

Comments
Includes information about a backport for v1 and fixes a typo in the Mitigation section.

@github
Collaborator

github commented Dec 30, 2022

Hi there @jdgregson and @jordanbtucker! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@ashkulz

ashkulz commented Dec 31, 2022

Since @jordanbtucker already updated the project-specific advisory, shouldn't there be some sort of auto-sync in place (i.e. obviating the need for this PR)?

@jordanbtucker
Author

@ashkulz Updates to the global advisory database need to be vetted by security professionals to ensure its quality and accuracy.

@pkuczynski

@jordanbtucker Out of interest, how long does it usually take?

@ashkulz

ashkulz commented Jan 2, 2023

I guess people are yet to come back from the holidays 🤷‍♂️

@gustaff-weldon

Looking forward to getting this merged to remove false positives on 1.0.2 version we upgraded to.

@jordanbtucker
Author

jordanbtucker commented Jan 2, 2023

I would look at previous PRs in this repo to get an idea of an ETA and current backlog.

@viceice

viceice commented Jan 3, 2023

For me those fixes for 2.2.2 and 1.0.2 are pretty much the same 🤔

@advisory-database advisory-database bot merged commit 45d6fec into jordanbtucker/advisory-improvement-1541 Jan 3, 2023
@advisory-database advisory-database bot deleted the jordanbtucker-GHSA-9c47-m6qq-7p4h branch January 3, 2023 15:04
@advisory-database
Contributor

Hi @jordanbtucker! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@tapasmitamishra25

@jordanbtucker In our apps we use json5@1.0.2. We can still see the vulnerability, and it's showing that it will be fixed in 2.2.2. So can you please help here by letting us know how long it will take to reflect in our apps, or whether we need to change something on our end?
Thanks!

@eugene1g

eugene1g commented Jan 4, 2023

@tapasmitamishra25 We also have json5@1.0.2 and our vulnerability scanner (trivy) stopped flagging that version. On some CI machine we had to update the scanner database for it to pick up the latest updates for this advisory, but I suspect this PR resolved the issue at the root.
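
The bug class named in this advisory's title, as an added example that is not JSON5's own code and is not part of this thread: `naiveAssign`/`naiveParse` are a hypothetical stand-in for a parser that stores every parsed key with `obj[key] = value`, `safeAssign`/`safeParse` show the own-property hardening, and `PAYLOAD` is a constructed input. `probe` is a version-independent check that can be pointed at any parse function.

```javascript
// Added example (not JSON5's code, not from this thread): the prototype
// pollution pattern behind the advisory, and a probe for any parse function.
//
// naiveAssign is a hypothetical stand-in for a parser that stores each parsed
// key with obj[key] = value. For the key "__proto__" that statement does not
// create a property: it invokes the Object.prototype.__proto__ setter and
// replaces the prototype of the object being built.
function naiveAssign(target, key, value) {
  target[key] = value;
}

// Hardened variant: always create an own data property, even when the key is
// "__proto__", so untrusted input can never touch the result's prototype chain.
function safeAssign(target, key, value) {
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// JSON.parse is used only as a tokenizer here: it always creates own
// properties (including one literally named "__proto__"), so the tree is
// rebuilt with the chosen assignment strategy to imitate a hand-written parser.
function rebuild(value, assign) {
  if (Array.isArray(value)) return value.map((v) => rebuild(v, assign));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      assign(out, key, rebuild(value[key], assign));
    }
    return out;
  }
  return value;
}

const naiveParse = (text) => rebuild(JSON.parse(text), naiveAssign);
const safeParse = (text) => rebuild(JSON.parse(text), safeAssign);

// Constructed attacker payload: the key is "__proto__", the value is an object.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Probe any parse function. The result counts as polluted when isAdmin is
// readable through the prototype chain although no isAdmin key was parsed.
function probe(parse) {
  const result = parse(PAYLOAD);
  return {
    ownProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
    inheritedIsAdmin: !Object.prototype.hasOwnProperty.call(result, 'isAdmin')
      && result.isAdmin === true,
    prototypeIntact: Object.getPrototypeOf(result) === Object.prototype,
    // Only the returned object's prototype is rewired by naiveAssign; the
    // global Object.prototype stays clean in both variants.
    globalPolluted: ({}).isAdmin === true,
  };
}

// Downstream sink: a for...in copy walks inherited enumerable properties, so a
// polluted result becomes an object with a real own isAdmin property. It also
// re-assigns an own "__proto__" key with dst[key] = src[key], which rewires dst.
function forInCopy(src) {
  const dst = {};
  for (const key in src) dst[key] = src[key];
  return dst;
}

// Consumer-side guard: skip the key that reaches the prototype chain before
// copying (deep-merge helpers conventionally also reject "constructor" and
// "prototype"; a shallow copy only needs "__proto__").
function safeCopy(src) {
  const dst = {};
  for (const key of Object.keys(src)) {
    if (key === '__proto__') continue;
    dst[key] = src[key];
  }
  return dst;
}

console.log('naive:', probe(naiveParse));
console.log('safe :', probe(safeParse));
console.log('for-in copy of naive result:', forInCopy(naiveParse(PAYLOAD)));
console.log('safeCopy of safe result:', safeCopy(safeParse(PAYLOAD)));
```

To check the json5 build actually installed in a project rather than this stand-in, call `probe(require('json5').parse)` from that project; an affected build reports `inheritedIsAdmin: true` and `prototypeIntact: false`, which is a more direct answer than a scanner database that may lag the advisory update discussed above. Note that the hardened parse still returns an own `__proto__` key, so application code that copies parsed keys with `dst[key] = src[key]` recreates the problem on its own object; `safeCopy` shows the filter such consumers need.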
