New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-9c47-m6qq-7p4h] Prototype Pollution in JSON5 via Parse Method #1541
[GHSA-9c47-m6qq-7p4h] Prototype Pollution in JSON5 via Parse Method #1541
Conversation
Hi there @jdgregson and @jordanbtucker! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
Since @jordanbtucker already updated the project-specific advisory, shouldn't there be some sort of auto-sync in place (i.e. obviating the need for this PR)? |
@ashkulz Updates to the global advisory database need to be vetted by security professionals to ensure its quality and accuracy. |
@jordanbtucker out of the interest, how long it usually takes? |
I guess people are yet to come back from the holidays 🤷♂️ |
Looking forward to getting this merged to remove false positives on 1.0.2 version we upgraded to. |
I would look at previous PRs in this repo to get an idea of an ETA and current backlog. |
For me those fixes for 2.2.2 and 1.0.2 are pretty much the same 🤔 |
45d6fec
into
jordanbtucker/advisory-improvement-1541
Hi @jordanbtucker! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
@jordanbtucker In our apps, we use json5@1.0.2, we still could see the vulnerability and its showing that it will be fixed in 2.2.2. so can you please help here by letting us know how long will it take to reflect in our apps or we need to change something from our end. |
@tapasmitamishra25 We also have |
Updates
Comments
Includes information about a backport for v1 and fixes a typo in the Mitigation section.