bug: json5 <2.2.2 Severity: high tsconfig-paths 3.5.0 - 3.9.0 || 3.11.0 - 3.14.1

[thameurr]

Prerequisites

• I have read the Contributing Guidelines.
• I agree to follow the Code of Conduct.
• I have searched for existing issues that already report this problem, without success.

Ionic Framework Version

• v4.x
• v5.x
• v6.x
• Nightly

Current Behavior

`# npm audit report

json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix
node_modules/tsconfig-paths/node_modules/json5
tsconfig-paths 3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
Depends on vulnerable versions of json5
node_modules/tsconfig-paths

2 high severity vulnerabilities

To address all issues, run:
npm audit fix`

Expected Behavior

Getting this error one i create ionic project, or when I try to install a new package, and npm audit fix doesn't make any change.

Steps to Reproduce

Getting this error one i create ionic project, or when I try to install a new package, and npm audit fix doesn't make any change.

Code Reproduction URL

No response

Ionic Info

Ionic info :

Ionic CLI : 6.20.6 (/usr/local/lib/node_modules/@ionic/cli)
Ionic Framework : @ionic/angular 6.4.1
@angular-devkit/build-angular : 15.0.4
@angular-devkit/schematics : 15.0.4
@angular/cli : 15.0.4
@ionic/angular-toolkit : 6.1.0

Capacitor:

Capacitor CLI : 4.6.1
@capacitor/android : not installed
@capacitor/core : 4.6.1
@capacitor/ios : not installed

Utility:

cordova-res : not installed globally
native-run : 1.7.1

System:

NodeJS : v16.13.0 (/usr/local/bin/node)
npm : 8.19.2
OS : macOS

Additional Information

No response

[ionitron-bot]

Thanks for the issue! This issue has been labeled as holiday triage. With the winter holidays quickly approaching, much of the Ionic Team will soon be taking time off. During this time, issue triaging and PR review will be delayed until the team begins to return. After this period, we will work to ensure that all new issues are properly triaged and that new PRs are reviewed. In the meantime, please read our Winter Holiday Triage Guide for information on how to ensure that your issue is triaged correctly. Thank you!

[sean-perkins]

@thameurr are you creating new projects with ionic start? If so, can you share which template you are selecting?

With the blank template, I am not receiving any vulnerabilities:

found 0 vulnerabilities

[thameurr]

@sean-perkins Please note that this error showing when creating a new project Blank template (or any other template ), or when trying to install a new package using npm ...

[sean-perkins]

@thameurr can you provide a Github reproduction of the issue?

Here is my debug steps:

ionic start
? Starter template: blank
✔ Preparing directory ./ionic-gh-26555 in 1.17ms
✔ Downloading and extracting blank starter in 617.11ms
> npm i

up to date, audited 1145 packages in 2s

156 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

cd ionic-gh-26555/

npm audit fix

up to date, audited 1145 packages in 2s

156 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

I omitted some of the extra sections.

Does the new package you are trying to install have this vulnerability instead of Ionic?

[ionitron-bot]

Thanks for the issue! This issue is being closed due to the lack of a reply. If this is still an issue with the latest version of Ionic, please create a new issue and ensure the template is fully filled out.

Thank you for using Ionic!