json5 security issue since xo 0.45.0 #700

1000i100 · 2022-12-30T15:53:01Z

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install xo@0.44.0, which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      xo  >=0.45.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/xo

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The text was updated successfully, but these errors were encountered:

sindresorhus · 2022-12-31T02:17:45Z

You need to open an issue on eslint-plugin-import instead. There's nothing we can do about it here.

1000i100 · 2022-12-31T02:27:14Z

Done : import-js/eslint-plugin-import#2630
and in tsconfig-paths it's already fixed in trunk but not in npm published version.
So when tsconfig-paths publish the fixed version, and eslint-plugin-import publish the updated version, you will be able to update yours.

sindresorhus closed this as not planned Won't fix, can't repro, duplicate, stale Dec 31, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

json5 security issue since xo 0.45.0 #700

json5 security issue since xo 0.45.0 #700

1000i100 commented Dec 30, 2022

sindresorhus commented Dec 31, 2022

1000i100 commented Dec 31, 2022

json5 security issue since xo 0.45.0 #700

json5 security issue since xo 0.45.0 #700

Comments

1000i100 commented Dec 30, 2022

sindresorhus commented Dec 31, 2022

1000i100 commented Dec 31, 2022