amplitude / Amplitude-Java

Official Amplitude Java SDK
MIT License

Dependency on the vulnerable org.json:json:20220320 #99

Closed alok1111 closed 8 months ago

alok1111 commented 9 months ago

CVE-2023-5072 CVE-2022-45688

Expected Behavior

No dependencies with vulnerabilities

Current Behavior

2 High vulnerabilities

Possible Solution

Update org.json:json to the recent version

alok1111 commented 8 months ago

Hello Team, can you please provide your thoughts about the issue? Is it safe to run the client in production? Do you have plans to update the dependency?

alok1111 commented 8 months ago

Also, I noticed that you already have a PR that addresses one of the vulnerabilities, but you didn't merge it, provide any response or fix the issue yourself. Why?

izaaz commented 8 months ago

@alok1111 thanks for creating this ticket. I am taking a look at this and will update soon.

alok1111 commented 8 months ago

@izaaz is there any news?

izaaz commented 8 months ago

@alok1111 the patch was just released in version 1.12.1

izaaz commented 8 months ago

Correction. The package has been deployed to a staging env. I'll update this issue once it's generally available.

alok1111 commented 8 months ago

@izaaz thank you for the update. 1.21.1 fixes only one vulnerability - CVE-2022-45688. Would you please also fix CVE-2023-5072? To do that you need to upgrade org.json:json at least to 20231013. I also noticed that the org.json:json versions are out of sync between demo, main and test. So probably the project tests run on a wrong version.
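The two problems raised in that comment (a module still below the first fixed org.json release, and modules disagreeing with each other) are easy to catch in CI before a release. The script below is an added example, not code from the Amplitude-Java repository: it collects every `org.json:json` declaration from Gradle build files and Maven `pom.xml` files under a directory, then fails if the versions drift or fall below 20231013. The directory layout, file contents and the `MIN_JSON_VERSION` name are constructed for the example.

```shell
#!/bin/sh
# Added example (not Amplitude-Java project code): find every org.json:json
# declaration under a source tree and flag drift between modules or any
# version older than the first release the thread cites for CVE-2023-5072.
MIN_JSON_VERSION=20231013   # org.json versions are YYYYMMDD integers, so numeric compare works

# Print "file version" for each org.json:json declaration under directory $1.
json_versions() {
  # Gradle coordinate strings such as 'org.json:json:20220320'
  find "$1" \( -name '*.gradle' -o -name '*.gradle.kts' \) -exec grep -Ho "org\.json:json:[0-9][0-9]*" {} + |
    sed 's/:org\.json:json:/ /'
  # Maven: pair groupId/artifactId/version inside each <dependency> element
  find "$1" -name pom.xml | while read -r pom; do
    awk -v f="$pom" '
      /<dependency>/   { g = ""; a = ""; v = "" }
      /<groupId>/      { s = $0; gsub(/.*<groupId>|<\/groupId>.*/, "", s); g = s }
      /<artifactId>/   { s = $0; gsub(/.*<artifactId>|<\/artifactId>.*/, "", s); a = s }
      /<version>/      { s = $0; gsub(/.*<version>|<\/version>.*/, "", s); v = s }
      /<\/dependency>/ { if (g == "org.json" && a == "json" && v != "") print f, v }
    ' "$pom"
  done
}

# Return 0 only when all modules agree on one version that is >= MIN_JSON_VERSION.
check_json_versions() {
  versions=$(json_versions "$1")
  [ -n "$versions" ] || { echo "no org.json:json declaration found under $1"; return 1; }
  status=0
  if [ "$(printf '%s\n' "$versions" | awk '{print $2}' | sort -u | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "org.json:json versions are out of sync across modules:"
    printf '%s\n' "$versions" | sed 's/^/  /'
    status=1
  fi
  below=$(printf '%s\n' "$versions" | awk -v min="$MIN_JSON_VERSION" '$2 + 0 < min + 0')
  if [ -n "$below" ]; then
    echo "below minimum fixed version $MIN_JSON_VERSION (CVE-2023-5072 not addressed):"
    printf '%s\n' "$below" | sed 's/^/  /'
    status=1
  fi
  return $status
}

# Constructed sample tree mirroring the drift described in the thread (main/demo/test).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/main" "$SAMPLE/demo" "$SAMPLE/test"
printf '<dependency>\n  <groupId>org.json</groupId>\n  <artifactId>json</artifactId>\n  <version>20231013</version>\n</dependency>\n' > "$SAMPLE/main/pom.xml"
printf "implementation 'org.json:json:20220320'\n" > "$SAMPLE/demo/build.gradle"
printf 'testImplementation("org.json:json:20230227")\n' > "$SAMPLE/test/build.gradle.kts"
if check_json_versions "$SAMPLE"; then echo "org.json:json is aligned"; else echo "dependency drift detected"; fi
```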

izaaz commented 8 months ago

Thanks @alok1111. All packages are updated and use version 20231013. The latest version 1.12.2 is now available.