Closed oparisblue closed 1 year ago
Might need to bump the version 4.1.1 in the package.json also to, for example, 4.1.2.
A backport with a 3.x release would be really nice as well.
Version 4.1.1 loads json5 with ^2.2.1, so it can already be updated; not so much the case in the latest 3.x release.
Please approve this :( @jonaskello
Base: 68.16% // Head: 68.16% // No change to project coverage :thumbsup:
Coverage data is based on head (c091ec3) compared to base (1b71683). Patch has no changes to coverable lines.
Thanks for the review @genisd, bumped version to 4.1.2: https://github.com/dividab/tsconfig-paths/pull/232/commits/1603babdc92f093c8907a62b09a5bc8bbc1bea84
Actually the version of tsconfig-paths in package.json is set automatically by the release script so it should not be incremented in the PR. @oparisblue could you please revert that commit?
Reverted back to v4.1.1 @jonaskello : https://github.com/dividab/tsconfig-paths/pull/232/commits/c091ec3612397988aca7ad4acd362a61b92fc4b7
I've backported a fix for json5 v1 in v1.0.2. We just have to wait for GitHub to update the advisory to reflect that, which is already in process. So tsconfig-paths@3 can be backported without any breaking changes.
Released in 4.1.2
The security advisory is finally updated and json5@1.0.2 is recognized as patching CVE-2022-46175.
Versions of JSON5 < 2.2.2 are susceptible to CVE-2022-46175.
This PR bumps this project's dependency to 2.2.2, which resolves this vulnerability. There are no other changes / no breaking changes in the version bump (changelog).
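A defender-side check for the version thresholds named in this thread (json5 < 2.2.2 affected, with the backported fix at 1.0.2 on the 1.x line), as an added example that is not part of this PR or the tsconfig-paths project. It assumes an npm lockfile in the lockfileVersion 2/3 format with a `packages` map and runs on a constructed lockfile embedded below:

```javascript
// Added example, not code from the tsconfig-paths project: scan an npm
// lockfile (lockfileVersion 2/3 "packages" map) for json5 copies, nested
// or top-level, still in the ranges affected by CVE-2022-46175.
const FIX_2X = [2, 2, 2]; // json5@2.2.2 resolves the advisory
const FIX_1X = [1, 0, 2]; // backported fix for the 1.x line

function parseVersion(v) {
  // Strip a leading "v" and any suffix; keep major.minor.patch as numbers.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerableJson5(version) {
  const v = parseVersion(version);
  if (cmp(v, FIX_2X) >= 0) return false;               // 2.2.2 and later are fixed
  if (v[0] === 1 && cmp(v, FIX_1X) >= 0) return false; // 1.0.2+ carries the backport
  return true;                                         // everything else < 2.2.2
}

// Returns [{ path, version }] for every json5 install that is still affected.
function findVulnerableJson5(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/json5$/.test(path)) continue;
    if (isVulnerableJson5(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy plus two nested
// copies, one on each affected line (assumed package paths, not real data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/json5": { version: "2.2.2" },
    "node_modules/tsconfig-paths/node_modules/json5": { version: "1.0.1" },
    "node_modules/some-loader/node_modules/json5": { version: "2.2.1" },
  },
};

console.log(findVulnerableJson5(sampleLock));
```

Nested copies are the ones a top-level bump alone does not fix, which is why the scan matches any `node_modules/json5` path rather than only the root entry.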